
[Bug]: Cannot pre-load keyfile (tls-crypt.key)

Open luntik2012 opened this issue 2 years ago • 11 comments

Make sure you check these beforehand!

  • [X] Issues - https://github.com/angristan/openvpn-install/issues
  • [X] README and FAQ - https://github.com/angristan/openvpn-install
  • [X] Wiki - https://github.com/angristan/openvpn-install/wiki
  • [X] Discussions - https://github.com/angristan/openvpn-install/discussions

Server OS

archlinux

OpenVPN version

2.5.8

Client

No response

What is the bug?

[email protected] failure

Relevant log output

```
Nov 04 12:27:07 myserver systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Nov 04 12:27:07 myserver systemd[1]: [email protected]: Failed with result 'exit-code'.
Nov 04 12:27:07 myserver systemd[1]: Failed to start OpenVPN service for server.
```

```sh
$ pwd
/etc/openvpn
$ sudo -H -u openvpn /usr/bin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Cannot pre-load keyfile (tls-crypt.key)
Exiting due to fatal error
```

luntik2012 avatar Nov 04 '22 11:11 luntik2012

I have the same problem since last month...

llamich avatar Nov 10 '22 07:11 llamich

I have the same problem too. Ubuntu 22.04

I have built openvpn from /master to get DCO support. It works fine when started as a process with sudo openvpn --config, but I can't start it as a service.

My configuration for building: configure --enable-dco --disable-lz4 --disable-lzo --enable-systemd

purum-pum-pum avatar Dec 04 '22 14:12 purum-pum-pum

I'm facing the same problem, fresh install on Debian 11.6, installed using the default configuration:

```
systemd[1]: Starting OpenVPN connection to server...
ovpn-server[17044]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
ovpn-server[17044]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
ovpn-server[17044]: Cannot pre-load keyfile (tls-crypt.key)
ovpn-server[17044]: Exiting due to fatal error
systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
systemd[1]: [email protected]: Failed with result 'exit-code'
```

andreagobetti avatar Jan 13 '23 11:01 andreagobetti

Have you tried changing the address of tls-crypt.key (in /etc/openvpn/server.conf) to /etc/openvpn/tls-crypt.key?

seinmon avatar Jan 15 '23 19:01 seinmon

I have the same issue here on Debian 11.6. tls-crypt.key is missing in /etc/openvpn/

hartmanshk avatar May 31 '23 09:05 hartmanshk

Debian GNU/Linux 11 (bullseye) same error

TheZuna avatar Jun 04 '23 16:06 TheZuna

You can fix this by moving /etc/openvpn/tls-crypt.key to /etc/openvpn/server/tls-crypt.key, and the rest of the files ending in .key, .pem, and .crt in /etc/openvpn into the /etc/openvpn/server folder.

I'll try to make a fix for it.

1s0n avatar Jun 28 '23 09:06 1s0n

If the TLS-Crypt key is missing or in the wrong place then the error is:

Options error: --tls-crypt fails with 'tls-crypt.key': No such file or directory (errno=2)

To understand what the error Cannot pre-load keyfile (tls-crypt.key) means, it would be useful to see the key-file in question.

I have just tested the script on Debian-11 and it works correctly.

TinCanTech avatar Jun 28 '23 10:06 TinCanTech

I had the same problem here. A workaround is to copy the key files from /etc/openvpn to /etc/openvpn/easy-rsa/pki/

cp /etc/openvpn/*.key /etc/openvpn/easy-rsa/pki/

peter2233finn avatar Aug 02 '23 16:08 peter2233finn
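
A diagnostic for the two cases the thread distinguishes: the key file is absent from the directory the daemon resolves it against, or it is present but cannot be read or is not a valid static key. This is an added example, not code from the thread or from openvpn-install; the function name `check_tls_crypt`, its status words, and the assumption that a relative `tls-crypt` path resolves against the daemon's working directory belong to the example.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread or the openvpn-install project).
# check_tls_crypt CONF [WORKDIR]
#   Prints one of: no-directive | missing | unreadable | malformed | ok
#   WORKDIR is the directory a relative key path is resolved against
#   (assumption: the daemon's working directory; defaults to CONF's directory).
#   Run it as the account the service uses so the readability test is meaningful,
#   e.g.: check_tls_crypt /etc/openvpn/server.conf /etc/openvpn/server
check_tls_crypt() {
    conf=$1
    workdir=${2:-$(dirname "$conf")}
    # First "tls-crypt <path>" directive; commented-out lines do not match.
    key=$(awk '$1 == "tls-crypt" { print $2; exit }' "$conf")
    [ -n "$key" ] || { echo "no-directive"; return 1; }
    case $key in
        /*) path=$key ;;            # absolute path: used as written
        *)  path=$workdir/$key ;;   # relative path: depends on WORKDIR
    esac
    [ -e "$path" ] || { echo "missing"; return 1; }
    [ -r "$path" ] || { echo "unreadable"; return 1; }
    # A static key file has BEGIN/END markers around 16 lines of 32 hex digits.
    hexlines=$(awk '
        /^-----BEGIN OpenVPN Static key V1-----/ { inside = 1; next }
        /^-----END OpenVPN Static key V1-----/   { inside = 0 }
        inside && /^[0-9a-fA-F]+$/ && length($0) == 32 { n++ }
        END { print n + 0 }' "$path")
    [ "$hexlines" -eq 16 ] || { echo "malformed"; return 1; }
    echo "ok"
}
```

Running it once with each candidate working directory (`/etc/openvpn` and `/etc/openvpn/server`) shows whether relocating the key files, as suggested above, changes the result.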