Coreelec autoboot openvpn before kodi starts

Hi guys, this will be my first post. Hope someone can help.

I use a s905x tvbox and use your coreelec for it. What I want to do is simple, at least I think it is. Via a ssh console I activated a systemctl file called MYOPENVPN.service , which logically I want to have to startup openvpn before kodi starts. In earlier libreelec versions this was no problem. MAybe I make a mistake. I don’t know, but I don’t get it to work.

This is in the MYOPENVPN.service file:

[Unit]
Description=MYOPENVPN
After=network-online.service
Before=kodi.service
Requires=network-online.service
[Service]
Type=forking
ExecStart=/storage/.config/system.d/vpnENdate
TimeoutStopSec=1
Restart=always
RestartSec=2
StartLimitInterval=0
[Install]
WantedBy=multi-user.target

and in vpnENdate:

/usr/sbin/openvpn --config /storage/.config/vpn.config/vpn.conf

This works not very great.
It seems in the new openvpn version (2.4.6) there is a problem with using
–daemon. So I skipped that part. In previous versions openvpn worked ok, with the same .conf files ater booting,

So my question is:

How to get coreelec to autoboot a working openvpn connection?
Also, I would like to make sure the vpn connection keeps stable.

Thanks for your help.

Get zomboided’s vpn manager addon. Then under Monitor, connect vpn before kodi starts.

1 Like

This is how my systemd service file looks. I’m also running 2.4.6 and I haven’t noticed any issues with it and it starts just fine at boot.

-Rascal

[Unit]
Description=OpenVPN Autorun Service
Requires=network-online.service
After=network-online.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon --config /storage/.config/openvpn.config
Restart=always
RestartSec=15

[Install]
WantedBy=kodi.target

Thanks Bubblegum and Rascal!

Rascal, I will try your version soon. Right now by just viewing it, I don’t see a clear difference in the result, but it could help to launch the openvpn .conf command directly from the systemd service. Trying is free :slight_smile: I will let you know the results.

About the openvpn manager, I don’t like it. I tried to configure it one time, but it was very difficult with my provider’s files. Not stable. It gave me the idea, that only a bunch of providers is supported with it. Mine is not included in those.

There is also a matter of principle. In my idea an vpn connection should run before kodi does. a vpn connection is an o.s. job, not a kodi job.

This command does not work for me:
/usr/sbin/openvpn --daemon --config /storage/.config/vpn.config/vpn.conf

I tried it manually. again I have that --daemon problem. If I run it like that, I see an open space coming up at the command line and nothing happens.

This one worked one time:
/usr/sbin/openvpn --config /storage/.config/vpn.config/vpn.conf

the second time after reboot if gave me this error:
Options error: --up script fails with ‘update-resolv-conf’: No such file or directory (errno=2)

It seems my provider included this file to avoid vpn leaking. fine. But it gives me a configuration problem now.
So I tried to add in the MYOPENVPN.service file:
ExecStart=cd ~/.config/vpn.config && /usr/sbin/openvpn --config /storage/.config/vpn.config/vpn.conf

to make sure openvpn could find the right file in the right directory.
This works when I run it manually, but it doesn’t work when I add it in the MYOPENVPN.service file and reboot the system. The result is no vpn…

surfing the net forums tell the add ‘update-resolv-conf’ and other provider files to the /etc/openvpn directory to avoid this problem. But we don’t have that one in coreelec linux do we?

I have no idea now how to handle this Very annoying… somebody else must have this problem I guess… I just want to setup openvpn in a linux o.s. how hard could it be?? :slight_smile:

Thanks for any ideas.

update:

when I do : systemctl enable MYOPENVPN.service

and after :systemctl status MYOPENVPN.service
or: systemctl start MYOPENVPN.service

this is the error coming up:
Failed to start MYOPENVPN.service: Unit MYOPENVPN.service has a bad unit file setting.

So, it doesn’t start at all after booting…
This is my file right now, what is wrong with my “Unit” part? If it wokrs for Rascal and others, it should work for me right?

MYOPENVPN.service content:

[Unit]
Description=OpenVPN Autorun Service
Requires=network-online.service
After=network-online.service

[Service]
Type=forking
ExecStart=cd ~/.config/vpn.config && /usr/sbin/openvpn --config /storage/.config/vpn.config/vpn.conf
Restart=always
RestartSec=15

[Install]
WantedBy=kodi.target

Remove the cd ~/.config/vpn.config && from execstart. What does journalctl say after you start it again?

Rascal thanks!,

The problem was indeed what you suggested. Yesterday I couldn’t stop to find a solution until night hours, but in the end I found a solution for the whole mess.

Most important things i learned while frustrating myself over and over…;

Thanks to Rascal; in a systemctl .service file, never use for the ExecStart= part a nested or piped command! It will give you a [unit] error, but don’t let it throw you. You think there is a config error in the [unit] part, but it in fact it can’t handle the command. Takes a lot of time to sort it out if you don’t know. Keep commands simple as possible.

In coreelec linux, delete first all iptable script commands out of the storage/.config/autostart.sh file before you start to determine the cause of a speed or vpn related problem. In fact I think it is best to use no autostart.sh file at all.

in .service files never refer to ~/.config/… It doesn’t work.
Use /storage/.config/…

test the speed of your vpn first at another pc or device with the same client protocol.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Ok, here is what I did to solve this annoying thing in my case:

CORELEC SOLUTION:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Instead of trying to direct the openvpn command to execute in the directory where the certificates are located, find a solution the other way around. Edit the .ovpn and add the right paths to the .ovpn file itself.

(I’m not sure this works for all providers the same, but I guess it is a default client file concept:
let’s say your .ovpn file has these parts included:)

auth-user-pass vpn_userpass.txt
ca vpn_ca.crt
crl-verify vpn_crl.pem

tun-ipv6
script-security 2
up update-resolv-conf
down update-resolv-conf

When your file has these lines modificate them to these:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

auth-user-pass /storage/.config/(…whatever…)/vpn_userpass.txt
ca /storage/.config/(…whatever…)/vpn_ca.crt
crl-verify /storage/.config/(…whatever…)/vpn_crl.pem

tun-ipv6
script-security 2
up /storage/.config/(…whatever…)/update-resolv-conf
down /storage/.config/(…whatever…)/update-resolv-conf

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
After, save this .conf file to .ovpn (if not .ovpn before)

result: openvpn can be started directly without complex commands:
/usr/sbin/openvpn --config /storage/.config/vpn.config/vpn.ovpn
Run this manually. with a ssh console terminal, check if it works.

Now modificate the .service file to what Rascal said in the beginning of this topic and save it;
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Unit]
Description=OpenVPN Autorun Service

[Service]
Type=forking
Requires=network-online.service
After=network-online.service
ExecStart= /usr/sbin/openvpn --daemon --config /storage/.config/…(your path)…/vpn.ovpn
Restart=always
RestartSec=15

[Install]
WantedBy=kodi.target

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
now in your SSH console, stop an eventually running openvpn .service file with this command:
(In my example I call it: MYOPENVPN.service)

A:

systemctl stop MYOPENVPN.service

disable it from starting after booting the device:
systemctl disable MYOPENVPN.service

enable booting the modified .service file:
systemctl enable MYOPENVPN.service

Now most important, check if it works manually:
systemctl start MYOPENVPN.service

If your setup is correct this command should give you a prompt back after executing it.
to test vpn works (and the .service) enter this command: curl ipinfo.io/ip
It should give you your recent (WAN) ip address, which should be the vpn’s address.
if you see you ip providers address in this step, it doesn’t work, you should recheck the config again…

To see where it could go wrong use this command:
systemctl status MYOPENVPN.service

It could give you the output of the openvpn command in the service. Correct the .service file when needed. (afterwards start again the commands from “A.” )
note: for a detailed systemctl manual go here:

http(s)://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ok.
Your .service file works. Good. Again, check your storage/.config/autostart.sh
file before testing. In case of doubt rename it temporary. You can test whatever you like, but in my case I had some iptable (firewall) rules there that screwed up everything in fact. It is easy to forget those after time, it will give you hell…

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

After testing:

-restart you system and log in again with ssh on the box.
-see if it works. Execute a Ping to the WAN ip address:
curl --silent ipinfo.io/ip

-Check the speed of your connection by installing a speedtest app in kodi.
-Secondly install the WanIP app in Kodi, this gives your WAN ip with a push. Handy.
-Contact your vpn if the vpn speed is too low. 11Mbit/second is enough for most people.

-Consider this: VPN works in both directions…Most people using kodi vpn manager do not realize this.
Might be a good idea to change the password of your ssh login on your box. Use this command after logged in on ssh: passwd
Choose new password and retype + enter.
DO NOT FORGET YOUR NEW PASSWORD OR FACE A RE-INSTALL OF YOUR BOX!

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
last sharings:

Beware the --daemon option in the command :
/usr/sbin/openvpn --daemon --config /storage/.config/vpn.config/vpn.conf

the --daemon parameter works only when executed from a “working” .service script (systemctl),
not when used as a manual command…So don’t get fooled by that.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
So the situation yesterday in my case:

-bad configured .autostart.sh file.
-old vpn certificate in use.
-The.ovpn file was not adapted for coreelec use. no exact paths to other vpn provider files.
-MYOPENVPN.service had a nested ExecStart: command, it couldn’t be handled. (unit error)
-I kept on testing --deamon by running the command manually, no result.
-I kept restarting the box without testing the MYOPENVPN.service in a ssh console.

pfeeew…
But it works now…

last note:

Save yourself all this trouble and get a modem/router with opensource firmware. if you can configure a openvpn connection in it , let the router solve it all…
Make sure the that router is singlecore . openvpn doesn’t use multicore as far as i know…

Hope somebody can use this!

1 Like