OpenVPN in Ubuntu 18.04 Foo within OpenVZ Container (Strato)

  • peter 

It has been a while since my last blog post, but there was no real foo happening to me during that time. But this issue really gave me some heartburn.

Let’s start with the general setup. We have a Linux VM in an OpenVZ environment. The hoster is Strato in Germany, but I don’t think that really matters. There are some known issues with the TUN device not being accessible within the VM, but Strato did their homework and I could see the module:

# lsmod | grep tun
tun                     4242  -2
vznetstat               4242  -2 tun,ip_vznetstat,ip6_vznetstat

This looks promising. Yet OpenVPN failed to start and for some reason I got stuck on this error… well, it is just a warning and is, at least in my case, not a problem. But I thought it was the problem:

ovpn-appdevserver[21200]: Note: Cannot set tx queue length on tun0: Inappropriate ioctl for device (errno=25)

After a long search that always pointed back to a problem with the TUN device and the not really existing support of Strato, I finally found something. Supposedly, not persisting the TUN device should help. Well, it didn’t. At least not directly. But it made me aware of another quite obvious error that I had overlooked the whole time. And this guy was the real error, not the poser warning about the tx queue length:

openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)

Now we’re talking. This is a real error and it actually has a solution and a reason. It seems it is caused by a new default setting in Ubuntu that doesn’t play nicely with my environment. Either way, Strato or Ubuntu, if you hear me, please update your documentation about this issue! Or just fix the bug. I can’t be the only one wanting to use a current Ubuntu version and OpenVPN.

Without further ado, I give you a solution. Because OpenVPN is a system unit in systemd, it is best to add an override. And if you are already root, then you don’t need to use sudo. Type the following to open the override configuration in the default text editor:

sudo systemctl edit openvpn@

Unless you have already made overrides for OpenVPN, you should see an empty file. Add the following lines. If you already have a [Service] section, just add the LimitNPROC entry to that section.

[Service]
LimitNPROC=infinity

This is the same as a call to ulimit -u unlimited (set the number of processes to unlimited). This is of course a little bit extreme. And if that doesn’t make sense in your context, adjust it until it works for you.

Lastly you have to reload the systemd daemon, so that these changes can take effect. And the same rule applies here for sudo:

sudo systemctl daemon-reload

Afterward the VPN should start without any problems. If not, then you will most likely have another problem and you are allowed to yell at me.
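
To keep a ceiling on the process count instead of removing it, the override can be written with a number and then checked against the running process. The script below is an added example, not part of the original post; the function names, the drop-in file name limit-nproc.conf, the value 64 and the instance name server are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the file name
# limit-nproc.conf and the values in the usage comment are assumptions.

# Write a drop-in that sets LimitNPROC for the openvpn@ template unit.
#   $1 = numeric limit or "infinity"
#   $2 = drop-in directory (optional, defaults to the template's override dir)
write_nproc_dropin() {
    limit=$1
    dir=${2:-/etc/systemd/system/openvpn@.service.d}
    case $limit in
        infinity) ;;
        # Reject empty input and anything that is not a plain number.
        ''|*[!0-9]*) echo "invalid LimitNPROC: $limit" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    printf '[Service]\nLimitNPROC=%s\n' "$limit" > "$dir/limit-nproc.conf"
}

# Print the soft "Max processes" limit from a /proc/<pid>/limits file.
# Exits non-zero if the file has no such row.
effective_nproc() {
    awk '/^Max processes/ { print $3; found = 1 } END { exit !found }' "$1"
}

# Usage on the affected host, as root ("server" is a constructed instance name):
#   write_nproc_dropin 64
#   systemctl daemon-reload && systemctl restart openvpn@server
#   pid=$(systemctl show -p MainPID --value openvpn@server)
#   effective_nproc "/proc/$pid/limits"
```

If the fork error comes back with a numeric limit, raise the number step by step and compare it with what effective_nproc reports for the running process.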

Happy VPN-ing.