# Sshd not starting on openvpn network with systemd

## danez

Hello,

I have had a new server for some months, and this was the first time I set up Gentoo with systemd. Most stuff worked; some stuff still doesn't work reliably (like the network interface eth0 cannot be renamed to en* on boot because it is busy), but for most things I found workarounds.

One thing that I haven't figured out yet is how to reliably start sshd after the openvpn link is up and sshd can bind to the VPN network address. This worked fine on my old server with openrc, but with systemd there seem to be race conditions, as it works 3 or 4 times out of 10.

So far I have already added this systemd unit extension, but that doesn't seem to help much, as even though the network interface is up it seems not to have an IP assigned yet.

/etc/systemd/system/sshd.service.d/00openvpn.conf

```
[Unit]
Wants=sys-devices-virtual-net-tun0.device sys-subsystem-net-devices-tun0.device
After=sys-devices-virtual-net-tun0.device sys-subsystem-net-devices-tun0.device
```

Here is a snippet of my system log:

```
Mar 23 09:46:43 bifrost systemd[1]: Started Wait for Network to be Configured.
Mar 23 09:46:43 bifrost systemd[1]: Reached target Network is Online.
Mar 23 09:46:43 bifrost systemd-timesyncd[1689]: Synchronized to time server 78.46.204.247:123 (0.gentoo.pool.ntp.org).
Mar 23 09:46:43 bifrost systemd[1]: Starting OpenVPN service for gateway...
Mar 23 09:46:43 bifrost openvpn[1890]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar  9 2018
Mar 23 09:46:43 bifrost openvpn[1890]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
Mar 23 09:46:43 bifrost systemd[1]: Started OpenVPN service for gateway.
Mar 23 09:46:43 bifrost openvpn[1890]: Diffie-Hellman initialized with 2048 bit key
Mar 23 09:46:43 bifrost openvpn[1890]: ROUTE_GATEWAY x.x.x.x/255.255.255.224 IFACE=enp3s0 HWADDR=x:x:x:x:x:x
Mar 23 09:46:43 bifrost openvpn[1890]: TUN/TAP device tun0 opened
Mar 23 09:46:43 bifrost openvpn[1890]: TUN/TAP TX queue length set to 100
Mar 23 09:46:43 bifrost openvpn[1890]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 23 09:46:43 bifrost openvpn[1890]: /bin/ip link set dev tun0 up mtu 1500
Mar 23 09:46:43 bifrost systemd-udevd[1892]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 23 09:46:43 bifrost systemd[1]: Found device /sys/subsystem/net/devices/tun0.
Mar 23 09:46:43 bifrost systemd[1]: Found device /sys/devices/virtual/net/tun0.
Mar 23 09:46:43 bifrost systemd-timesyncd[1689]: Network configuration changed, trying to establish connection.
Mar 23 09:46:43 bifrost systemd[1]: Starting OpenSSH server daemon...
Mar 23 09:46:43 bifrost systemd-timesyncd[1689]: Synchronized to time server 62.138.205.79:123 (0.gentoo.pool.ntp.org).
Mar 23 09:46:43 bifrost systemd[1]: Started OpenSSH server daemon.
Mar 23 09:46:43 bifrost systemd[1]: Reached target Multi-User System.
Mar 23 09:46:43 bifrost systemd[1]: Reached target Graphical Interface.
Mar 23 09:46:43 bifrost systemd[1]: Startup finished in 3.869s (kernel) + 17.921s (userspace) = 21.790s.
Mar 23 09:46:43 bifrost sshd[1896]: Bind to port 22 on 10.0.51.1 failed: Cannot assign requested address.
Mar 23 09:46:43 bifrost sshd[1896]: Cannot bind any address.
Mar 23 09:46:43 bifrost systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Mar 23 09:46:43 bifrost systemd[1]: sshd.service: Failed with result 'exit-code'.
```

I'm using systemd 237 if it matters.

Does anyone have an idea or a workaround? I thought about setting a timer for sshd to start 30 sec after boot, but that seems really ugly.

Or maybe it is possible to create my own target "vpn-online", similar to network-online?

----------

## danez

Okay, it seems that writing stuff down sometimes also helps in finding new ways. I think I solved it now, will test further though. Here is what I have done:

Created a new service:

/etc/systemd/system/openvpn-online.service

```
[Unit]
Description=Wait for Openvpn to be Configured
DefaultDependencies=no
Conflicts=shutdown.target
Requires=sys-devices-virtual-net-tun0.device
After=sys-devices-virtual-net-tun0.device

[Service]
Type=oneshot
ExecStart=/lib/systemd/systemd-networkd-wait-online --interface=tun0 --quiet
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

and changed /etc/systemd/system/sshd.service.d/00openvpn.conf to

```
[Unit]
Wants=openvpn-online.service
After=openvpn-online.service
```
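
The failure in the log is that the tun0 device exists (so the `.device` units are satisfied) before OpenVPN has run `ip addr add` on it, and sshd with a fixed `ListenAddress` needs the address, not the link. The wait unit above relies on systemd-networkd's view of tun0. As an added alternative that is not part of this thread, the following script polls the kernel's own address table instead, so it does not depend on which tool configures the interface. It can be run from an `ExecStartPre=` line in the sshd drop-in (for example `ExecStartPre=/usr/local/sbin/wait-for-tun0-addr.sh --wait` under a `[Service]` section). The interface name, the address 10.0.51.1 and the script path are assumptions taken from the log; the sample `ip -o` output used for checking is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: block until the VPN interface actually
# carries its address, so sshd's bind() cannot race OpenVPN's ifconfig step.
# Interface, address and timeout are assumptions; override via environment.

IFACE="${IFACE:-tun0}"
ADDR="${ADDR:-10.0.51.1}"
TIMEOUT="${TIMEOUT:-30}"   # seconds before giving up and failing the unit

# has_addr ADDR TEXT
# Returns 0 if TEXT (output of `ip -4 -o addr show`, one address per line)
# lists ADDR on the interface. Matches both "inet A/prefix" (subnet
# topology) and "inet A peer B/32" (point-to-point tun devices).
has_addr() {
    addr_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # make dots literal
    printf '%s\n' "$2" | grep -Eq "inet ${addr_re}[/ ]"
}

# wait_for_addr IFACE ADDR TIMEOUT
# Polls once per second until ADDR appears on IFACE. Returns 1 on timeout so
# sshd.service fails visibly instead of binding to an address that is absent.
wait_for_addr() {
    iface="$1"; addr="$2"; limit="$3"
    n=0
    while [ "$n" -lt "$limit" ]; do
        # `ip ... show dev X` exits non-zero while the device does not exist yet
        if out=$(ip -4 -o addr show dev "$iface" 2>/dev/null) \
           && has_addr "$addr" "$out"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    echo "timed out after ${limit}s waiting for $addr on $iface" >&2
    return 1
}

# Only poll when invoked with --wait; sourcing the file just defines functions.
if [ "${1:-}" = "--wait" ]; then
    wait_for_addr "$IFACE" "$ADDR" "$TIMEOUT"
fi
```

Because `ExecStartPre=` failing marks the unit as failed, pair this with `Restart=on-failure` and a `RestartSec=` in the same drop-in if the VPN may legitimately come up later than the timeout; a failed sshd that never retries is worse than the original race.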

----------

## mike155

Another solution would be to start sshd independently of openvpn and NOT to set ListenAddress in sshd_config, so that sshd listens on all local addresses.

----------

## danez

*mike155 wrote:*

> Another way would be to start sshd independently of openvpn and NOT to set ListenAddress in sshd_config, so that sshd listens on all local addresses.

But that's the point of my configuration: I only want ssh to be available in the VPN network.

----------

## szatox

Danez, you can make it listen on all addresses and deny direct access on the firewall.

Usually you set the INPUT policy to DROP and then allow the traffic you want. E.g. you can decide to accept stuff coming in via tap0 or whatever interface openvpn creates for you and drop the rest.
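
As an added example of the firewall approach just described (not code from the thread), the script below builds the INPUT chain so that sshd can stay bound to all addresses while TCP/22 is only accepted on the VPN interface. It assumes iptables rather than nftables, an interface named tun0, and OpenVPN listening on UDP 1194; the one rule that is easy to forget is the OpenVPN port itself, because with a DROP policy and no such rule the tunnel never comes up and SSH is unreachable from everywhere. `DRY_RUN=1 ./ssh-vpn-only.sh --apply` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT chain that exposes
# sshd only through the VPN interface. iptables, tun0 and UDP 1194 are
# assumptions; adjust to the real setup before loading.

VPN_IF="${VPN_IF:-tun0}"
OVPN_PORT="${OVPN_PORT:-1194}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ssh_firewall IFACE OVPN_PORT
# Policy DROP first, then the minimum allowed: loopback, replies to flows
# this host opened, the OpenVPN port on any interface (without it the tunnel,
# and with it SSH, can never come up), and SSH only when it arrives on IFACE.
ssh_firewall() {
    iface="$1"; ovpn_port="$2"
    run iptables -P INPUT DROP
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p udp --dport "$ovpn_port" -j ACCEPT
    run iptables -A INPUT -i "$iface" -p tcp --dport 22 -j ACCEPT
    # SSH on the public address falls through to the DROP policy; log it first
    # so scanning of the public port is visible in the journal.
    run iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-nonvpn: "
}

# unrestricted_ssh_accepts IFACE OVPN_PORT
# Self-check: number of generated rules that ACCEPT tcp/22 without pinning
# the input interface. Must be 0, otherwise the "VPN only" property is gone.
unrestricted_ssh_accepts() {
    (DRY_RUN=1; ssh_firewall "$1" "$2") \
        | grep -- '--dport 22 -j ACCEPT' \
        | grep -vc -- "-i $1 " || true
}

if [ "${1:-}" = "--apply" ]; then
    ssh_firewall "$VPN_IF" "$OVPN_PORT"
fi
```

Load the rules from a unit ordered before `network-pre.target` (or persist them with iptables-save/iptables-restore) so sshd is never reachable on the public address during the window between the network coming up and the firewall being applied.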

----------

