I have a working OpenVPN client config that uses a passphrase-protected private key.
If I run openvpn directly, I'm prompted for the passphrase and the client starts successfully.
But if I start it with systemctl, I'm not prompted for the passphrase, and the service never finishes initializing.
It appears that systemd-ask-password is waiting for the passphrase, but no prompt is displayed.

    $ sudo systemctl start openvpn-myclient.service
    $ systemctl status openvpn-myclient.service
    ● openvpn-myclient.service - OpenVPN instance ‘myclient’
       ...
       Status: "Pre-connection initialization successful"
       ...
       CGroup: /system.slice/openvpn-myclient.service
               ├─18997 openvpn --suppress-timestamps --config /path/to/client.conf
               └─18998 /path/to/systemd-ask-password --icon network-vpn Enter Private Key Password:

I can manually create a prompt to submit the passphrase:

    $ sudo systemd-tty-ask-password-agent --query
    Enter Private Key Password: ************************

I can also work around the issue by putting askpass /path/to/passphrase in my client.conf. That avoids the need for user input, but it also means keeping the passphrase in cleartext.
I'd like to understand what's going on, what I could do to get a prompt to show up, or how I could avoid putting the passphrase in cleartext.
How can I debug this further? I read the following man pages and it's still not clear to me what's at play.
systemd-ask-password
systemd-tty-ask-password-agent
systemd-ask-password-wall.service