So I suspect openvpn was upgraded when it was ported over to python as this is the same config I've been using for years:
openvpn vtun0 {
    encryption {
        cipher aes256gcm
    }
    keep-alive {
        failure-count 3
        interval 10
    }
    mode server
    openvpn-option "tls-auth /config/auth/openvpn/ta.key 0"
    server {
        name-server 10.53.53.53
        name-server 10.53.53.54
        push-route 0.0.0.0/0
        subnet 10.7.178.0/24
    }
    tls {
        ca-cert-file /config/auth/openvpn/domain.com.crt
        cert-file /config/auth/openvpn/vpn.domain.com.crt
        dh-file /config/auth/openvpn/dh4096.pem
        key-file /config/auth/openvpn/vpn.domain.com.key
    }
    use-lzo-compression
}
The first problem was the
openvpn-option "tls-auth /config/auth/openvpn/ta.key 0"
I know those aren't validated, but considering it's the precise thing that the tls block option drops in the file, I'm not sure why it was failing. In any case, moving that to the tls block made that work. It still caused openvpn to not start without any indication.
The next problem was the keep-alive stuff that failed with the following error:
Nov 21 17:37:37 edge openvpn-vtun0[12401]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
Nov 21 17:37:37 edge openvpn-vtun0[12401]: Options error: the second parameter to --keepalive (restart timeout=3) must be at least twice the value of the first parameter (ping interval=10). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.
Nov 21 17:37:37 edge openvpn-vtun0[12401]: Use --help for more information.
Nov 21 17:37:37 edge systemd[1]: openvpn@vtun0.service: Main process exited, code=exited, status=1/FAILURE
Nov 21 17:37:37 edge systemd[1]: openvpn@vtun0.service: Failed with result 'exit-code'.
Nov 21 17:37:37 edge systemd[1]: Failed to start OpenVPN connection to vtun0.
Also note the compat-names deprecation warning.
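The two checks the post walks through by hand, written up as an added example (not code from the original post, and not part of EdgeOS or OpenVPN): it pulls the keep-alive values out of the flattened EdgeOS config and applies the rule OpenVPN 2.4 printed in the log (the second --keepalive parameter, the restart timeout, must be at least twice the first, the ping interval; 1:5 or 1:6 preferred), and it sorts the journal lines into deprecation warnings, option errors and systemd results so the actual cause is not buried behind "Failed to start". The mapping of failure-count straight onto the timeout parameter is what the posted log shows (failure-count 3 gives "restart timeout=3"); the config and log text embedded below are constructed from the post, and the unit name openvpn@vtun0.service is assumed.

```python
"""Triage an OpenVPN startup failure on EdgeOS (added example, not the post's own code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the keep-alive part of the post's config, flattened as posted.
EDGEOS_CONFIG = (
    "openvpn vtun0 { keep-alive { failure-count 3 interval 10 } mode server "
    "use-lzo-compression }"
)

# Constructed sample: journal lines from the post, one per line
# (unit name openvpn@vtun0.service is an assumption).
JOURNAL = """\
Nov 21 17:37:37 edge openvpn-vtun0[12401]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
Nov 21 17:37:37 edge openvpn-vtun0[12401]: Options error: the second parameter to --keepalive (restart timeout=3) must be at least twice the value of the first parameter (ping interval=10). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.
Nov 21 17:37:37 edge openvpn-vtun0[12401]: Use --help for more information.
Nov 21 17:37:37 edge systemd[1]: openvpn@vtun0.service: Main process exited, code=exited, status=1/FAILURE
Nov 21 17:37:37 edge systemd[1]: Failed to start OpenVPN connection to vtun0.
"""


def parse_keepalive(config: str) -> Optional[Tuple[int, int]]:
    """Return (ping interval, restart timeout) as OpenVPN receives them.

    EdgeOS passes `interval` as the first --keepalive argument and
    `failure-count` as the second, as the post's log line shows.
    """
    block = re.search(r"keep-alive\s*\{([^}]*)\}", config)
    if not block:
        return None
    fields = dict(re.findall(r"(failure-count|interval)\s+(\d+)", block.group(1)))
    if "interval" not in fields or "failure-count" not in fields:
        return None
    return int(fields["interval"]), int(fields["failure-count"])


def check_keepalive(interval: int, timeout: int) -> Tuple[bool, str]:
    """Apply OpenVPN 2.4's --keepalive sanity rule; returns (ok, message)."""
    if interval <= 0 or timeout <= 0:
        return False, "both --keepalive parameters must be positive"
    if timeout < 2 * interval:
        return False, (f"restart timeout {timeout} is below 2x ping interval "
                       f"{interval}; OpenVPN refuses to start")
    if timeout < 5 * interval:
        return True, (f"accepted, but a 1:5 or 1:6 ratio is preferred "
                      f"({interval} {5 * interval} or {interval} {6 * interval})")
    return True, "ok"


def suggest_keepalive(interval: int) -> Tuple[int, int]:
    """Pair with the 1:6 ratio OpenVPN itself recommended (10 -> 10 60)."""
    return interval, 6 * interval


def triage_log(journal: str) -> Dict[str, List[str]]:
    """Bucket journal lines: deprecated option names, option errors, systemd results."""
    out: Dict[str, List[str]] = {"deprecated": [], "option_errors": [], "systemd": []}
    for line in journal.splitlines():
        if "DEPRECATED OPTION:" in line:
            # Keep only the option name, e.g. "--compat-names".
            m = re.search(r"DEPRECATED OPTION: (\S+?),", line)
            out["deprecated"].append(m.group(1) if m else line)
        elif "Options error:" in line:
            out["option_errors"].append(line.split("Options error: ", 1)[1])
        elif " systemd[1]: " in line:
            out["systemd"].append(line.split(" systemd[1]: ", 1)[1])
    return out


if __name__ == "__main__":
    ka = parse_keepalive(EDGEOS_CONFIG)
    print("keep-alive as passed to openvpn:", ka)
    if ka:
        ok, msg = check_keepalive(*ka)
        print("ok" if ok else "REJECTED", "-", msg)
        if not ok:
            print("suggested --keepalive", *suggest_keepalive(ka[0]))
    for bucket, lines in triage_log(JOURNAL).items():
        print(bucket, lines)
```

With the post's values the checker reports the same rejection OpenVPN did (10 3 fails the 2x rule) and suggests 10 60; assuming failure-count keeps mapping onto the timeout the way the log shows, that corresponds to `failure-count 60` with `interval 10` in the EdgeOS keep-alive block. The triage output also surfaces `--compat-names` as a deprecation to deal with before OpenVPN 2.5, separately from the hard error.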