Troubleshooting OpenVPN Server Startup Failures: Resolving “client.crt: No such file or directory” Error on CentOS 6


The error message clearly indicates OpenVPN cannot locate the certificate files during startup. The key log entries show:

Options error: --cert fails with 'client.crt': No such file or directory
Options error: --key fails with 'client.key': No such file or directory

While you mentioned the files exist in /etc/openvpn/easy-rsa/keys/, OpenVPN by default looks for them in the configuration directory (/etc/openvpn/). There are three ways to resolve this:

Option 1: Copy certificates to default location

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt,dh2048.pem} /etc/openvpn/

Option 2: Update server.conf with full paths

# Original:
ca ca.crt
cert server.crt
key server.key

# Modified:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

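Even with correct paths, OpenVPN (running as nobody) must be able to read the files:

chmod 644 /etc/openvpn/easy-rsa/keys/{server.crt,ca.crt,dh2048.pem}
chmod 600 /etc/openvpn/easy-rsa/keys/server.key
chown nobody:nobody /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt,dh2048.pem}

The chown makes server.key readable by every process that runs as nobody. OpenVPN reads its key and certificate files at startup, before it drops privileges to nobody, so the key can also stay owned by root with mode 600; the persist-key option keeps restarts via SIGUSR1 working in that case.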

The sysctl errors indicate missing kernel modules. For OpenVZ containers:

# Run on the host node: give the container NET_ADMIN and access to /dev/net/tun
vzctl set CTID --save --capability net_admin:on
vzctl set CTID --save --devnodes net/tun:rw

For better troubleshooting, run OpenVPN in debug mode:

openvpn --config /etc/openvpn/server.conf --verb 6

Check for these critical startup phases in output:

1. TLS certificate verification
2. TUN/TAP device initialization 
3. Network route configuration

OpenVZ requires special NAT configuration for tun interfaces:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source YOUR_MAIN_IP

Validate these essential components in your setup:

1. /etc/openvpn/server.conf paths
2. Certificate files exist in specified locations
3. IP forwarding enabled (sysctl -w net.ipv4.ip_forward=1)
4. Firewall rules for UDP 1194
5. SELinux context (if enabled): restorecon -Rv /etc/openvpn (openvpn_t is the daemon's process domain, not a file type, so it cannot be applied to files with chcon)

First verify the actual location of your certificate files. Even though you mentioned they exist in /etc/openvpn/easy-rsa/keys/, OpenVPN might be looking elsewhere. Run:

ls -la /etc/openvpn/easy-rsa/keys/client.*
stat /etc/openvpn/easy-rsa/keys/client.crt

Your server.conf needs absolute paths to certificate files. Modify these lines:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

OpenVPN runs as the nobody user, so the certificates need proper permissions:

chown nobody:nobody /etc/openvpn/easy-rsa/keys/client.*
chmod 600 /etc/openvpn/easy-rsa/keys/client.*

The sysctl errors about bridge modules are unrelated but should be fixed:

modprobe bridge
lsmod | grep bridge

Create a verification script to check paths:

#!/bin/bash
for cert in ca.crt server.crt server.key client.crt client.key; do
    if [ ! -f "/etc/openvpn/easy-rsa/keys/$cert" ]; then
        echo "Missing: $cert"
    else
        echo "Found: $cert"
    fi
done

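If issues persist, regenerate the certificates. Note that ./clean-all deletes everything in the keys directory, including the existing CA, so every certificate issued earlier has to be reissued:

cd /etc/openvpn/easy-rsa/
source ./vars              # load the easy-rsa settings
./clean-all                # wipes the keys directory
./build-ca                 # new CA certificate and key
./build-key-server server  # server.crt / server.key
./build-dh                 # DH parameters, also removed by clean-all
./build-key client1        # client1.crt / client1.key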
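
A fuller version of the path check, as an added example that is not part of the original answer: it reads the file names from the config itself instead of a fixed list and flags private key material that group or others can read. Resolving relative names against the config's directory is an assumption that matches the /etc/openvpn behaviour described above; the function name check_openvpn_files and the status words are made up for this example.

```shell
#!/bin/bash
# Added example: verify every file an OpenVPN config references.
# Assumption: relative names resolve against the directory that holds the
# config file, matching the /etc/openvpn behaviour described above.

# Usage: check_openvpn_files /etc/openvpn/server.conf
# Prints "STATUS directive path" per file; returns 0 only if all are OK.
check_openvpn_files() {
    local conf="$1" rc=0 base directive path rest secret perms
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 2; }
    base=$(cd "$(dirname "$conf")" && pwd) || return 2
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|dh|crl-verify) secret=no ;;
            key|tls-auth)          secret=yes ;;   # private material
            *) continue ;;                         # comments, other options
        esac
        path=$(printf '%s' "$path" | tr -d '"')    # strip optional quotes
        case $path in
            /*) ;;                                 # already absolute
            *)  path="$base/$path" ;;
        esac
        perms=$(ls -ldL "$path" 2>/dev/null | cut -c5-10)   # group+other bits
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"; rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $directive $path"; rc=1
        elif [ "$secret" = yes ] && [ "$perms" != "------" ]; then
            echo "LOOSE-PERMS $directive $path"; rc=1
        else
            echo "OK $directive $path"
        fi
    done < "$conf"
    return "$rc"
}

# Run against a config only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_openvpn_files "$1"
fi
```

Run it as the user the daemon starts as; the UNREADABLE check is meaningless for root, which can read any file.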