Since 2.4~rc1-1 the OpenVPN binary package ships two additional systemd units from upstream:

/lib/systemd/system/openvpn-client@.service
/lib/systemd/system/openvpn-server@.service

in addition to the ones that are Debian specific:

/lib/systemd/system/openvpn.service
/lib/systemd/system/openvpn@.service

Except for the paths, the units look a bit different to the ones shipped by Debian. I doubt we can drop the upstream ones now since they have already been part of a stable release, but maybe we can adjust the Debian specific ones to be as close to the upstream ones as possible.

--- openvpn-server@.service	2017-06-22 18:00:56.000000000 +0200
+++ openvpn@.service	2016-01-20 17:31:04.000000000 +0100
@@ -1,22 +1,27 @@ [Unit] -Description=OpenVPN service for %I -After=syslog.target network-online.target -Wants=network-online.target +Description=OpenVPN connection to %i +PartOf=openvpn.service +ReloadPropagatedFrom=openvpn.service +Before=systemd-user-sessions.service Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] -Type=notify PrivateTmp=true -RuntimeDirectory=openvpn-server -RuntimeDirectoryMode=0710 -WorkingDirectory=/etc/openvpn/server -ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +KillMode=mixed +Type=forking +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid +PIDFile=/run/openvpn/%i.pid +ExecReload=/bin/kill -HUP $MAINPID +WorkingDirectory=/etc/openvpn +ProtectSystem=yes +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw [Install] WantedBy=multi-user.target
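Review bot: the two CapabilityBoundingSet= lines in this hunk are the security-relevant difference and the report does not spell it out; note also that the diff direction is upstream on the `-` side (`---` is openvpn-server@.service) and Debian on the `+` side (`+++` is openvpn@.service). Upstream grants CAP_DAC_OVERRIDE, which per capabilities(7) bypasses file read, write and execute permission checks, while Debian instead grants CAP_DAC_READ_SEARCH (bypasses only read and directory-search checks) plus CAP_AUDIT_WRITE (allows writing records to the kernel audit log). So upstream is broader on the DAC side and narrower on auditing, and a process that needs to emit audit records, such as one using a PAM-based auth plugin, cannot do so under the upstream set. The hunk also shows upstream using `Type=notify` with `RuntimeDirectory=openvpn-server` and `--status %t/openvpn-server/status-%i.log`, and lacking the Debian `ProtectSystem=yes`, `ExecReload=` and `PIDFile=` lines. Any alignment of the Debian unit with upstream should list these differences individually and keep a comment in the unit explaining why CAP_AUDIT_WRITE is included, rather than copying the upstream file wholesale.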
This bug hit me pretty hard. I unknowingly used the upstream openvpn-server@ unit, and then spent a day or so trying to work out why it did not work - the upstream one has CAP_AUDIT_WRITE missing from its capability list. Perhaps the upstream one could be patched to include this capability?
Hi,

Unfortunately I'm a total DAC illiterate, can anyone explain the difference between

Upstream: CAP_DAC_OVERRIDE
Debian: CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE

and what they actually mean? What is allowed by the Debian unit that is not allowed by the Upstream unit, and when would you need this?

Can you file an upstream bug about this? https://community.openvpn.net/openvpn/report

I was actually looking into changing the Debian unit to be like the upstream unit.

Regards,
Bernhard
Bernhard, I too am DAC illiterate. I merely took the list of capabilities from http://man7.org/linux/man-pages/man7/capabilities.7.html and binary chopped to find the missing one. Regards, John
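As an added example (not code from the bug report, from Debian, or from upstream OpenVPN), the comparison John did by hand against capabilities(7) can be done directly from the two unit files: extract each CapabilityBoundingSet= line and diff the two sets. The script embeds constructed excerpts of the two [Service] sections from the diff above as its sample input and runs on those when called without arguments; given two unit file paths it compares real files instead.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Debian/upstream packages:
# compare the CapabilityBoundingSet= lines of two systemd unit files and report
# which capabilities each side grants that the other does not.
export LC_ALL=C   # byte-wise sort so comm(1) sees consistently ordered input

cap_set() {
    # Print every capability named on a CapabilityBoundingSet= line of unit
    # file $1, one per line, sorted and de-duplicated. An inverted set
    # ("CapabilityBoundingSet=~CAP_...") is not handled by this simple parser.
    sed -n 's/^CapabilityBoundingSet=//p' "$1" | tr ' ' '\n' | grep -v '^$' | sort -u
}

cap_only_in() {
    # Capabilities granted by unit $1 but not by unit $2, space separated.
    a=$(mktemp) && b=$(mktemp) || return 1
    cap_set "$1" > "$a"
    cap_set "$2" > "$b"
    comm -23 "$a" "$b" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$a" "$b"
}

write_sample_units() {
    # Constructed sample input: the CapabilityBoundingSet= lines quoted in the
    # diff of this report, written to $1/upstream.service and $1/debian.service.
    cat > "$1/upstream.service" <<'EOF'
[Service]
Type=notify
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
EOF
    cat > "$1/debian.service" <<'EOF'
[Service]
Type=forking
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
EOF
}

if [ "$#" -eq 2 ]; then
    # Usage: capdiff.sh UNIT_A UNIT_B (for example the two template units
    # under /lib/systemd/system)
    left=$1; right=$2
else
    # No arguments: demonstrate on the constructed samples.
    tmp=$(mktemp -d)
    write_sample_units "$tmp"
    left=$tmp/upstream.service; right=$tmp/debian.service
fi
echo "only in $left: $(cap_only_in "$left" "$right")"
echo "only in $right: $(cap_only_in "$right" "$left")"
if [ -n "${tmp:-}" ]; then rm -rf "$tmp"; fi
```

This compares what the unit files declare. To confirm what a running instance actually holds, read the CapBnd line from /proc/PID/status of its main process (the PID is available from `systemctl show -p MainPID --value UNIT`) and decode the mask with `capsh --decode=`.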
Cloned into separate bug for the limited bounding set
Hi, I found another issue regarding the new openvpn-server and openvpn-client template services. The old openvpn@.service unit has a generator[1] that looks for config files in /etc/openvpn/ and creates instances if needed. The openvpn-server@.service and openvpn-client@.service templates are not handled by a generator, the user has to enable the instances manually. I think this difference should be either fixed or documented. [1] /lib/systemd/system-generators/openvpn-generator
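As an added, hypothetical example (this is not Debian's /lib/systemd/system-generators/openvpn-generator and not code from upstream OpenVPN), here is the shape a matching generator for the new templates could take: it scans a configuration directory for NAME.conf files and creates multi-user.target.wants symlinks for the corresponding template instance in the generator output directory that systemd passes as the first of its three arguments (see systemd.generator(7)). The directory /etc/openvpn/server is taken from the upstream unit's WorkingDirectory in the diff above; /etc/openvpn/client is an assumption for the client template. The entry point only acts when given systemd's three directory arguments, so the function can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added, hypothetical example: a systemd generator that enables
# openvpn-server@NAME and openvpn-client@NAME for every NAME.conf found in
# the templates' config directories, mirroring what the Debian generator does
# for openvpn@.service. Not Debian's or upstream's code.
#
# systemd invokes generators as: generator NORMAL_DIR EARLY_DIR LATE_DIR

generate_openvpn_wants() {
    # $1 = config directory (e.g. /etc/openvpn/server)
    # $2 = template name without the "@" (openvpn-server or openvpn-client)
    # $3 = generator output directory (systemd's NORMAL_DIR)
    # Prints the instance names it enabled, one per line.
    confdir=$1; template=$2; outdir=$3
    wants="$outdir/multi-user.target.wants"
    for conf in "$confdir"/*.conf; do
        [ -e "$conf" ] || continue          # pattern did not match any file
        name=$(basename "$conf" .conf)
        # Simplification: skip names that would need systemd instance escaping
        # (spaces, "@", "/", ...); a real generator would systemd-escape them.
        case $name in
            *[!A-Za-z0-9_.-]*) continue ;;
        esac
        mkdir -p "$wants"
        # Symlink points at the template; systemd resolves the instance from
        # the link name, exactly as "systemctl enable $template@$name" would.
        ln -sf "/lib/systemd/system/$template@.service" \
               "$wants/$template@$name.service"
        echo "$name"
    done
}

# Only act when invoked by systemd with its three directory arguments; when
# sourced or run by hand the functions above are available but nothing is
# written to the live generator directories.
if [ "$#" -eq 3 ]; then
    generate_openvpn_wants /etc/openvpn/server openvpn-server "$1" >/dev/null
    generate_openvpn_wants /etc/openvpn/client openvpn-client "$1" >/dev/null   # assumed client dir
fi
```

Whether such a generator is desirable is exactly the question the message raises: auto-enabling every config file is convenient, but it also means dropping a file into the directory starts a VPN daemon with the unit's full capability set at the next boot, so the behaviour should at least be documented either way.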
According to the OpenVPN wiki [0]:

- openvpn@.service is deprecated.
- openvpn.service is obsoleted. (This is only used for backward compatibility)

The openvpn-client@ and openvpn-server@ units worked very nicely for me, is it possible to add a header to both units to point to the recommended units?

# Using this unit file is not recommended, use openvpn-client@ and openvpn-server@ instead
# Further information: https://community.openvpn.net/openvpn/wiki/Systemd

[0] https://community.openvpn.net/openvpn/wiki/Systemd