#866523 Duplicate systemd units

Package:
openvpn
Source:
openvpn
Description:
virtual private network daemon
Submitter:
Bernhard Schmidt
Date:
2023-04-21 09:03:03 UTC
Severity:
important
Tags:
#866523#5
Date:
2017-06-29 20:19:47 UTC
From:
To:
Since 2.4~rc1-1 the OpenVPN binary package ships two additional systemd
units from upstream

/lib/systemd/system/openvpn-client@.service
/lib/systemd/system/openvpn-server@.service

in addition to the ones that are Debian specific

/lib/systemd/system/openvpn.service
/lib/systemd/system/openvpn@.service

Except for the paths the units look a bit different to the ones shipped by
Debian.

I doubt we can drop the upstream ones now since they have already been
part of a stable release, but maybe we can adjust the Debian specific ones
to be as close to the upstream ones as possible.
--- openvpn-server@.service     2017-06-22 18:00:56.000000000 +0200
+++ openvpn@.service    2016-01-20 17:31:04.000000000 +0100
@@ -1,22 +1,27 @@
 [Unit]
-Description=OpenVPN service for %I
-After=syslog.target network-online.target
-Wants=network-online.target
+Description=OpenVPN connection to %i
+PartOf=openvpn.service
+ReloadPropagatedFrom=openvpn.service
+Before=systemd-user-sessions.service
 Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

 [Service]
-Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-server
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/server
-ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+KillMode=mixed
+Type=forking
+ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
+PIDFile=/run/openvpn/%i.pid
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/openvpn
+ProtectSystem=yes
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw

 [Install]
 WantedBy=multi-user.target
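
Review bot: The two CapabilityBoundingSet= lines disagree in both directions: the openvpn-server@ side grants CAP_DAC_OVERRIDE but no CAP_AUDIT_WRITE, while the openvpn@ side grants CAP_DAC_READ_SEARCH and CAP_AUDIT_WRITE but no CAP_DAC_OVERRIDE. If the Debian unit is adjusted toward the upstream one, settle on one set, keep it to what the daemon needs, and carry over ProtectSystem=yes, which appears only on the openvpn@ side. The openvpn@ Documentation= line also still points at Openvpn23ManPage where the other unit has Openvpn24ManPage.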

#866523#10
Date:
2017-07-18 09:15:59 UTC
From:
To:
This bug hit me pretty hard. I unknowingly used the upstream openvpn-server@ unit, and then spent a day or so trying to work out why it did not work - the upstream one has CAP_AUDIT_WRITE missing from its capability list.

Perhaps the upstream one could be patched to include this capability?

#866523#15
Date:
2017-07-18 15:14:35 UTC
From:
To:
Hi,

Unfortunately I'm a total DAC illiterate, can anyone explain the
difference between

Upstream:
CAP_DAC_OVERRIDE

Debian:
CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE

and what they actually mean? What is allowed by the Debian unit that is
not allowed by the Upstream unit, and when would you need this?

Can you file an upstream bug about this?
https://community.openvpn.net/openvpn/report

I was actually looking into changing the Debian unit to be like the
upstream unit.

Regards,
Bernhard
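
The capability difference asked about above, computed from the two CapabilityBoundingSet= lines in the diff. This is an added example, not part of the original thread or the package; the unit texts are constructed from the quoted diff lines, and the one-line meanings are paraphrased from capabilities(7). Inverted (~) lists are rejected rather than evaluated.

```python
# Unit texts constructed from the CapabilityBoundingSet= lines quoted in this bug report.
UPSTREAM_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
"""
DEBIAN_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
"""

# One-line summaries paraphrased from capabilities(7).
MEANING = {
    "CAP_DAC_OVERRIDE": "bypass file read, write and execute permission checks",
    "CAP_DAC_READ_SEARCH": "bypass file read checks and directory read/search checks",
    "CAP_AUDIT_WRITE": "write records to the kernel audit log",
}

def bounding_set(unit_text):
    """Return the capabilities a unit's [Service] section leaves in the bounding set."""
    caps, section = set(), None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        if value.startswith("~"):
            # Inverted lists need the kernel's full capability list; out of scope here.
            raise ValueError("inverted (~) bounding sets are not handled")
        if not value:
            caps.clear()                 # an empty assignment resets earlier lines
        else:
            caps |= set(value.split())   # repeated lines are merged
    return caps

def compare(a_text, b_text):
    """Return (only_in_a, only_in_b) as sorted lists of capability names."""
    a, b = bounding_set(a_text), bounding_set(b_text)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    sides = ("upstream only", "Debian only")
    for side, caps in zip(sides, compare(UPSTREAM_UNIT, DEBIAN_UNIT)):
        for cap in caps:
            print(f"{side}: {cap}: {MEANING.get(cap, 'see capabilities(7)')}")
```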

#866523#22
Date:
2017-07-18 15:37:58 UTC
From:
To:
Bernhard,

I too am DAC illiterate. I merely took the list of capabilities from
http://man7.org/linux/man-pages/man7/capabilities.7.html and binary
chopped to find the missing one.

Regards,
John

#866523#27
Date:
2017-07-18 20:10:54 UTC
From:
To:
Cloned into separate bug for the limited bounding set

#866523#34
Date:
2019-01-07 12:14:57 UTC
From:
To:
Hi,

I found another issue regarding the new openvpn-server and openvpn-client
template services. The old openvpn@.service unit has a generator[1] that
looks for config files in /etc/openvpn/ and creates instances if needed.
The openvpn-server@.service and openvpn-client@.service templates are
not handled by a generator, the user has to enable the instances
manually.

I think this difference should be either fixed or documented.

[1] /lib/systemd/system-generators/openvpn-generator

#866523#52
Date:
2023-04-21 08:53:55 UTC
From:
To:
According to the OpenVPN wiki [0]:
- openvpn@.service is deprecated.
- openvpn.service is obsoleted. (This is only used for backward
compatibility)

The openvpn-client@ and openvpn-server@ units worked very nicely for me,
is it possible to add a header to both units to point to the recommended
units?

# Using this unit file is not recommended, use openvpn-client@ and openvpn-server@ instead
# Further information: https://community.openvpn.net/openvpn/wiki/Systemd

[0] https://community.openvpn.net/openvpn/wiki/Systemd