openvpn/distro/systemd/openvpn-client@.service.in

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true

[Install]
WantedBy=multi-user.target
Add systemd unit file for OpenVPN This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043 2014-09-18 04:57:53 -04:00			`[Unit]`
			`Description=OpenVPN tunnel for %I`
systemd: Reworked the systemd unit file to handle server and client configs better Systemd can delay starting a service if the network isn't fully available yet. This feature is useful in client configurations, where OpenVPN will not be started before the client can reach the Internet. It is the network service manager which tells systemd if the system is "online" or not. For server configurations, the OpenVPN should be able to be started, regardless if the system is "online" or not. This is also the old behaviour of most of the old init.d script and the last systemd unit file. This patch splits the previous systemd unit file into to two files. One which is aimed at clients (openvpn-client@.service) and one for server configurations (openvpn-server@.service). These files will also pick the configurations from different sub-directories. The unit file for openvpn-client@ will use /etc/openvpn/client and the server unit file will use /etc/openvpn/server. This also ensures that config files are not started in the wrong manner. The arguments given to the openvpn binary have also shifted order, to ensure that some of them cannot be overridden by the config file, such as --daemon and --writepid. For server configurations a --status file is also added with the status format set to 2. This can be overridden by the configuration file. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/9222 Signed-off-by: Gert Doering <gert@greenie.muc.de> 2014-11-13 09:43:37 -05:00			`After=syslog.target network-online.target`
			`Wants=network-online.target`
Add systemd unit file for OpenVPN This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043 2014-09-18 04:57:53 -04:00			`Documentation=man:openvpn(8)`
systemd: Improve the systemd unit files There are several changes which allows systemd to take care of several aspects of hardening the execution of OpenVPN. - Let systemd take care of the process tracking directly, instead of doing that via PID files - Make systemd prepare proper runtime directories for the OpenVPN process. - Let systemd do the chdir() before starting OpenVPN. This allows us to avoid using the --cd option when executing openvpn. - CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise the root user would not be allowed to access files/directories not owned by root. This will change in the future, when we find better ways to avoid calling chroot() in OpenVPN and rather let systemd prepare a more isolated namespace. - Client configurations are now started with --nobind and the OpenVPN client process have lost the CAP_NET_BIND_SERVICE capability which allows binding to port < 1024. - Documentation URL now points at the OpenVPN 2.4 man page URL The majority of these changes have been proposed by Elias Probst (eliasp) in the GitHub PR #22. v3 - Add ExecPreStart= to check if OpenVPN configuration contains 'daemon'. That can break the process tracking as we now use Type=simple (default) v2 - Change RuntimeDirectory= to a profile specific (client, server) directory to avoid clashing with older distro unit files Commit note: As this is not a critical security change, we apply this without any formal ACKs. It has been thoroghly tested by several users. See mailing list for details. Contribution-by: Elias Probst <mail@eliasprobst.eu> Signed-off-by: David Sommerseth <davids@openvpn.net> Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net> URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html 2016-11-14 06:20:08 -05:00			`Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage`
Add systemd unit file for OpenVPN This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043 2014-09-18 04:57:53 -04:00			`Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO`

			`[Service]`
Use systemd service manager notification Notify systemd service manager when our initialization sequence completed. This helps ordering services as dependencies can rely on vpn being available. v2: Add curly brackets (and indention) to block the else-part, msg() call was non-conditional before. v3: Move systemd header include from init.h to init.c. Signed-off-by: Christian Hesse <mail@eworm.de> Tested-By: Richard Bonhomme <fragmentux@gmail.com> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20161201213104.5667-1-list@eworm.de> URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-1-list@eworm.de Signed-off-by: David Sommerseth <davids@openvpn.net> 2016-12-01 16:31:03 -05:00			`Type=notify`
Add systemd unit file for OpenVPN This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043 2014-09-18 04:57:53 -04:00			`PrivateTmp=true`
systemd: Improve the systemd unit files There are several changes which allows systemd to take care of several aspects of hardening the execution of OpenVPN. - Let systemd take care of the process tracking directly, instead of doing that via PID files - Make systemd prepare proper runtime directories for the OpenVPN process. - Let systemd do the chdir() before starting OpenVPN. This allows us to avoid using the --cd option when executing openvpn. - CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise the root user would not be allowed to access files/directories not owned by root. This will change in the future, when we find better ways to avoid calling chroot() in OpenVPN and rather let systemd prepare a more isolated namespace. - Client configurations are now started with --nobind and the OpenVPN client process have lost the CAP_NET_BIND_SERVICE capability which allows binding to port < 1024. - Documentation URL now points at the OpenVPN 2.4 man page URL The majority of these changes have been proposed by Elias Probst (eliasp) in the GitHub PR #22. v3 - Add ExecPreStart= to check if OpenVPN configuration contains 'daemon'. That can break the process tracking as we now use Type=simple (default) v2 - Change RuntimeDirectory= to a profile specific (client, server) directory to avoid clashing with older distro unit files Commit note: As this is not a critical security change, we apply this without any formal ACKs. It has been thoroghly tested by several users. See mailing list for details. Contribution-by: Elias Probst <mail@eliasprobst.eu> Signed-off-by: David Sommerseth <davids@openvpn.net> Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net> URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html 2016-11-14 06:20:08 -05:00			`WorkingDirectory=/etc/openvpn/client`
systemd: Use automake tools to install unit files If systemd is enabled we install unit files to $libdir/systemd/system (or the path specified by SYSTEMD_UNIT_DIR). The unit files are generated on the fly with matching $sbindir. Signed-off-by: Christian Hesse <mail@eworm.de> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20170124143947.27385-1-list@eworm.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html Signed-off-by: David Sommerseth <davids@openvpn.net> 2017-01-24 09:39:46 -05:00			`ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf`
systemd: Improve the systemd unit files There are several changes which allows systemd to take care of several aspects of hardening the execution of OpenVPN. - Let systemd take care of the process tracking directly, instead of doing that via PID files - Make systemd prepare proper runtime directories for the OpenVPN process. - Let systemd do the chdir() before starting OpenVPN. This allows us to avoid using the --cd option when executing openvpn. - CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise the root user would not be allowed to access files/directories not owned by root. This will change in the future, when we find better ways to avoid calling chroot() in OpenVPN and rather let systemd prepare a more isolated namespace. - Client configurations are now started with --nobind and the OpenVPN client process have lost the CAP_NET_BIND_SERVICE capability which allows binding to port < 1024. - Documentation URL now points at the OpenVPN 2.4 man page URL The majority of these changes have been proposed by Elias Probst (eliasp) in the GitHub PR #22. v3 - Add ExecPreStart= to check if OpenVPN configuration contains 'daemon'. That can break the process tracking as we now use Type=simple (default) v2 - Change RuntimeDirectory= to a profile specific (client, server) directory to avoid clashing with older distro unit files Commit note: As this is not a critical security change, we apply this without any formal ACKs. It has been thoroghly tested by several users. See mailing list for details. Contribution-by: Elias Probst <mail@eliasprobst.eu> Signed-off-by: David Sommerseth <davids@openvpn.net> Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net> URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html 2016-11-14 06:20:08 -05:00			`CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE`
Add systemd unit file for OpenVPN This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043 2014-09-18 04:57:53 -04:00			`LimitNPROC=10`
			`DeviceAllow=/dev/null rw`
			`DeviceAllow=/dev/net/tun rw`
systemd: Add more security feature for systemd units ProtectSystem=true mounts the /usr and /boot directories read-only. ProtectHome=true makes the directories /home, /root and /run/user inaccessible and empty for the process. See systemd.exec(5) [0] for details. v2: Replace ProtectSystem=strict with ProtectSystem=true. Some configurations may want to write to /etc or the like. [0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html Signed-off-by: Christian Hesse <mail@eworm.de> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20161227221832.610-1-list@eworm.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13743.html Signed-off-by: David Sommerseth <davids@openvpn.net> 2016-12-27 17:18:32 -05:00			`ProtectSystem=true`
			`ProtectHome=true`
Add systemd unit file for OpenVPN This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043 2014-09-18 04:57:53 -04:00
			`[Install]`
			`WantedBy=multi-user.target`