There were some complaints about valid setups
that ran into problems with LimitNPROC. This
is especially true since LimitNPROC limits
the total number of threads running for the
same uid, so if multiple openvpn services run
under the same user, they will compete for
resources. As suggested in the systemd
documentation, change this to TasksMax, which
really counts the threads running in one
specific service.
Also increase the limit. When using e.g.
resolvconf for DNS configuration the limit
can be exhausted just due to the amount of
nested shell scripts.
Github: Fixes OpenVPN/openvpn#929
Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539
Message-Id: <20260313223833.3813-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36123.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c02964f0b2)
This is necessary to make the ``--nice n`` option work for OpenVPN
instances started by systemd.
Github: closes OpenVPN/openvpn#834
Signed-off-by: Simon Matter <simon.matter@invoca.ch>
Acked-By: Arne Schwabe <arne@rfc2549.org>
Message-Id: <f58b64307a86c62cb20a142ebfb40e56.20251204111659.1764843419@xxl.corp.invoca.ch>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34803.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The service name displays `%I` which invokes systemd's path mangling
(notably, converting `-` to `/`), suggesting you need to provide an
encoded parameter (via e.g. `systemd-escape`), but the start command
itself uses `%i` which doesn't do the conversion.
This updates the service name to match the start command.
Signed-off-by: Terrance <git@terrance.allofti.me>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250729180014.11550-2-sourceforge@terrance.allofti.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32423.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
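
Added example (not part of the commit or of the OpenVPN source): a small Python model of how systemd expands `%i` and `%I`, showing why a description using `%I` and a start command using `%i` disagree about the same instance name. The instance name `site-a` and the two template strings are constructed for illustration.

```python
import re

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")

def escape_instance(name: str) -> str:
    """Mimic `systemd-escape NAME` (non-path mode)."""
    out = []
    for idx, byte in enumerate(name.encode()):
        ch = chr(byte)
        if ch == "/":
            out.append("-")
        elif (ch.isascii() and ch.isalnum()) or ch in ":_" or (ch == "." and idx > 0):
            out.append(ch)
        else:  # includes '-' and '\', which must not survive literally
            out.append("\\x%02x" % byte)
    return "".join(out)

def unescape_instance(instance: str) -> str:
    """What %I yields: '-' becomes '/', '\\xNN' becomes byte NN."""
    out, pos = bytearray(), 0
    while pos < len(instance):
        m = _ESC.match(instance, pos)
        if m:
            out.append(int(m.group(1), 16))
            pos = m.end()
        else:
            out += b"/" if instance[pos] == "-" else instance[pos].encode()
            pos += 1
    return out.decode("utf-8", errors="replace")

def expand(text: str, instance: str) -> str:
    """Expand only the %i (raw) and %I (unescaped) specifiers."""
    return re.sub(r"%([iI])",
                  lambda m: instance if m.group(1) == "i" else unescape_instance(instance),
                  text)

if __name__ == "__main__":
    # Constructed instance names, as in `systemctl start openvpn-server@site-a`.
    for inst in ("site-a", escape_instance("site-a")):
        print(repr(inst), "|", expand("tunnel %I", inst), "|", expand("--config %i.conf", inst))
```

With the raw name, `%I` shows `site/a` while `%i.conf` opens `site-a.conf`; with the escaped name, `%I` shows `site-a` but `%i.conf` looks for `site\x2da.conf`.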
The systemd unit files for both client and server were referencing
outdated documentation as they were hard-coded to the OpenVPN 2.4.x
release branch.
Github: closes OpenVPN/openvpn#457
Change-Id: Iee289aa5df9ee0e9a03c0dc562e45dd39836e794
Signed-off-by: Christoph Schug <com+github@schug.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240308140346.4058419-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28369.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On Linux, when dropping privileges, interaction with
the network configuration, such as tearing down routes
or ovpn-dco interfaces will fail when --user/--group are
used.
This patch sets the CAP_NET_ADMIN capability, which grants
the needed privileges during the lifetime of the OpenVPN
process when dropping root privileges.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Reviewed-By: David Sommerseth <davids@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220514103717.235-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24360.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
    openvpn[1111]: sudo: unable to send audit message
    openvpn[1111]: sudo: pam_open_session: System error
    openvpn[1111]: sudo: policy plugin failed session initialization
See links from https://community.openvpn.net/openvpn/ticket/918 for
more.
auth_pam is a common use case and capabilities for it should be allowed
by the .service file.
Fixes: #918
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Systemd supervises services it has started and can act upon unexpected
scenarios. This change will restart OpenVPN after 5 seconds if the OpenVPN
process exits unexpectedly.
The on-failure mode is the recommended mode by upstream systemd.
This change has been tested on a test server for some months, and it
works indeed as intended when provoking the OpenVPN process to stop.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170906235202.26551-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15370.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
By default, when systemd is stopping OpenVPN it will send the SIGTERM
to all processes within the same process control-group. This can come
as a surprise to plug-ins which may have fork()ed out child processes.
So we tell systemd to only send the SIGTERM signal to the main OpenVPN
process and let OpenVPN take care of the shutdown process on its own.
If the main OpenVPN process does not stop within 90 seconds (unless
changed), it will send SIGKILL to all remaining processes within
the same process control-group.
This issue has been reported in both Debian and Fedora.
Trac: 581
Message-Id: <20170906234705.26202-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
[DS: Applied lazy-ack policy]
ProtectSystem=true mounts the /usr and /boot directories read-only.
ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.
See systemd.exec(5) [0] for details.
v2: Replace ProtectSystem=strict with ProtectSystem=true. Some
configurations may want to write to /etc or the like.
[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161227221832.610-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13743.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.
So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and their content.
As /run is volatile we do not have to care about cleanup.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-2-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
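
Added example (not part of any commit above, and not the unit file shipped by OpenVPN): a Python check that reads a template unit and reports the conditions these commit messages describe. The sample unit, its values and paths are constructed; `CAP_AUDIT_WRITE` and the `KillMode` values `process`/`mixed` are assumed to be the directives behind "audit writes" and "only signal the main process".

```python
# Constructed sample template unit for illustration; not the file shipped by OpenVPN.
SAMPLE_UNIT = """\
[Unit]
Description=Example tunnel %i

[Service]
ExecStart=/usr/sbin/openvpn --config %i.conf
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
LimitNPROC=10
RuntimeDirectory=openvpn
ProtectSystem=true
"""

def parse_service(text):
    """Return {key: [values]} for [Service]; repeated keys accumulate."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts.setdefault(key, []).append(value)
    return opts

def audit(text):
    """Return (directive, reason) findings drawn from the commit messages."""
    s = parse_service(text)
    last = lambda key: s.get(key, [""])[-1]
    caps = set(" ".join(s.get("CapabilityBoundingSet", [])).split())
    out = []
    if "LimitNPROC" in s:
        out.append(("LimitNPROC", "per-uid limit shared by all services of that user; TasksMax is per service"))
    if "CapabilityBoundingSet" in s:
        if "CAP_NET_ADMIN" not in caps:
            out.append(("CAP_NET_ADMIN", "route/interface teardown fails after --user/--group"))
        if "CAP_AUDIT_WRITE" not in caps:
            out.append(("CAP_AUDIT_WRITE", "auth_pam cannot send audit messages"))
    if last("KillMode") not in ("process", "mixed"):
        out.append(("KillMode", "SIGTERM reaches plug-in child processes too"))
    if last("Restart") != "on-failure":
        out.append(("Restart", "no automatic restart after an unexpected exit"))
    if "RuntimeDirectory" in s:  # in a template unit, every instance shares it
        out.append(("RuntimeDirectory", "instances remove each other's runtime directory"))
    out += [(k, "filesystem isolation not enabled") for k in ("ProtectSystem", "ProtectHome") if k not in s]
    return out
```

Calling `audit(SAMPLE_UNIT)` returns one finding per condition the sample triggers; a unit that sets all of the discussed directives returns an empty list.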
If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-01-25 19:39:42 +01:00
Renamed from distro/systemd/openvpn-server@.service