In order to make systemd know, when openvpn is REALLY started, I modified /lib/systemd/system/openvpn@.service as follows:

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service

[Service]
Type=notify
NotifyAccess=all
ExecStart=/usr/sbin/openvpn --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --up "/etc/openvpn/notifyhelper.sh ${NOTIFY_SOCKET}"
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target
EOF

(Probably NotifyAccess=exec can also work; this has not been tested. That must be tried later when everything else works.)

I created /etc/openvpn/notifyhelper.sh executable as follows:

#!/bin/bash
set -e
# Exported so that systemd-notify finds the socket in its environment.
export NOTIFY_SOCKET="$1"
# $PPID is the openvpn process that invoked this --up script.
/bin/systemd-notify --ready --pid="$PPID"
EOF

The NOTIFY_SOCKET variable must be passed to the notifyhelper script as shown above because openvpn cleans it from the environment and then systemd-notify cannot contact systemd.

The system works almost. But there are two major problems:

Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 /sbin/ip link set dev tun0 up mtu 1500
Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 /sbin/ip addr add dev tun0 local 192.100.100.5 peer 192.100.100.1
Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 /etc/openvpn/notifyhelper.sh /run/systemd/notify tun0 1500 1542 192.100.100.5 192.100.100.1 init
Mär 09 08:53:47 m2 systemd[1]: Started OpenVPN connection to client.    <<< this is what notifyhelper.sh does!
Mär 09 08:53:47 m2 systemd[1]: Mounting /home...
Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 /sbin/ip route del 0.0.0.0/0
Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 /sbin/ip route add 0.0.0.0/0 via 192.100.100.1
Mär 09 08:53:47 m2 openvpn[664]: Thu Mar 9 08:53:47 2017 Initialization Sequence Completed

As you see from the journalctl excerpt above, some routes are set AFTER notifyhelper.sh gets called. So we have an order problem here. I do not find a way to specify that notifyhelper.sh must be called VERY LAST. If I read my logs longer I see that mounting /home fails because the routes have not been set...

Second major problem:

Mär 09 08:53:44 m2 openvpn[664]: Thu Mar 9 08:53:44 2017 Multiple --up scripts defined. The previously configured script is overridden.

In my case this leads to the problem that /etc/openvpn/update-resolv-conf does not get called, which is specified from my /etc/openvpn/client.conf file.

Conclusion: It does not seem to be easy to make openvpn call some script at the very end without interfering with the way the user thinks his own config file works (i.e. the user has his own --up calls there).

The clean way would be to have openvpn call systemctl sd_notify(...READY=1) at the absolute end of initialization. Upstream someone?

Meanwhile I will continue by writing a custom systemd service which waits until openvpn is ready by doing DNS lookups and/or pings. Then I will add the necessary dependencies to make my boot work. But for now I will give up on the idea of doing it the right way.

cya
erik
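
An added example, not part of Erik's message and not code from openvpn or systemd: one way to build the "wait until openvpn is ready" helper he describes. Instead of DNS lookups or pings, it checks for the default route through the tunnel, which is the step the journal shows happening after the early READY. The function names and the ROUTE_CMD hook are hypothetical; tun0 is taken from the log above.

```shell
#!/bin/sh
# Added example: block until the default route points at the VPN tunnel
# device, or fail after a timeout, so dependent units never start on the
# pre-VPN route.
# ROUTE_CMD is a hypothetical hook: it lets the check run against
# constructed output instead of the live routing table.
ROUTE_CMD="${ROUTE_CMD:-ip -4 route show default}"

# default_route_on_dev DEV
# Succeeds when a "default ... dev DEV" route is present.
default_route_on_dev() {
    $ROUTE_CMD 2>/dev/null | awk -v dev="$1" '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# wait_for_vpn DEV TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Returns 0 once the route is in place, 1 if the timeout expires first.
wait_for_vpn() {
    dev="$1"; timeout="$2"; interval="${3:-1}"
    waited=0
    while ! default_route_on_dev "$dev"; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# When run with arguments (e.g. "tun0 60"), act as the ExecStart of a
# oneshot unit that the /home mount is ordered after.
if [ "$#" -ge 1 ]; then
    wait_for_vpn "$1" "${2:-60}"
    exit $?
fi
```

A non-zero exit on timeout makes the oneshot unit fail, so a mount that requires it is not attempted over the non-VPN route.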