Package: openvpn
Version: 2.4.7-1
Severity: normal

Hi,

On one machine that runs an OpenVPN server, I also have a name server
running that should also service requests from the VPN on the machine's
tun0 IP address. For reasons related to systemd, I therefore need to
delay the start of the name server to a point when the OpenVPN daemon
has already created the tun0 interface.

In stretch, this could be done with some aux unit:

- network initializes
- OpenVPN starts immediately
- a unit wait-vpn-ready.service, WantedBy=network-online.target waits
  for tun0 to show up
- a unit wait-no-tentative-ipv6.service, also
  WantedBy=network-online.target, waits for IPv6 having left tentative
  state.
- bind9 waits for network-online.target

In buster, OpenVPN has After=network-online.target and
Wants=network-online.target itself, which breaks this scheme.
wait-vpn-ready.service times out because the OpenVPN service it is
waiting for has never started in the first place, and then OpenVPN and
the DNS server start simultaneously.

I do not know why it is necessary to have OpenVPN wait for
network-online.target other than log cosmetics, but there should be a
possibility to override this new behavior.

Unfortunately, dropping a
/etc/systemd/system/openvpn@.service.d/after-wants.conf with
[Unit]
After=
Wants=
doesn't help here. With the current state of the package, the only
method that helps is copying /lib/systemd/system/openvpn@.service to
/etc/systemd/system/openvpn@.service and making the necessary changes
there. This of course does make future packaging changes in
/lib/systemd/system/openvpn@.service ineffective on the system in
question since the entire Unit is overridden. I am not sure whether this
is desirable. Having the entire unit as a dpkg-conffile in /etc would
probably be a policy violation.

A possible solution is:

[8/4996]mh@torres:~ $ sudo systemctl cat openvpn@.service
# /lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/
PIDFile=/run/openvpn/%i.pid
KillMode=process
ExecReload=/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_
LimitNPROC=100
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target

# /lib/systemd/system/openvpn@.service.d/after-wants.conf
[Unit]
After=network-online.target
Wants=network-online.target
While shipping both a unit file and an override file for this very unit
in the same package might look confusing at first, this allows the
After= and Wants= settings to be overridden by placing another override
file in /etc/systemd/system/openvpn@.service.d/after-wants.conf.

I am not sure whether the inability to override unit dependencies from a
Unit in an override file is a shortcoming in systemd or not and I don't
want to get into this level of politics today.

Please consider whether the suggested change might be suitable for the
OpenVPN package, probably not without extensive documentation and
rationale.

Greetings
Marc
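The two aux units described at the top of the report (wait for tun0 to show up, wait for IPv6 to leave tentative state) both boil down to a readiness check that their ExecStart= can run. The script below is an added example, not part of Marc's report or of the Debian package; the unit name, the default timeout of 60 seconds and the sample `ip addr` outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: readiness check for a hypothetical wait-vpn-ready.service
# (Type=oneshot, WantedBy=network-online.target). It merges both waits from
# the report: tun0 must carry an address, and no IPv6 address on it may
# still be "tentative" (duplicate address detection not finished).

# vpn_ready ADDR_OUTPUT
#   ADDR_OUTPUT is the text of `ip addr show dev tun0`.
#   Returns 0 when ready, 1 when no address is configured yet,
#   2 when an IPv6 address is still tentative.
vpn_ready() {
    out=$1
    printf '%s\n' "$out" | grep -q '^ *inet' || return 1
    printf '%s\n' "$out" | grep -q 'tentative' && return 2
    return 0
}

# wait_for_vpn IFACE [TIMEOUT_SECONDS]
#   Polls once per second until vpn_ready succeeds or the timeout expires.
#   A missing interface makes `ip` fail, which counts as "not ready".
wait_for_vpn() {
    iface=$1
    left=${2:-60}
    while [ "$left" -gt 0 ]; do
        if out=$(ip addr show dev "$iface" 2>/dev/null) && vpn_ready "$out"; then
            return 0
        fi
        sleep 1
        left=$((left - 1))
    done
    echo "timed out waiting for $iface" >&2
    return 1
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_NO_ADDR='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none '
SAMPLE_TENTATIVE="$SAMPLE_NO_ADDR
    inet 10.8.0.1/24 scope global tun0
    inet6 fd00:8::1/64 scope global tentative"
SAMPLE_READY="$SAMPLE_NO_ADDR
    inet 10.8.0.1/24 scope global tun0
    inet6 fd00:8::1/64 scope global"

# Invoked by the unit as: wait-vpn-ready.sh --wait tun0 60
# The exit status decides whether the oneshot unit succeeds.
if [ "${1:-}" = "--wait" ]; then
    wait_for_vpn "${2:-tun0}" "${3:-60}"
fi
```

Because bind9 is ordered After=network-online.target, a non-zero exit of this unit leaves the target unreached and the name server does not start on a half-configured tun0.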
