Hi,

Following are the server and client systemd unit files
which work best for me.


Tested on:
Archlinux     - OpenVPN 2.3.13 x86_64-unknown-linux-gnu - systemd 231
CentOS 7      - OpenVPN 2.3.12 x86_64-redhat-linux-gnu  - systemd 219
Debian 8      - OpenVPN 2.3.13 x86_64-pc-linux-gnu      - systemd 215
OpenSUSE 42.2 - OpenVPN 2.3.8 x86_64-suse-linux-gnu     - systemd 228
Fedora 24     - OpenVPN 2.3.12 x86_64-redhat-linux-gnu  - systemd 229
Ubuntu 16.04  - OpenVPN 2.3.13 x86_64-pc-linux-gnu      - systemd 229

Tested with:
Multiple server and multiple client configs all enabled.

Tests:
systemctl enable/disable/start/stop/restart/reboot

Result:
ALL Tests passed.

Note:
I have inserted blank lines to help with email line wrap.


=====


openvpn-client@.service

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client

ExecStart=/usr/sbin/openvpn --config %i.conf --nobind --suppress-timestamps

CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE

LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target


=====


openvpn-server@.service

[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
RuntimeDirectory=openvpn-server
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/server

ExecStart=/usr/sbin/openvpn --config %i.conf --status %t/openvpn-server/%i-status.log --status-version 2 --suppress-timestamps

CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE

LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target


=====


Regards



On 20/10/16 21:42, David Sommerseth wrote:
> There are several changes which allows systemd to take care of several
> aspects of hardening the execution of OpenVPN.
>
> - Let systemd take care of the process tracking directly, instead
>   of doing that via PID files
>
> - Make systemd prepare proper runtime directories for the OpenVPN
>   process.
>
> - Let systemd do the chdir() before starting OpenVPN.  This allows
>   us to avoid using the --cd option when executing openvpn.
>
> - CAP_DAC_OVERRIDE was needed when using --chroot.  Otherwise
>   the root user would not be allowed to access files/directories
>   not owned by root.  This will change in the future, when we
>   find better ways to avoid calling chroot() in OpenVPN and
>   rather let systemd prepare a more isolated namespace.
>
> - Client configurations are now started with --nobind and
>   the OpenVPN client process have lost the CAP_NET_BIND_SERVICE
>   capability which allows binding to port < 1024.
>
> - Documentation URL now points at the OpenVPN 2.4 man page URL
>
> The majority of these changes have been proposed by Elias Probst
> (eliasp) in the GitHub PR #22.
>
> Contribution-by: Elias Probst <m...@eliasprobst.eu>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
>  distro/systemd/openvpn-client@.service | 11 ++++++-----
>  distro/systemd/openvpn-server@.service | 14 ++++++++------
>  2 files changed, 14 insertions(+), 11 deletions(-)
>
> diff --git a/distro/systemd/openvpn-client@.service 
> b/distro/systemd/openvpn-client@.service
> index 56d93a9..051eb47 100644
> --- a/distro/systemd/openvpn-client@.service
> +++ b/distro/systemd/openvpn-client@.service
> @@ -3,15 +3,16 @@ Description=OpenVPN tunnel for %I
>  After=syslog.target network-online.target
>  Wants=network-online.target
>  Documentation=man:openvpn(8)
> -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
> +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>  Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>
>  [Service]
>  PrivateTmp=true
> -Type=forking
> -PIDFile=/var/run/openvpn/client_%i.pid
> -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf 
> --daemon --writepid /var/run/openvpn/client_%i.pid
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
> +RuntimeDirectory=openvpn
> +RuntimeDirectoryMode=0710
> +WorkingDirectory=/etc/openvpn/client
> +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
> CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>  LimitNPROC=10
>  DeviceAllow=/dev/null rw
>  DeviceAllow=/dev/net/tun rw
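Review bot: in the new ExecStart line `--nobind` is placed before `--config %i.conf`, so a client config that still contains `bind` or `lport` is processed after it and re-enables binding; with CAP_NET_BIND_SERVICE now dropped from the bounding set that only surfaces as a bind failure at start-up rather than a clear refusal. Consider `ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf --nobind` so the unit's setting is last on the command line, or state in the unit that client configs must not use bind/lport. The same hunk drops `Type=forking`, `--daemon` and `--writepid` without a comment in the unit: a config that still carries `daemon` will fork away from the process systemd tracks and the service will be reported as exited, so a one-line comment here (or a changelog entry) that `daemon`/`writepid` must be removed from configs would save users that surprise.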
> diff --git a/distro/systemd/openvpn-server@.service 
> b/distro/systemd/openvpn-server@.service
> index c4c9a12..c8da5fa 100644
> --- a/distro/systemd/openvpn-server@.service
> +++ b/distro/systemd/openvpn-server@.service
> @@ -1,16 +1,18 @@
>  [Unit]
>  Description=OpenVPN service for %I
> -After=syslog.target network.target
> +After=syslog.target network-online.target
> +Wants=network-online.target
>  Documentation=man:openvpn(8)
> -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
> +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>  Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>
>  [Service]
>  PrivateTmp=true
> -Type=forking
> -PIDFile=/var/run/openvpn/server_%i.pid
> -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --status 
> /var/run/openvpn/server_%i-status.log --status-version 2 --config %i.conf 
> --daemon --writepid /var/run/openvpn/server_%i.pid
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
> +RuntimeDirectory=openvpn
> +RuntimeDirectoryMode=0710
> +WorkingDirectory=/etc/openvpn/server
> +ExecStart=/usr/sbin/openvpn --status %t/openvpn/server_%i-status.log 
> --status-version 2 --suppress-timestamps --config %i.conf
> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>  LimitNPROC=10
>  DeviceAllow=/dev/null rw
>  DeviceAllow=/dev/net/tun rw
>
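Review bot: `RuntimeDirectory=openvpn` is the same directory for every client and server instance, and systemd removes a RuntimeDirectory when the unit that declared it stops, so stopping one instance can delete /run/openvpn while another server instance is still writing `%t/openvpn/server_%i-status.log` into it. Please test start/stop with two enabled instances, or give each instance its own directory (RuntimeDirectory= accepts the `%i` specifier, e.g. `RuntimeDirectory=openvpn-%i`) and point `--status` there. The change from CAP_DAC_READ_SEARCH to CAP_DAC_OVERRIDE also widens the bounding set from a read/search bypass to a full DAC bypass including writes; the commit message gives the `--chroot` reason, but the unit itself should carry that as a comment next to CapabilityBoundingSet so the wider capability is not silently kept once chroot() is no longer used.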

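The check a practitioner would want after deploying units like the ones above is that the bounding set a unit declares is what the running openvpn process actually ended up with (for example after a forgotten `systemctl daemon-reload`, or a stale instance started from the old unit). The following Python is an added example and not part of the patch or the reply; it parses `CapabilityBoundingSet=` from a unit file (honouring systemd's trailing-backslash continuation, repeated lines and the `~` remove prefix) and compares it with the `CapBnd:` mask from `/proc/<pid>/status`. The unit text and the status line below are constructed for the example; the status line deliberately still carries CAP_NET_BIND_SERVICE, as a process started from the old client unit would.

```python
"""Compare a systemd unit's CapabilityBoundingSet= with a process's CapBnd mask.

Added example (not OpenVPN project code).  The unit text and /proc status
line at the bottom are constructed test data.
"""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}
BIT_CAPS = {bit: name for name, bit in CAP_BITS.items()}
ALL_CAPS = frozenset(CAP_BITS)


def unit_bounding_set(unit_text):
    """Capabilities left in the bounding set by a unit's CapabilityBoundingSet=
    lines, or None when the unit does not set the option at all.
    A trailing backslash continues a line; repeated lines merge (union, or
    removal when prefixed with ~); an empty assignment resets to no caps."""
    joined = re.sub(r"\\\n", " ", unit_text)
    caps = None
    for line in joined.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        if not value:
            caps = set()
            continue
        invert = value.startswith("~")
        names = set(value.lstrip("~").split())
        unknown = names - ALL_CAPS
        if unknown:
            raise ValueError("unknown capability names: %s" % sorted(unknown))
        if invert:
            caps = (set(ALL_CAPS) if caps is None else caps) - names
        else:
            caps = names if caps is None else caps | names
    return caps


def caps_to_mask(caps):
    """Capability names -> bit mask as the kernel prints it in /proc."""
    mask = 0
    for name in caps:
        mask |= 1 << CAP_BITS[name]
    return mask


def mask_to_caps(mask):
    """Bit mask -> capability names (bits not in the table are ignored)."""
    return {BIT_CAPS[bit] for bit in BIT_CAPS if mask >> bit & 1}


def proc_capbnd(status_text):
    """Parse the CapBnd: line of /proc/<pid>/status into capability names."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return mask_to_caps(int(m.group(1), 16))


def compare(unit_text, status_text):
    """Return (missing, extra): capabilities the unit allows but the process
    lacks, and capabilities the process still has although the unit's
    bounding set excludes them.  Extra caps mean the running process was
    not started under the unit you are looking at."""
    wanted = unit_bounding_set(unit_text)
    actual = proc_capbnd(status_text)
    if wanted is None:
        return set(), actual
    return wanted - actual, actual - wanted


# Constructed sample input: the client unit's bounding set from the patch,
# written with systemd's backslash continuation, and a status line taken
# to represent a process that still carries CAP_NET_BIND_SERVICE.
CLIENT_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID \\
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
"""
PROC_STATUS = "Name:\topenvpn\nCapBnd:\t00000000000474c2\n"

if __name__ == "__main__":
    missing, extra = compare(CLIENT_UNIT, PROC_STATUS)
    print("missing:", sorted(missing))
    print("extra:  ", sorted(extra))
```

On a live host the two inputs come from `systemctl cat openvpn-client@NAME` and `/proc/$(systemctl show -p MainPID --value openvpn-client@NAME)/status`; any name in `extra` is a capability the unit was meant to strip but the process still holds in its bounding set, and a non-empty `missing` usually means the unit on disk has been edited since the process started.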
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
