This comes a bit late, sorry.

On 20/10/2016 23:42, David Sommerseth wrote:
> There are several changes which allow systemd to take care of several
> aspects of hardening the execution of OpenVPN.
>
> - Let systemd take care of the process tracking directly, instead
>   of doing that via PID files
>

This makes sense, but it has one caveat. If there is no pidfile, 
external, local monitoring applications might not be able to monitor the 
status of the OpenVPN process anymore. I, for example, heavily utilize 
monit for its email notification capabilities, and because it can 
actually do things if it detects anomalies.

The last time I checked, there is no easy way to get systemd to notify 
the admin if, say, a daemon goes down and systemd restarts it. Is this 
still the case?


> - Make systemd prepare proper runtime directories for the OpenVPN
>   process.
>
> - Let systemd do the chdir() before starting OpenVPN.  This allows
>   us to avoid using the --cd option when executing openvpn.
>
> - CAP_DAC_OVERRIDE was needed when using --chroot.  Otherwise
>   the root user would not be allowed to access files/directories
>   not owned by root.  This will change in the future, when we
>   find better ways to avoid calling chroot() in OpenVPN and
>   rather let systemd prepare a more isolated namespace.
>
> - Client configurations are now started with --nobind and
>   the OpenVPN client process has lost the CAP_NET_BIND_SERVICE
>   capability which allows binding to port < 1024.
>
> - Documentation URL now points at the OpenVPN 2.4 man page URL
>
> The majority of these changes have been proposed by Elias Probst
> (eliasp) in the GitHub PR #22.
>
> Contribution-by: Elias Probst <m...@eliasprobst.eu>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
>  distro/systemd/openvpn-client@.service | 11 ++++++-----
>  distro/systemd/openvpn-server@.service | 14 ++++++++------
>  2 files changed, 14 insertions(+), 11 deletions(-)
>
> diff --git a/distro/systemd/openvpn-client@.service 
> b/distro/systemd/openvpn-client@.service
> index 56d93a9..051eb47 100644
> --- a/distro/systemd/openvpn-client@.service
> +++ b/distro/systemd/openvpn-client@.service
> @@ -3,15 +3,16 @@ Description=OpenVPN tunnel for %I
>  After=syslog.target network-online.target
>  Wants=network-online.target
>  Documentation=man:openvpn(8)
> -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
> +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>  Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>
>  [Service]
>  PrivateTmp=true
> -Type=forking
> -PIDFile=/var/run/openvpn/client_%i.pid
> -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf 
> --daemon --writepid /var/run/openvpn/client_%i.pid
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
> +RuntimeDirectory=openvpn
> +RuntimeDirectoryMode=0710
> +WorkingDirectory=/etc/openvpn/client
> +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
> CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>  LimitNPROC=10
>  DeviceAllow=/dev/null rw
>  DeviceAllow=/dev/net/tun rw
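Review bot: Dropping `Type=forking` without adding any other `Type=` line leaves this unit at the default `Type=simple`, so systemd treats openvpn as started the moment it is exec'd, before the config is parsed or the tun device exists, and units ordered after this one can no longer rely on the tunnel being up; either add a `Type=` that matches how readiness is actually signalled, or say in the commit message that start-up ordering is now best-effort. Two smaller points on the same `ExecStart=` line: `--suppress-timestamps` is new but not listed among the changes in the commit message, and the hard-coded `--nobind` now applies to every client config started through this template, so a config that deliberately binds a local port will conflict with it; both deserve a sentence in the commit message or the HOWTO. Also note that `RuntimeDirectory=openvpn` is created here although nothing in the client `ExecStart=` references `%t/openvpn`.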
> diff --git a/distro/systemd/openvpn-server@.service 
> b/distro/systemd/openvpn-server@.service
> index c4c9a12..c8da5fa 100644
> --- a/distro/systemd/openvpn-server@.service
> +++ b/distro/systemd/openvpn-server@.service
> @@ -1,16 +1,18 @@
>  [Unit]
>  Description=OpenVPN service for %I
> -After=syslog.target network.target
> +After=syslog.target network-online.target
> +Wants=network-online.target
>  Documentation=man:openvpn(8)
> -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
> +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
>  Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>
>  [Service]
>  PrivateTmp=true
> -Type=forking
> -PIDFile=/var/run/openvpn/server_%i.pid
> -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --status 
> /var/run/openvpn/server_%i-status.log --status-version 2 --config %i.conf 
> --daemon --writepid /var/run/openvpn/server_%i.pid
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
> +RuntimeDirectory=openvpn
> +RuntimeDirectoryMode=0710
> +WorkingDirectory=/etc/openvpn/server
> +ExecStart=/usr/sbin/openvpn --status %t/openvpn/server_%i-status.log 
> --status-version 2 --suppress-timestamps --config %i.conf
> +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>  LimitNPROC=10
>  DeviceAllow=/dev/null rw
>  DeviceAllow=/dev/net/tun rw
>
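Review bot: The new `--status %t/openvpn/server_%i-status.log` places the status file in a directory that `RuntimeDirectory=openvpn` creates with mode 0710 and deletes when the unit stops; since no `User=`/`Group=` is set the directory is root-owned, so any external tool reading the status file has to run as root, and the file vanishes on stop. If that is intended it should be stated in the commit message; otherwise consider a mode such as 0750 together with a `Group=` that monitoring can join, or keep the status file outside the runtime directory as before.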


-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
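The monitoring caveat raised in this reply (no PID file left for an external monitor to watch) can be handled from the process tracking systemd does itself, by reading the unit's `MainPID` and comparing it with the value seen on the previous check. The script below is an added example and is not code from the OpenVPN project or from anyone in this thread; the function names, the state file, the `mail` command and the sample `systemctl show` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN project or from this thread.
# Monitor an openvpn-client@/openvpn-server@ instance through the MainPID that
# systemd tracks, instead of a PID file. The hypothetical classify_unit parses
# the Key=Value lines printed by
#   systemctl show -p ActiveState,SubState,MainPID openvpn-client@NAME.service
# and compares MainPID with the PID recorded at the previous check: a changed
# PID means systemd restarted the daemon in between.

# classify_unit SHOW_OUTPUT LAST_PID -> prints "STATE PID"
#   STATE is one of: running, restarted, down
classify_unit() {
    active=""; sub=""; pid=0
    # Read the Key=Value lines from a here-document so the loop runs in the
    # current shell and the variables survive it.
    while IFS='=' read -r key value; do
        case "$key" in
            ActiveState) active=$value ;;
            SubState)    sub=$value ;;
            MainPID)     pid=$value ;;
        esac
    done <<EOF
$1
EOF
    if [ "$active" != "active" ] || [ "$sub" != "running" ] || [ "${pid:-0}" -eq 0 ]; then
        echo "down 0"
        return 1
    fi
    # A previous PID of 0 means "first check", not a restart.
    if [ "$2" -ne 0 ] && [ "$pid" -ne "$2" ]; then
        echo "restarted $pid"
        return 2
    fi
    echo "running $pid"
    return 0
}

# check_instance TEMPLATE NAME STATEFILE MAILTO: the cron/monit-style wrapper.
# Stores the current MainPID in STATEFILE and mails (assumed: a local "mail"
# command) whenever the state is anything but running. Needs a live systemd,
# so the constructed samples below do not exercise it.
check_instance() {
    unit="$1@$2.service"
    last=$(cat "$3" 2>/dev/null || echo 0)
    show=$(systemctl show -p ActiveState,SubState,MainPID "$unit")
    result=$(classify_unit "$show" "$last")
    state=${result%% *}
    pid=${result##* }
    echo "$pid" > "$3"
    if [ "$state" != running ]; then
        printf 'unit %s is %s (MainPID %s)\n' "$unit" "$state" "$pid" \
            | mail -s "openvpn: $unit $state" "$4"
    fi
}

# Constructed sample outputs, mimicking what systemctl show prints, for
# offline use of classify_unit.
SAMPLE_UP='ActiveState=active
SubState=running
MainPID=4711'
SAMPLE_DOWN='ActiveState=failed
SubState=failed
MainPID=0'
```

Run `check_instance openvpn-client home /var/lib/vpnmon/home.pid admin@example.net` from cron every minute to get the restart and down notifications that monit would otherwise have derived from the PID file; a restart shows up as a PID that differs from the stored one, a crash that exhausts systemd's restart limit shows up as `down`.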

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
