On 29/11/2023 19:50, Colin Ryan wrote:
Folks,
Trying to move my openvpn configuration to fully systemd modified.
I've compiled openvpn with systemd support and fundamentally it works
with the most recent systemd recipes in the style of openvpn@.service.
The systemd unit has this:
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/opt/aa/config/aalan
ExecStart=/opt/aa/sbin/openvpn --suppress-timestamps --config /opt/aa/config/aalan/%i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE \
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUD>
LimitNPROC=20
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=control-group
RestartSec=30s
Restart=always
However, it appears this is not allowing plug-ins to fork properly:
-PLUGIN: Thread creation failed.
If I use a much more primitive unit file from the early days of systemd
usage where the Type=forking was used to essentially just run the daemon
the exact same configuration file works.
As well, an instance without the plugin also works.
I'm assuming it's some CapabilityBoundingSet issue. The daemon starts,
the management console is available, it accepts connection attempts etc., but
when the fork to the plug-in happens it fails.
Thoughts?
Colin
Which distribution do you see this on?
The openvpn@.service unit file has generally been deprecated in the
upstream OpenVPN project for quite some time, due to inconsistent
behaviours across distributions. Many distributions still continue to
ship it, but it is supported by the distribution only.
The OpenVPN project ships openvpn-server@.service and
openvpn-client@.service, which are considered to be a better alternative.
These were introduced with OpenVPN 2.4, which added better systemd
integration so systemd could better understand which runtime status
the OpenVPN process is in. And they add a lot of hardening, depending on
the use case (client or server config).
Can you please try and see if that works better?
--
kind regards,
David Sommerseth
OpenVPN Inc
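A check that neither message spells out, added here as an example and not code from either poster or from the OpenVPN project: before swapping unit files, compare what the running process actually got from systemd. The script below decodes the CapBnd/CapEff masks in /proc/PID/status into capability names and reads the "Max processes" (RLIMIT_NPROC) soft limit, which on Linux counts threads of the same real UID, not just processes. Run it against the instance started from the Type=notify unit and again against the same config started from the older Type=forking unit and diff the output. The unit name openvpn@aalan is assumed for the usage call; the capability-name table follows linux/capability.h bit order.

```sh
#!/bin/sh
# Added example: inspect the capability sets and process limit that a running
# openvpn instance inherited from its systemd unit, to compare a Type=notify
# unit against the older Type=forking unit with the same config.

# Capability names indexed by bit number, in linux/capability.h order.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# cap_names_from_mask HEXMASK -> comma-separated cap_* names for the set bits
# (HEXMASK is the 16-hex-digit value as printed in /proc/PID/status).
cap_names_from_mask() {
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+,}cap_${name}"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# proc_cap_set PID FIELD -> decoded names for CapBnd, CapEff, CapPrm or CapInh
proc_cap_set() {
    pid=$1
    field=$2
    mask=$(awk -v f="$field:" '$1 == f { print $2 }' "/proc/$pid/status")
    [ -n "$mask" ] || return 1
    cap_names_from_mask "$mask"
}

# proc_nproc_limit PID -> soft "Max processes" limit (RLIMIT_NPROC) of the process
# Note: on Linux this limit counts threads of the real UID, not only processes.
proc_nproc_limit() {
    awk '/^Max processes/ { print $3 }' "/proc/$1/limits"
}

# proc_thread_count PID -> number of threads the process currently has
proc_thread_count() {
    awk '/^Threads:/ { print $2 }' "/proc/$1/status"
}

# report_unit UNIT -> print the relevant facts for the unit's MainPID
# Usage: report_unit openvpn@aalan   (instance name assumed for illustration)
report_unit() {
    pid=$(systemctl show -p MainPID --value "$1")
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$1: not running" >&2
        return 1
    fi
    echo "Unit:      $1"
    echo "MainPID:   $pid"
    echo "CapBnd:    $(proc_cap_set "$pid" CapBnd)"
    echo "CapEff:    $(proc_cap_set "$pid" CapEff)"
    echo "NPROC:     $(proc_nproc_limit "$pid")"
    echo "Threads:   $(proc_thread_count "$pid")"
}

# When invoked with unit names, report on each; with no arguments do nothing,
# so the functions can be sourced into another script.
for unit in "$@"; do
    report_unit "$unit"
done
```

Save it as, for example, unit-caps.sh and run `sh unit-caps.sh openvpn@aalan` (or `sh unit-caps.sh openvpn-server@aalan` after switching units); the plugin runs inside the same cgroup and inherits the same bounding set and limits, so the MainPID view is what matters. A field missing from CapBnd that the plugin needs, or a NPROC value close to the Threads count, are the two things to look for.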
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users