Re: [Openvpn-users] OpenVPN Plugins and Systemd

Wed, 13 Dec 2023 11:09:17 -0800 

Just for community knowledge.
Through much trial and error it was concluded from some reason that the LimitNPROC was the culprit even though the plug-in only spawned 3 additional instances of OVPN. Didn't have time to really figure out why. 

PrivateTmp, ProtectHome, ProtectSystem are all fine to use.

Colin

On 2023-11-29 5:00 p.m., David Sommerseth wrote:

On 29/11/2023 19:50, Colin Ryan wrote:

Folks,

Trying to move my openvpn configuration to fully systemd modified.


I've compiled openvpn with systemd support and fundamentally it works 
with the most recent systemd recipe's in the style of openvpn@.service



Systemd until has this:

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/opt/aa/config/aalan

ExecStart=/opt/aa/sbin/openvpn  --suppress-timestamps --config 
/opt/aa/config/aalan/%i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE 
CAP_AUD>

LimitNPROC=20
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=control-group
RestartSec=30s
Restart=always


However it appears this is not allowing plug-ins to fork properly.


-PLUGIN: Thread creation failed.



If I use a much more primitive unit file from the early days of 
systemd usage where the Type=forking was used to essentially just run 
the daemon the exact same configuration file works.


As well instance without plugin also works.


I'm assuming it's some CapabilityBoundingSet issue. The daemon 
starts, management console is available, accepts connections attempts 
etc but when the fork to the plug-in goes it fails.


Thoughts

Colin


Which distribution do you see this on?


The openvpn@.service unit files has generally been deprecated in the 
upstream OpenVPN project for quite some time; due to inconsistent 
behaviors across distributions.  Many distributions still continue to 
ship these, but it is being supported by the distribution only.



The OpenVPN project ships openvpn-server@.service and 
openvpn-client@.service, which is considered to be a better 
alternative.  This was introduced with OpenVPN 2.4, which added better 
systemd integration so systemd could better understand in which 
runtime status the OpenVPN process has.  And it adds a lot of 
hardening, depending on the use case (client or server config).


Can you please try and see if that works better?





_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users






















					Reply via email to