Just for community knowledge.
Through much trial and error it was concluded for some reason that the
LimitNPROC was the culprit even though the plug-in only spawned 3
additional instances of OVPN. Didn't have time to really figure out why.
PrivateTmp, ProtectHome, ProtectSystem are all fine to use.
Colin
On 2023-11-29 5:00 p.m., David Sommerseth wrote:
On 29/11/2023 19:50, Colin Ryan wrote:
Folks,
Trying to move my openvpn configuration to fully systemd modified.
I've compiled openvpn with systemd support and fundamentally it works
with the most recent systemd recipes in the style of openvpn@.service.
Systemd unit has this:
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/opt/aa/config/aalan
ExecStart=/opt/aa/sbin/openvpn --suppress-timestamps --config /opt/aa/config/aalan/%i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE \
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE \
CAP_AUD>
LimitNPROC=20
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=control-group
RestartSec=30s
Restart=always
However, it appears this is not allowing plug-ins to fork properly:
-PLUGIN: Thread creation failed.
If I use a much more primitive unit file from the early days of
systemd usage, where Type=forking was used to essentially just run
the daemon, the exact same configuration file works.
As well, an instance without the plugin also works.
I'm assuming it's some CapabilityBoundingSet issue. The daemon
starts, the management console is available, it accepts connection attempts
etc., but when the fork to the plug-in happens it fails.
Thoughts?
Colin
Which distribution do you see this on?
The openvpn@.service unit file has generally been deprecated in the
upstream OpenVPN project for quite some time, due to inconsistent
behaviors across distributions. Many distributions still continue to
ship it, but it is supported by the distribution only.
The OpenVPN project ships openvpn-server@.service and
openvpn-client@.service, which are considered to be a better
alternative. These were introduced with OpenVPN 2.4, which added better
systemd integration so systemd could better understand which
runtime state the OpenVPN process is in. And it adds a lot of
hardening, depending on the use case (client or server config).
Can you please try and see if that works better?
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
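A diagnostic for the LimitNPROC finding above, added here as an example and not taken from the thread or from the OpenVPN project: RLIMIT_NPROC (what LimitNPROC= sets) is enforced per real UID and counts every task, threads included, so a plug-in's "Thread creation failed" can be the limit rather than a capability. The unit name openvpn-server@aalan and the /proc layout are assumptions; the test feeds the helpers a constructed /proc tree.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the soft RLIMIT_NPROC a
# service runs under with the number of tasks its UID already owns.

# Soft "Max processes" value from the text of /proc/<pid>/limits.
# Line layout: "Max processes  <soft>  <hard>  processes".
nproc_soft_limit() {
  printf '%s\n' "$1" | awk '/^Max processes/ { print $3 }'
}

# Sum of "Threads:" over every <procroot>/<pid>/status whose real UID
# is $2. procroot is /proc on a live system; the test uses a fake tree.
tasks_for_uid() {
  procroot=$1
  uid=$2
  total=0
  for st in "$procroot"/[0-9]*/status; do
    [ -r "$st" ] || continue
    n=$(awk -v want="$uid" '
      $1 == "Uid:"     { ok = ($2 == want) }
      $1 == "Threads:" { th = $2 }
      END { if (ok) print th + 0; else print 0 }' "$st")
    total=$((total + n))
  done
  echo "$total"
}

# Report for a running unit (assumed name: openvpn-server@aalan):
# effective soft limit versus tasks the service UID already uses.
check_unit() {
  pid=$(systemctl show -p MainPID --value "$1")
  [ "$pid" -gt 0 ] 2>/dev/null || { echo "$1: not running"; return 1; }
  uid=$(awk '$1 == "Uid:" { print $2 }' "/proc/$pid/status")
  lim=$(nproc_soft_limit "$(cat "/proc/$pid/limits")")
  used=$(tasks_for_uid /proc "$uid")
  echo "$1: uid=$uid tasks=$used LimitNPROC(soft)=$lim"
}
```

If tasks is close to the soft limit, every pthread_create or fork in the plug-in is one more task against the same UID, which is the failure the thread describes.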