Just for community knowledge.

Through much trial and error it was concluded, for some reason, that LimitNPROC was the culprit, even though the plug-in only spawned 3 additional instances of OVPN. Didn't have time to really figure out why.

PrivateTmp, ProtectHome, ProtectSystem are all fine to use.

Colin

On 2023-11-29 5:00 p.m., David Sommerseth wrote:
On 29/11/2023 19:50, Colin Ryan wrote:
Folks,

Trying to move my openvpn configuration to fully systemd modified.

I've compiled openvpn with systemd support and fundamentally it works with the most recent systemd recipes in the style of openvpn@.service.


The systemd unit has this:

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/opt/aa/config/aalan
ExecStart=/opt/aa/sbin/openvpn --suppress-timestamps --config /opt/aa/config/aalan/%i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUD>
LimitNPROC=20
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=control-group
RestartSec=30s
Restart=always


However it appears this is not allowing plug-ins to fork properly.


-PLUGIN: Thread creation failed.


If I use a much more primitive unit file from the early days of systemd usage, where Type=forking was used to essentially just run the daemon, the exact same configuration file works.

As well, an instance without the plugin also works.

I'm assuming it's some CapabilityBoundingSet issue. The daemon starts, the management console is available, it accepts connection attempts etc., but when the fork to the plug-in happens it fails.

Thoughts?

Colin

Which distribution do you see this on?

The openvpn@.service unit file has generally been deprecated in the upstream OpenVPN project for quite some time, due to inconsistent behaviors across distributions.  Many distributions still continue to ship it, but it is supported by the distribution only.

The OpenVPN project ships openvpn-server@.service and openvpn-client@.service, which are considered to be a better alternative.  These were introduced with OpenVPN 2.4, which added better systemd integration so systemd could better understand which runtime state the OpenVPN process is in.  And they add a lot of hardening, depending on the use case (client or server config).

Can you please try and see if that works better?




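As an added example (not code from this thread, and not OpenVPN project code), the following POSIX shell script audits the setting Colin narrowed the failure down to. LimitNPROC= sets RLIMIT_NPROC, which the kernel accounts per real UID across the whole machine rather than per service: every thread of every process that account owns counts, and once the account is at the limit, pthread_create() and fork() in the service fail with EAGAIN, which a plug-in surfaces as a failed thread creation. The script reads LimitNPROC= and User= from a unit file, counts the tasks the account currently owns from /proc, and reports whether the limit is already exceeded or tight. Whether this is the exact mechanism behind Colin's error cannot be confirmed from the thread (the bounding set is truncated and the OpenVPN config's own user directive is not shown), so the optional account argument, the unit-file path in the usage line and the headroom threshold of 4 are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN project code).
# LimitNPROC= sets RLIMIT_NPROC, which is accounted per real UID across the
# whole machine: every thread of every process that account owns counts, not
# only tasks started by this unit. At the limit, pthread_create()/fork() in the
# service fail with EAGAIN. TasksMax= is the per-service (cgroup-scoped) cap
# that does not couple one unit to everything else running as the same user.

# Print the value(s) of KEY in UNITFILE, whitespace-joined in file order.
unit_get() {  # unit_get UNITFILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tr '\n' ' ' | sed 's/[[:space:]]*$//'
}

# Count tasks (threads) owned by a numeric UID by walking /proc, so it works
# without ps. This is the population RLIMIT_NPROC is checked against.
uid_task_count() {  # uid_task_count UID
    n=0
    for p in /proc/[0-9]*; do
        [ -r "$p/status" ] || continue
        u=$(awk '/^Uid:/ { print $2; exit }' "$p/status")
        [ "$u" = "$1" ] || continue
        for t in "$p"/task/*; do n=$((n + 1)); done
    done
    echo "$n"
}

# Pure verdict on a limit versus the account's current task count:
# 0 = fine, 1 = already exceeded (new threads would get EAGAIN),
# 2 = tight (fewer than HEADROOM tasks left; 4 is an arbitrary threshold).
HEADROOM=4
nproc_verdict() {  # nproc_verdict LIMIT CURRENT_TASKS
    limit=${1%%:*}   # LimitNPROC may be written soft:hard; the soft value is enforced
    cur=$2
    if [ -z "$limit" ] || [ "$limit" = infinity ]; then return 0; fi
    [ "$cur" -ge "$limit" ] && return 1
    [ $((limit - cur)) -lt "$HEADROOM" ] && return 2
    return 0
}

# Audit one unit. ACCOUNT overrides User= for daemons such as OpenVPN that
# drop privileges themselves (its 'user' directive lives in the .conf, not the unit).
audit_unit() {  # audit_unit UNITFILE [ACCOUNT]
    limit=$(unit_get "$1" LimitNPROC); limit=${limit##* }   # last assignment wins
    soft=${limit%%:*}
    user=$(unit_get "$1" User); user=${user##* }
    user=${2:-${user:-root}}
    uid=$(id -u "$user" 2>/dev/null) || { echo "note: unknown account '$user', assuming uid 0" >&2; uid=0; }
    cur=$(uid_task_count "$uid")
    rc=0; nproc_verdict "$soft" "$cur" || rc=$?
    case $rc in
        0) echo "ok:   LimitNPROC=${limit:-unset}, $cur tasks owned by $user (uid $uid)" ;;
        1) echo "FAIL: LimitNPROC=$soft is below the $cur tasks $user already owns; new threads/forks get EAGAIN" ;;
        2) echo "WARN: LimitNPROC=$soft leaves $((soft - cur)) tasks of headroom for $user; prefer TasksMax= for a per-service cap" ;;
    esac
    return $rc
}

# Usage (paths and account are assumptions of this example):
#   sh nproc_audit.sh /etc/systemd/system/openvpn-server@.service nobody
if [ "$#" -gt 0 ]; then audit_unit "$@"; fi
```

Run it against the unit and the account OpenVPN drops to; a FAIL or WARN verdict means the limit is being applied to tasks the unit never started, and TasksMax= is the setting that confines the count to the service's own cgroup.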
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
