A User's perspective:
We run OpenVPN on some 2500 systems in an (unmanned) client-server config
(we're the ones hoping to someday see Gava's client-nat and ftp-nat patches
included). Long ago we came up with a brute force workaround to the
service restart issue -- a script that pings back to a node
On 14/11/16 11:44, David Sommerseth wrote:
> On 12/11/16 16:00, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Nov 11, 2016 at 01:35:57PM +0100, David Sommerseth
>> wrote:
>>> We can of course investigate if we should enable systemd to
>>> restart OpenVPN, at least the server profile, if it dies
>>> une
On 12/11/16 16:00, Gert Doering wrote:
> Hi,
>
> On Fri, Nov 11, 2016 at 01:35:57PM +0100, David Sommerseth wrote:
>> We can of course investigate if we should enable systemd to restart
>> OpenVPN, at least the server profile, if it dies unexpectedly.
>> Currently, I am not fully convinced we want
Hi,
On Fri, Nov 11, 2016 at 01:35:57PM +0100, David Sommerseth wrote:
> We can of course investigate if we should enable systemd to restart
> OpenVPN, at least the server profile, if it dies unexpectedly.
> Currently, I am not fully convinced we want that.
I think this would be useful to have. S
On 11/11/2016 14:35, David Sommerseth wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 11/11/16 13:28, Samuli Seppänen wrote:
>> This comes a bit late, sorry.
>>
>> On 20/10/2016 23:42, David Sommerseth wrote:
>>> There are several changes which allow systemd to take care
On 11/11/16 13:28, Samuli Seppänen wrote:
> This comes a bit late, sorry.
>
> On 20/10/2016 23:42, David Sommerseth wrote:
>> There are several changes which allow systemd to take care of
>> several aspects of hardening the execution of OpenVPN.
On 11/11/16 13:09, debbie10t wrote:
> Hi,
>
> following are the server and client systemd unit files
> which work best for me.
>
>
> Tested on:
> Archlinux - OpenVPN 2.3.13 x86_64-unknown-linux-gnu - systemd 231
> CentOS 7 - OpenVPN 2.3.12 x86_64-redhat-linux-gnu - systemd 219
> Debia
This comes a bit late, sorry.
On 20/10/2016 23:42, David Sommerseth wrote:
> There are several changes which allow systemd to take care of several
> aspects of hardening the execution of OpenVPN.
>
> - Let systemd take care of the process tracking directly, instead
> of doing that via PID
Hi,
following are the server and client systemd unit files
which work best for me.
Tested on:
Archlinux - OpenVPN 2.3.13 x86_64-unknown-linux-gnu - systemd 231
CentOS 7 - OpenVPN 2.3.12 x86_64-redhat-linux-gnu - systemd 219
Debian 8 - OpenVPN 2.3.13 x86_64-pc-linux-gnu - syst
On 10/11/16 02:11, debbie10t wrote:
>
>
> On 20/10/16 21:42, David Sommerseth wrote:
>
>> [Service] PrivateTmp=true +RuntimeDirectory=openvpn
>> +RuntimeDirectoryMode=0710 +WorkingDirectory=/etc/openvpn/server
>> +ExecStart=/usr/sbin/openvpn --sta
On 20/10/16 21:42, David Sommerseth wrote:
> [Service]
> PrivateTmp=true
> +RuntimeDirectory=openvpn
> +RuntimeDirectoryMode=0710
> +WorkingDirectory=/etc/openvpn/server
> +ExecStart=/usr/sbin/openvpn --status %t/openvpn/server_%i-status.log
> --status-version 2 --suppress-timestamps --config
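Review bot: RuntimeDirectoryMode=0710 in the [Service] section gives the unit's group traverse-only access to %t/openvpn, and the --status path server_%i-status.log under it is predictable, so whether group members can read the status file depends entirely on that file's own mode. The visible lines do not say which group is meant to have that access; a comment in the unit naming the group and the reason for 0710 rather than 0700 would make the intent reviewable.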
On 08/11/16 22:02, Alberto Gonzalez Iniesta wrote:
> On Tue, Nov 08, 2016 at 09:27:20PM +0100, David Sommerseth wrote:
>> On 08/11/16 16:40, debbie10t wrote:
>>> Hi,
>>>
>>> I now have these unit files working on all my test VMs.
>>>
>>> The only pro
On Tue, Nov 08, 2016 at 09:27:20PM +0100, David Sommerseth wrote:
> On 08/11/16 16:40, debbie10t wrote:
> > Hi,
> >
> > I now have these unit files working on all my test VMs.
> >
> > The only problem before was that on debian 8 these services failed to
> > start after reboot. (systemctl enable o
On 08/11/16 16:40, debbie10t wrote:
> Hi,
>
> I now have these unit files working on all my test VMs.
>
> The only problem before was that on debian 8 these services failed to
> start after reboot. (systemctl enable openvpn-{client/server}@config
> was enabled) The error message was:
> main proce
Hi,
I now have these unit files working on all my test VMs.
The only problem before was that on debian 8 these services failed to
start after reboot. (systemctl enable openvpn-{client/server}@config
was enabled) The error message was:
main process exited, code=exited, status=233/RUNTIME_DIRECTORY
On 05/11/16 16:07, debbie10t wrote:
>
> I would say that these .service files are likely to temporarily
> break (m)any existing systemd usage until admins change their
> configs. Especially use of --cd
>
I forgot to comment this one.
No existing in
On 05/11/16 16:07, debbie10t wrote:
> Hi,
>
> I have tested these two unit files on Archlinux, CentOS7, Debian8,
> Fedora 24, OpenSuse 42 and Ubuntu 16.04 and they all work. I tested
> for a week, starting, stopping, restarting and rebooting on 1
>
Hi,
I have tested these two unit files on Archlinux, CentOS7, Debian8,
Fedora 24, OpenSuse 42 and Ubuntu 16.04 and they all work.
I tested for a week, starting, stopping, restarting and rebooting on 1
server and 1 client per OS. (And two instances of 2x client and 2x
server)
Notes:
The problems I
There are several changes which allow systemd to take care of several
aspects of hardening the execution of OpenVPN.
- Let systemd take care of the process tracking directly, instead
of doing that via PID files
- Make systemd prepare proper runtime directories for the OpenVPN
process.
- Let
19 matches