Hi Karl,

I found that by using `notify` and `daemon` when running openvpn in server mode, the service does not work entirely as intended or expected (but it has been a while and I do not remember what changed, but iirc the behaviour broke my setup/configuration). My configuration specifies to drop to the nobody user and confines openvpn using apparmor using the following policy:

# vim:syntax=apparmor
#include <tunables/global>

/usr/sbin/openvpn {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability setuid,
  capability setgid,
  capability net_admin,
  capability dac_read_search,
  capability dac_override,

  network packet,
  network raw,

  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,

  /dev/net/tun rw,
  /bin/ip Pixrm,

  /etc/openvpn/ r,
  /etc/openvpn/** rw,
  /run/openvpn/ r,
  /run/openvpn/** rw,

  /{,var/}run/systemd/notify w,

  #include <local/usr.sbin.openvpn>
}

** Changed in: openvpn (Ubuntu)
       Status: Invalid => Opinion

https://bugs.launchpad.net/bugs/1809576

Title:
  18.04 seems to have a broken openvpn server configuration (template)