- Use systemd-rpm macros
- Remove %triggerun for openvpn < 2.2.1 (which is way too old anyhow for newer Fedoras)
- Fixed several issues with installed files
- Fixed ./configure arguments - several of them were outdated or used wrongly
- Removed the deprecated openvpn@.service in favour of the new upstream unit files
- Added README.systemd which describes the new unit files
- Fixed wrong mixing of %doc and %{_pkgdocdir} causing duplication of sample and contrib directories
- Install management-notes.txt, which contains useful information about the OpenVPN management interface commands
- Don't own %{_localstatedir}/run/%{name} ... that's handled by tmpfiles.d/openvpn.conf instead.
- Own /etc/openvpn{,client,server}/

epel8
parent 4daec6fd69
commit a9b2582ae9
@ -0,0 +1,71 @@
OpenVPN and systemd
===================

As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a
fine grained control of each OpenVPN configuration as well as trying to
restrict the capabilities the OpenVPN process have on a system.


Configuration profile types
---------------------------
These new unit files separates between client and server profiles. The
configuration files are kept in separate directories, to provide clarity
of the profile they run under.

Typically the client profile cannot bind to any ports below port 1024
and the client configuration is always started with --nobind.

The server profile is allowed to bind to any ports. In addition it enables
a client status file, usually found in the /run/openvpn-server directory.
The status format is set to version 2 by default. These settings may be
overridden by adding --status and/or --status-version in the OpenVPN
configuration file.

Neither of these profiles makes use of PID files, but OpenVPN reports back to
systemd its PID once it has initialized.

For configuration using a peer-to-peer mode (not using --mode server on one
of the sides) it is recommended to use the client profile.


Configuration files
-------------------
These new unit files expects client configuration files to be made available
in /etc/openvpn/client. Similar for the server configurations, it is expected
to be found in /etc/openvpn/server. The configuration files must have a .conf
file extension.


Managing VPN tunnels
--------------------
Use the normal systemctl tool to start, stop VPN tunnels, as well as enable
and disable tunnels at boot time. The syntax is:

- client configurations:
# systemctl $OPER openvpn-client@$CONFIGNAME

- server configurations:
# systemctl $OPER openvpn-server@$CONFIGNAME

Similarly, to view the OpenVPN journal log use a similar syntax:

# journalctl -u openvpn-client@$CONFIGNAME
or
# journalctl -u openvpn-server@$CONFIGNAME

* Examples
Say your server configuration is /etc/openvpn/server/tun0.conf, you
start this VPN service like this:

# systemctl start openvpn-server@tun0

A client configuration file in /etc/openvpn/client/corpvpn.conf is
started like this:

# systemctl start openvpn-client@corpvpn

To view the server configuration's journal only listing entries from
yesterday and until today:

# journalctl --since yesterday -u openvpn-server@tun0

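Review bot: the "Configuration files" section needs a migration paragraph for users of the openvpn@.service unit this same commit removes; that unit read configurations straight from /etc/openvpn/%i.conf (`--cd /etc/openvpn/ --config %i.conf`), whereas the README now requires them under /etc/openvpn/client or /etc/openvpn/server, so anyone who has done `systemctl enable openvpn@foo` will find their tunnel silently gone after the upgrade. Tell them to move foo.conf into the profile directory that matches it, `systemctl disable openvpn@foo`, then `systemctl enable openvpn-server@foo` (or openvpn-client@foo). Two smaller documentation points in the same hunk: the introduction promises that the units "restrict the capabilities the OpenVPN process have", but the text only ever mentions --nobind and the sub-1024 port limit for the client profile, so name the actual restrictions each profile applies and how to see them (`systemctl show openvpn-server@tun0`) or loosen them with a drop-in; and "usually found in the /run/openvpn-server directory" should give the status file name the unit passes to --status rather than leaving the reader to guess. Style: the bare `$OPER` placeholder would read better as the operations the previous sentence lists (start, stop, enable, disable, restart), and "These new unit files separates"/"expects" should be "separate"/"expect".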
@ -1,12 +0,0 @@
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
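Review bot: deleting this unit outright leaves every existing `systemctl enable openvpn@<name>` as a dangling wants-link after the package upgrade, and nothing in this change handles the transition; at minimum the %changelog and README.systemd should state that openvpn@ instances must be re-enabled as openvpn-client@ or openvpn-server@, and a %post/%posttrans scriptlet that warns about (or lists) enabled openvpn@ instances would be friendlier still. Related cleanup: with `PIDFile=/var/run/openvpn/%i.pid` and `--writepid` gone, and the new README stating that neither profile uses PID files, check whether tmpfiles.d/openvpn.conf (which the commit message says now owns %{_localstatedir}/run/%{name}) still has any reason to create that directory, or whether it can be dropped along with this unit rather than leaving an unused runtime directory behind.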