Cleaning up

- Use systemd-rpm macros
- Remove %triggerun for openvpn < 2.2.1 (which is way too old anyhow
  for newer Fedoras)
- Fixed several issues with installed files
- Fixed ./configure arguments - several of them were outdated or
  used wrong
- Removed the deprecated openvpn@.service in favour of the new
  upstream unit files
- Added README.systemd which describes the new unit files
- Fixed wrong mixing of %doc and %{_pkgdocdir} causing duplication
  of sample and contrib directories
- Install management-notes.txt, which contains useful information
  about the OpenVPN management interface commands
- Don't own %{_localstatedir}/run/%{name} ... that's handled by
  tmpfiles.d/openvpn.conf instead.
- Own /etc/openvpn{,client,server}/
epel8
David Sommerseth 8 years ago
parent 4daec6fd69
commit a9b2582ae9

@ -0,0 +1,71 @@
OpenVPN and systemd
===================
As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a
fine grained control of each OpenVPN configuration as well as trying to
restrict the capabilities the OpenVPN process have on a system.
Configuration profile types
---------------------------
These new unit files separates between client and server profiles. The
configuration files are kept in separate directories, to provide clarity
of the profile they run under.
Typically the client profile cannot bind to any ports below port 1024
and the client configuration is always started with --nobind.
The server profile is allowed to bind to any ports. In addition it enables
a client status file, usually found in the /run/openvpn-server directory.
The status format is set to version 2 by default. These settings may be
overridden by adding --status and/or --status-version in the OpenVPN
configuration file.
Neither of these profiles makes use of PID files, but OpenVPN reports back to
systemd its PID once it has initialized.
For configuration using a peer-to-peer mode (not using --mode server on one
of the sides) it is recommended to use the client profile.
Configuration files
-------------------
These new unit files expects client configuration files to be made available
in /etc/openvpn/client. Similar for the server configurations, it is expected
to be found in /etc/openvpn/server. The configuration files must have a .conf
file extension.
Managing VPN tunnels
--------------------
Use the normal systemctl tool to start, stop VPN tunnels, as well as enable
and disable tunnels at boot time. The syntax is:
- client configurations:
# systemctl $OPER openvpn-client@$CONFIGNAME
- server configurations:
# systemctl $OPER openvpn-server@$CONFIGNAME
Similarly, to view the OpenVPN journal log use a similar syntax:
# journalctl -u openvpn-client@$CONFIGNAME
or
# journalctl -u openvpn-server@$CONFIGNAME
* Examples
Say your server configuration is /etc/openvpn/server/tun0.conf, you
start this VPN service like this:
# systemctl start openvpn-server@tun0
A client configuration file in /etc/openvpn/client/corpvpn.conf is
started like this:
# systemctl start openvpn-client@corpvpn
To view the server configuration's journal only listing entries from
yesterday and until today:
# journalctl --since yesterday -u openvpn-server@tun0
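Review bot: the peer-to-peer advice at the end of "Configuration profile types" (use the client profile when neither side runs --mode server) does not fit the earlier statement that the client profile "is always started with --nobind": in a peer-to-peer pair one side has to accept packets on a fixed local port, which --nobind rules out, so the README should say that the listening peer goes under openvpn-server@ (which "is allowed to bind to any ports") and only the connecting peer under openvpn-client@. Also, the status-file location given as /run/openvpn-server is created nowhere in this change; the spec now leaves the run directory to %{_tmpfilesdir}/%{name}.conf, so please confirm upstream's tmpfiles.d entry provides /run/openvpn-server and /run/openvpn-client, or say so here. Minor grammar: "These new unit files separates" should be "separate", "These new unit files expects" should be "expect", and "Similar for the server configurations" should be "Similarly, server configurations are expected".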

@ -10,18 +10,10 @@ Summary: A full-featured SSL VPN solution
URL: https://community.openvpn.net/ URL: https://community.openvpn.net/
Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
# Sample 2.0 config files
Source2: roadwarrior-server.conf Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf Source3: roadwarrior-client.conf
# Systemd service (deprecated) Source4: README.systemd
Source4: openvpn@.service Patch0: 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
# Don't start openvpn by default.
#Patch0: openvpn-init.patch
#Patch1: openvpn-script-security.patch
#Patch2: openvpn-2.1.1-init.patch
#Patch3: openvpn-2.1.1-initinfo.patch
Patch4: 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
License: GPLv2 License: GPLv2
Group: Applications/Internet Group: Applications/Internet
BuildRequires: systemd-devel BuildRequires: systemd-devel
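Review bot: the one patch that survives the renumbering (Patch0, 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch) deliberately weakens the mbed TLS build; the changelog below describes it as allowing RSA keys down to 1024 bits plus SHA1. It carries no comment saying why it is needed or when it can go, and "Various cleanups" is the only changelog text for this release. Because this is a security downgrade that will outlive the cleanup, put a comment above the Patch0 line, e.g. `# Workaround: re-allow 1024-bit RSA and SHA1 with mbed TLS for existing deployments; remove once those are retired`, ideally with a reference to whatever tracks its removal.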
@ -56,11 +48,7 @@ for compression.
%prep %prep
%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
#%patch0 -p0 %patch0 -p1
#%patch1 -p1
#%patch2 -p0
#%patch3 -p0
%patch4 -p1
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
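Review bot: %prep still does nothing with Source1, the upstream detached signature for the tarball. It is downloaded but never checked, so a substituted tarball would build unnoticed. While the patch lines are being tidied here, verify the archive before %setup, e.g. with the redhat-rpm-config macro `%{gpgverify} --keyring=%{SOURCE5} --signature=%{SOURCE1} --data=%{SOURCE0}`, where SOURCE5 would be a new source holding the upstream release-signing public key (the number and name are only illustrative). If that is not wanted, drop Source1 so the spec does not suggest a verification that is not happening.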
@ -69,24 +57,16 @@ find contrib sample -type f -perm /100 \
-exec chmod a-x {} \; -exec chmod a-x {} \;
%build %build
# --enable-pthread Enable pthread support (Experimental for OpenVPN 2.0)
# --enable-password-save Allow --askpass and --auth-user-pass passwords to be
# read from a file
# --enable-iproute2 Enable support for iproute2
# --with-ifconfig-path=PATH Path to ifconfig tool
# --with-iproute-path=PATH Path to iproute tool
# --with-route-path=PATH Path to route tool
%configure \ %configure \
--enable-iproute2 \ --enable-iproute2 \
--with-iproute-path=/sbin/ip \
--enable-plugins \
--enable-plugin-down-root \
--enable-plugin-auth-pam \
--with-crypto-library=mbedtls \ --with-crypto-library=mbedtls \
--enable-selinux \
--enable-systemd \ --enable-systemd \
--docdir=%{_pkgdocdir} \ --docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \ SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir} TMPFILES_DIR=%{_tmpfilesdir} \
IPROUTE=/sbin/ip
# --enable-pkcs11 \
%{__make} %{__make}
#%check #%check
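Review bot: the rewritten %configure invocation drops --enable-selinux, --enable-plugins, --enable-plugin-down-root and --enable-plugin-auth-pam without recording which of them are defaults in 2.4 and which are no longer recognised; the commit message only says several were "outdated or used wrong". --enable-selinux is the switch behind --setcon, so if it is still accepted and the build silently loses it, the packaged binary loses a hardening option, and %files below still ships %{_libdir}/%{name}/, which is where the down-root and auth-pam plugins would land. Please either keep the options explicitly or add a comment above %configure stating that they are now defaults, and check the configure summary in the build log for the SELinux and plugin settings so the change is verified rather than assumed.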
@ -119,29 +99,15 @@ find contrib sample -type f -perm /100 \
# %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server # %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
%install %install
#install -D -m 0644 doc/%{name}.8 $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8
#install -D -m 0755 src/openvpn/%{name} $RPM_BUILD_ROOT%{_sbindir}/%{name}
mkdir -p %{buildroot}%{_unitdir}
install -D -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/
rm -rf %{buildroot}%{_initrddir}
install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}
#mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}
#cp -pR easy-rsa $RPM_BUILD_ROOT%{_datadir}/%{name}/
#rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}/easy-rsa/Windows
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
%{__make} install DESTDIR=$RPM_BUILD_ROOT %{__make} install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
# Package installs into %%{_pkgdocdir} directly # Package installs into %%{_pkgdocdir} directly
# Add further files # Add further files
cp -a AUTHORS PORTS INSTALL contrib sample $RPM_BUILD_ROOT%{_pkgdocdir} cp -a AUTHORS contrib sample %{SOURCE4} $RPM_BUILD_ROOT%{_pkgdocdir}
# tmpfiles.d
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0710 %{buildroot}%{_localstatedir}/run/%{name}/
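Review bot: with `install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}` removed, %{_sysconfdir}/%{name} itself is now created implicitly by `mkdir -p -m 0750 ... /client ... /server` (the -m applies only to the two leaf directories), so its mode depends on the build umask, and the %files entries below carry no %attr for any of the three directories. Set owner and mode explicitly in %files, e.g. `%attr(0750,root,openvpn) %dir %{_sysconfdir}/%{name}/client` (or plain root:root if the daemon only reads configuration as root; the spec does not show which), so the result does not vary with the build environment. Also, `cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/` now runs after `make install`, so it only feeds the later `cp -a ... sample` into %{_pkgdocdir}; a one-line comment saying so would save the next reader a question.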
%pre %pre
getent group openvpn &>/dev/null || groupadd -r openvpn getent group openvpn &>/dev/null || groupadd -r openvpn
@ -150,54 +116,42 @@ getent passwd openvpn &>/dev/null || \
-d /etc/openvpn openvpn -d /etc/openvpn openvpn
%post %post
if [ $1 -eq 1 ] ; then %systemd_post openvpn-client@\*.service
# Initial installation %systemd_post openvpn-server@\*.service
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
%preun %preun
if [ $1 -eq 0 ] ; then %systemd_preun openvpn-client@\*.service
# Package removal, not upgrade %systemd_preun openvpn-server@\*.service
/bin/systemctl --no-reload disable openvpn.service > /dev/null 2>&1 || :
/bin/systemctl stop openvpn.service > /dev/null 2>&1 || :
fi
%postun %postun
/bin/systemctl daemon-reload >/dev/null 2>&1 || : %systemd_postun openvpn-client@\*.service
# Normally, we'd try a restart here, but in this case, it could be troublesome. %systemd_postun openvpn-server@\*.service
%triggerun -- openvpn < 2.2.1-2
# Save the current service runlevel info
# User must manually run systemd-sysv-convert --apply openvpn
# to migrate them to systemd targets
/usr/bin/systemd-sysv-convert --save openvpn >/dev/null 2>&1 ||:
# Run these because the SysV package being removed won't do them
/sbin/chkconfig --del openvpn >/dev/null 2>&1 || :
/bin/systemctl try-restart openvpn.service >/dev/null 2>&1 || :
%files %files
%{_pkgdocdir} %{_pkgdocdir}
%exclude %{_pkgdocdir}/README.IPv6 %exclude %{_pkgdocdir}/README.IPv6
%exclude %{_pkgdocdir}/README.polarssl %exclude %{_pkgdocdir}/README.polarssl
%exclude %{_pkgdocdir}/management-notes.txt
%doc contrib sample
%{_mandir}/man8/%{name}.8* %{_mandir}/man8/%{name}.8*
%{_sbindir}/%{name} %{_sbindir}/%{name}
#%{_datadir}/%{name}/
%{_includedir}/openvpn-plugin.h %{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h %{_includedir}/openvpn-msg.h
%{_libdir}/%{name}/ %{_libdir}/%{name}/
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}-client@.service %{_unitdir}/%{name}-client@.service
%{_unitdir}/%{name}-server@.service %{_unitdir}/%{name}-server@.service
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%attr(0710,root,openvpn) %dir %{_localstatedir}/run/%{name}/
%config %dir %{_sysconfdir}/%{name}/ %config %dir %{_sysconfdir}/%{name}/
%config %dir %{_sysconfdir}/%{name}/client
%config %dir %{_sysconfdir}/%{name}/server
%changelog %changelog
* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
- Various cleanups
- Use systemd-rpm macros (rhbz #850257)
- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service
- Added README.systemd describing new systemd unit files
* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1 * Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
- Updating to upstream release, v2.4.1 - Updating to upstream release, v2.4.1
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1 - Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
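Review bot: the upgrade path for existing users of the removed openvpn@.service is not handled. %{_unitdir}/%{name}@.service leaves %files, but the new %preun/%postun only touch openvpn-client@\*.service and openvpn-server@\*.service, and the old `systemctl --no-reload disable openvpn.service` / `systemctl stop openvpn.service` lines are gone, so an enabled openvpn@foo.service keeps running with a unit file that no longer exists, its multi-user.target.wants symlink is left dangling, and nothing tells the admin to re-enable under the new name. Add a %post or %posttrans step (or a %triggerun on the previous release) that disables openvpn@\*.service instances, and spell the migration out in the changelog entry, which currently only says the unit was "Replaced by openvpn-{client,server}@.service". Separately, `%config %dir` on %{_sysconfdir}/%{name}/client and /server: %config has no effect on a directory, plain `%dir` is enough.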

@ -1,12 +0,0 @@
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
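Review bot: the deleted unit ran `--cd /etc/openvpn/ --config %i.conf`, so every existing deployment keeps its configurations directly as /etc/openvpn/NAME.conf, whereas the replacement units, per the README added in this commit, only look in /etc/openvpn/client/ and /etc/openvpn/server/. Nothing in the package moves those files or warns about them, so old tunnels silently stop being started after the upgrade. At minimum README.systemd and the changelog should carry an explicit migration note (move NAME.conf into client/ or server/, then `systemctl enable openvpn-server@NAME` or the client equivalent); a %posttrans warning would be better. The old unit also had PrivateTmp=true and a PIDFile-driven Type=forking; the README says the new units report the PID to systemd instead, which is the right direction, but the README's claim that the new units restrict the process's capabilities cannot be checked from this commit because the upstream unit files are not part of it.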