diff options
author | Bernhard Schmidt <berni@debian.org> | 2018-03-04 22:22:32 +0100 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2018-03-04 22:22:32 +0100 |
commit | cf55ab99392458e723c7ebcc32c19bbd225b1f4b (patch) | |
tree | b895b41b7629c9a31de5cc15e7aa7805ddac87ce /distro/systemd | |
parent | 9683f890944ffb114f5f8214f694e0b339cf5a5a (diff) |
New upstream version 2.4.5
Diffstat (limited to 'distro/systemd')
-rw-r--r-- | distro/systemd/Makefile.am | 4 | ||||
-rw-r--r-- | distro/systemd/Makefile.in | 60 | ||||
-rw-r--r-- | distro/systemd/README.systemd | 70 | ||||
-rw-r--r-- | distro/systemd/openvpn-client@.service.in | 1 | ||||
-rw-r--r-- | distro/systemd/openvpn-server@.service.in | 3 |
5 files changed, 122 insertions, 16 deletions
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am index 1e3f3ea..69e1269 100644 --- a/distro/systemd/Makefile.am +++ b/distro/systemd/Makefile.am @@ -5,7 +5,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2017 OpenVPN Technologies, Inc. <sales@openvpn.net> +# Copyright (C) 2017-2018 OpenVPN Inc <sales@openvpn.net> # %.service: %.service.in Makefile @@ -23,6 +23,8 @@ systemdunit_DATA = \ openvpn-server@.service tmpfiles_DATA = \ tmpfiles-openvpn.conf +dist_doc_DATA = \ + README.systemd install-data-hook: mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf diff --git a/distro/systemd/Makefile.in b/distro/systemd/Makefile.in index 27b390e..8e641aa 100644 --- a/distro/systemd/Makefile.in +++ b/distro/systemd/Makefile.in @@ -21,7 +21,7 @@ # packet encryption, packet authentication, and # packet compression. # -# Copyright (C) 2017 OpenVPN Technologies, Inc. <sales@openvpn.net> +# Copyright (C) 2017-2018 OpenVPN Inc <sales@openvpn.net> # VPATH = @srcdir@ @@ -109,7 +109,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_doc_DATA_DIST) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h @@ -134,6 +135,7 @@ am__can_run_installinfo = \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +am__dist_doc_DATA_DIST = README.systemd am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -161,9 +163,9 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(systemdunitdir)" \ +am__installdirs = "$(DESTDIR)$(docdir)" "$(DESTDIR)$(systemdunitdir)" \ "$(DESTDIR)$(tmpfilesdir)" -DATA = $(systemdunit_DATA) $(tmpfiles_DATA) +DATA = $(dist_doc_DATA) $(systemdunit_DATA) $(tmpfiles_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -335,6 +337,7 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sampledir = @sampledir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -358,6 +361,9 @@ EXTRA_DIST = \ @ENABLE_SYSTEMD_TRUE@tmpfiles_DATA = \ @ENABLE_SYSTEMD_TRUE@ tmpfiles-openvpn.conf +@ENABLE_SYSTEMD_TRUE@dist_doc_DATA = \ +@ENABLE_SYSTEMD_TRUE@ README.systemd + MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in @@ -399,6 +405,27 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs +install-dist_docDATA: $(dist_doc_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ + done + +uninstall-dist_docDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) install-systemdunitDATA: $(systemdunit_DATA) @$(NORMAL_INSTALL) @list='$(systemdunit_DATA)'; test -n "$(systemdunitdir)" || list=; \ @@ -482,7 +509,7 @@ check-am: all-am check: check-am all-am: Makefile $(DATA) installdirs: - for dir in "$(DESTDIR)$(systemdunitdir)" "$(DESTDIR)$(tmpfilesdir)"; do \ + for dir in "$(DESTDIR)$(docdir)" "$(DESTDIR)$(systemdunitdir)" "$(DESTDIR)$(tmpfilesdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -537,7 +564,8 @@ info: info-am info-am: -install-data-am: install-systemdunitDATA install-tmpfilesDATA +install-data-am: install-dist_docDATA install-systemdunitDATA \ + install-tmpfilesDATA @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-dvi: install-dvi-am @@ -582,7 +610,8 @@ ps: ps-am ps-am: -uninstall-am: uninstall-systemdunitDATA uninstall-tmpfilesDATA +uninstall-am: uninstall-dist_docDATA uninstall-systemdunitDATA \ + uninstall-tmpfilesDATA .MAKE: install-am install-data-am install-strip @@ -590,14 +619,15 @@ uninstall-am: uninstall-systemdunitDATA uninstall-tmpfilesDATA cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am \ - install-data-hook install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip install-systemdunitDATA \ - install-tmpfilesDATA installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags-am uninstall uninstall-am uninstall-systemdunitDATA \ + install-data-hook install-dist_docDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip install-systemdunitDATA install-tmpfilesDATA \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-dist_docDATA uninstall-systemdunitDATA \ uninstall-tmpfilesDATA .PRECIOUS: Makefile diff --git a/distro/systemd/README.systemd b/distro/systemd/README.systemd new file mode 100644 index 0000000..a193a87 --- /dev/null +++ b/distro/systemd/README.systemd @@ -0,0 +1,70 @@ +OpenVPN and systemd +=================== + +As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a +fine grained control of each OpenVPN configuration as well as trying to +restrict the capabilities the OpenVPN process have on a system. + + +Configuration profile types +--------------------------- +These new unit files separates between client and server profiles. The +configuration files are kept in separate directories, to provide clarity +of the profile they run under. + +Typically the client profile cannot bind to any ports below port 1024 +and the client configuration is always started with --nobind. + +The server profile is allowed to bind to any ports. In addition it enables +a client status file, usually found in the /run/openvpn-server directory. +The status format is set to version 2 by default. These settings may be +overridden by adding --status and/or --status-version in the OpenVPN +configuration file. + +Neither of these profiles makes use of PID files, but OpenVPN reports back to +systemd its PID once it has initialized. + +For configuration using a peer-to-peer mode (not using --mode server on one +of the sides) it is recommended to use the client profile. + + +Configuration files +------------------- +These new unit files expects client configuration files to be made available +in /etc/openvpn/client. Similar for the server configurations, it is expected +to be found in /etc/openvpn/server. The configuration files must have a .conf +file extension. + + +Managing VPN tunnels +-------------------- +Use the normal systemctl tool to start, stop VPN tunnels, as well as enable +and disable tunnels at boot time. The syntax is: + + - client configurations: + # systemctl $OPER openvpn-client@$CONFIGNAME + + - server configurations: + # systemctl $OPER openvpn-server@$CONFIGNAME + +Similarly, to view the OpenVPN journal log use a similar syntax: + + # journalctl -u openvpn-client@$CONFIGNAME + or + # journalctl -u openvpn-server@$CONFIGNAME + +* Examples + Say your server configuration is /etc/openvpn/server/tun0.conf, you + start this VPN service like this: + + # systemctl start openvpn-server@tun0 + + A client configuration file in /etc/openvpn/client/corpvpn.conf is + started like this: + + # systemctl start openvpn-client@corpvpn + + To view the server configuration's journal only listing entries from + yesterday and until today: + + # journalctl --since yesterday -u openvpn-server@tun0 diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in index 49e3f51..cbcef65 100644 --- a/distro/systemd/openvpn-client@.service.in +++ b/distro/systemd/openvpn-client@.service.in @@ -17,6 +17,7 @@ DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true ProtectHome=true +KillMode=process [Install] WantedBy=multi-user.target diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index 9a8a2c7..a8366a0 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -17,6 +17,9 @@ DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true ProtectHome=true +KillMode=process +RestartSec=5s +Restart=on-failure [Install] WantedBy=multi-user.target |