Diffstat (limited to 'distro/systemd')
-rw-r--r--distro/systemd/Makefile.am4
-rw-r--r--distro/systemd/Makefile.in89
-rw-r--r--distro/systemd/README.systemd70
-rw-r--r--distro/systemd/openvpn-server@.service.in2
4 files changed, 141 insertions, 24 deletions
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
index 1e3f3ea..69e1269 100644
--- a/distro/systemd/Makefile.am
+++ b/distro/systemd/Makefile.am
@@ -5,7 +5,7 @@
# packet encryption, packet authentication, and
# packet compression.
#
-# Copyright (C) 2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2017-2018 OpenVPN Inc <sales@openvpn.net>
#
%.service: %.service.in Makefile
@@ -23,6 +23,8 @@ systemdunit_DATA = \
openvpn-server@.service
tmpfiles_DATA = \
tmpfiles-openvpn.conf
+dist_doc_DATA = \
+ README.systemd
install-data-hook:
mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf
diff --git a/distro/systemd/Makefile.in b/distro/systemd/Makefile.in
index 57e82c2..0458aa3 100644
--- a/distro/systemd/Makefile.in
+++ b/distro/systemd/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -21,11 +21,21 @@
# packet encryption, packet authentication, and
# packet compression.
#
-# Copyright (C) 2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+# Copyright (C) 2017-2018 OpenVPN Inc <sales@openvpn.net>
#
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -89,7 +99,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = distro/systemd
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -100,6 +109,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_doc_DATA_DIST) \
+ $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -124,6 +135,7 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
+am__dist_doc_DATA_DIST = README.systemd
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -151,10 +163,11 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
-am__installdirs = "$(DESTDIR)$(systemdunitdir)" \
+am__installdirs = "$(DESTDIR)$(docdir)" "$(DESTDIR)$(systemdunitdir)" \
"$(DESTDIR)$(tmpfilesdir)"
-DATA = $(systemdunit_DATA) $(tmpfiles_DATA)
+DATA = $(dist_doc_DATA) $(systemdunit_DATA) $(tmpfiles_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -203,6 +216,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -346,6 +360,9 @@ EXTRA_DIST = \
@ENABLE_SYSTEMD_TRUE@tmpfiles_DATA = \
@ENABLE_SYSTEMD_TRUE@ tmpfiles-openvpn.conf
+@ENABLE_SYSTEMD_TRUE@dist_doc_DATA = \
+@ENABLE_SYSTEMD_TRUE@ README.systemd
+
MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
@@ -364,14 +381,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign distro/systemd/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign distro/systemd/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
@@ -388,6 +404,27 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
+install-dist_docDATA: $(dist_doc_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
+ done
+
+uninstall-dist_docDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
install-systemdunitDATA: $(systemdunit_DATA)
@$(NORMAL_INSTALL)
@list='$(systemdunit_DATA)'; test -n "$(systemdunitdir)" || list=; \
@@ -437,7 +474,10 @@ ctags CTAGS:
cscope cscopelist:
-distdir: $(DISTFILES)
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -471,7 +511,7 @@ check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
- for dir in "$(DESTDIR)$(systemdunitdir)" "$(DESTDIR)$(tmpfilesdir)"; do \
+ for dir in "$(DESTDIR)$(docdir)" "$(DESTDIR)$(systemdunitdir)" "$(DESTDIR)$(tmpfilesdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -526,7 +566,8 @@ info: info-am
info-am:
-install-data-am: install-systemdunitDATA install-tmpfilesDATA
+install-data-am: install-dist_docDATA install-systemdunitDATA \
+ install-tmpfilesDATA
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-am
@@ -571,7 +612,8 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-systemdunitDATA uninstall-tmpfilesDATA
+uninstall-am: uninstall-dist_docDATA uninstall-systemdunitDATA \
+ uninstall-tmpfilesDATA
.MAKE: install-am install-data-am install-strip
@@ -579,16 +621,19 @@ uninstall-am: uninstall-systemdunitDATA uninstall-tmpfilesDATA
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
- install-data-hook install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-man install-pdf install-pdf-am \
- install-ps install-ps-am install-strip install-systemdunitDATA \
- install-tmpfilesDATA installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags-am uninstall uninstall-am uninstall-systemdunitDATA \
+ install-data-hook install-dist_docDATA install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-strip install-systemdunitDATA install-tmpfilesDATA \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
+ uninstall-am uninstall-dist_docDATA uninstall-systemdunitDATA \
uninstall-tmpfilesDATA
+.PRECIOUS: Makefile
+
%.service: %.service.in Makefile
$(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
diff --git a/distro/systemd/README.systemd b/distro/systemd/README.systemd
new file mode 100644
index 0000000..a193a87
--- /dev/null
+++ b/distro/systemd/README.systemd
@@ -0,0 +1,70 @@
+OpenVPN and systemd
+===================
+
+As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a
+fine grained control of each OpenVPN configuration as well as trying to
+restrict the capabilities the OpenVPN process have on a system.
+
+
+Configuration profile types
+---------------------------
+These new unit files separates between client and server profiles. The
+configuration files are kept in separate directories, to provide clarity
+of the profile they run under.
+
+Typically the client profile cannot bind to any ports below port 1024
+and the client configuration is always started with --nobind.
+
+The server profile is allowed to bind to any ports. In addition it enables
+a client status file, usually found in the /run/openvpn-server directory.
+The status format is set to version 2 by default. These settings may be
+overridden by adding --status and/or --status-version in the OpenVPN
+configuration file.
+
+Neither of these profiles makes use of PID files, but OpenVPN reports back to
+systemd its PID once it has initialized.
+
+For configuration using a peer-to-peer mode (not using --mode server on one
+of the sides) it is recommended to use the client profile.
+
+
+Configuration files
+-------------------
+These new unit files expects client configuration files to be made available
+in /etc/openvpn/client. Similar for the server configurations, it is expected
+to be found in /etc/openvpn/server. The configuration files must have a .conf
+file extension.
+
+
+Managing VPN tunnels
+--------------------
+Use the normal systemctl tool to start, stop VPN tunnels, as well as enable
+and disable tunnels at boot time. The syntax is:
+
+ - client configurations:
+ # systemctl $OPER openvpn-client@$CONFIGNAME
+
+ - server configurations:
+ # systemctl $OPER openvpn-server@$CONFIGNAME
+
+Similarly, to view the OpenVPN journal log use a similar syntax:
+
+ # journalctl -u openvpn-client@$CONFIGNAME
+ or
+ # journalctl -u openvpn-server@$CONFIGNAME
+
+* Examples
+ Say your server configuration is /etc/openvpn/server/tun0.conf, you
+ start this VPN service like this:
+
+ # systemctl start openvpn-server@tun0
+
+ A client configuration file in /etc/openvpn/client/corpvpn.conf is
+ started like this:
+
+ # systemctl start openvpn-client@corpvpn
+
+ To view the server configuration's journal only listing entries from
+ yesterday and until today:
+
+ # journalctl --since yesterday -u openvpn-server@tun0
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index a8366a0..d1cc72c 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -11,7 +11,7 @@ Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
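Review bot: The new `CapabilityBoundingSet=` line adds `CAP_AUDIT_WRITE` without anything in the unit file recording which code path needs it, so a later hardening review cannot tell whether it is safe to drop. I would put a comment directly above the line, for example `# CAP_AUDIT_WRITE: presumably needed by PAM-based auth plugins that write kernel audit records - confirm`, and list the capabilities and their reasons in README.systemd, which this same commit adds and which already says the units restrict capabilities. Because this is a template unit, the wider bounding set applies to every `openvpn-server@` instance, including ones that load no such plugin; the README could mention that those deployments can narrow the set again in a drop-in. Only the server unit is visible in this diff, so it is worth checking whether the client unit should get the same change or whether the difference is deliberate.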