systemd: Reworked the systemd unit file to handle server and client configs better

Systemd can delay starting a service if the network isn't fully available
yet.  This feature is useful in client configurations, where OpenVPN will
not be started before the client can reach the Internet.  It is the network
service manager which tells systemd if the system is "online" or not.

For server configurations, the OpenVPN should be able to be started,
regardless if the system is "online" or not.  This is also the old
behaviour of most of the old init.d script and the last systemd unit file.

This patch splits the previous systemd unit file into to two files.  One
which is aimed at clients (openvpn-client@.service) and one for server
configurations (openvpn-server@.service).  These files will also pick
the configurations from different sub-directories.  The unit file for
openvpn-client@ will use /etc/openvpn/client and the server unit file
will use /etc/openvpn/server.  This also ensures that config files
are not started in the wrong manner.

The arguments given to the openvpn binary have also shifted order,
to ensure that some of them cannot be overridden by the config file,
such as --daemon and --writepid.  For server configurations a
--status file is also added with the status format set to 2.  This
can be overridden by the configuration file.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9222
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/distro/systemd/openvpn@.service b/distro/systemd/openvpn-client@.service
similarity index 68%
rename from distro/systemd/openvpn@.service
rename to distro/systemd/openvpn-client@.service
index 7cd36c3671f8e681df45f100f8478f5091b6ebc0..56d93a932e6715acc1890a949c6edf8f670d41bb 100644 (file)
--- a/distro/systemd/openvpn@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=OpenVPN tunnel for %I
-After=syslog.target network.target
+After=syslog.target network-online.target
+Wants=network-online.target
 Documentation=man:openvpn(8)
 Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
@@ -8,8 +9,8 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 PrivateTmp=true
 Type=forking
-PIDFile=/var/run/openvpn/%i.pid
-ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+PIDFile=/var/run/openvpn/client_%i.pid
+ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf --daemon --writepid /var/run/openvpn/client_%i.pid
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
 LimitNPROC=10
 DeviceAllow=/dev/null rw

diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service
new file mode 100644 (file)
index 0000000..c4c9a12
--- /dev/null
+++ b/distro/systemd/openvpn-server@.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenVPN service for %I
+After=syslog.target network.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/server_%i.pid
+ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --status /var/run/openvpn/server_%i-status.log --status-version 2 --config %i.conf --daemon --writepid /var/run/openvpn/server_%i.pid
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target