systemd: Ensure systemd shuts down OpenVPN in a proper way

By default, when systemd is stopping OpenVPN it will send the SIGTERM
to all processes within the same process control-group.  This can come
as a surprise to plug-ins which may have fork()ed out child processes.

So we tell systemd to only send the SIGTERM signal to the main OpenVPN
process and let OpenVPN take care of the shutdown process on its own.

If the main OpenVPN process does not stop within 90 seconds (unless
changed), it will send SIGKILL to all remaining processes within
the same process control-group.

This issue have been reported in both Debian and Fedora.

Trac: 581
Message-Id: <20170906234705.26202-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
[DS: Applied lazy-ack policy]
(cherry picked from commit 29446a18e1f2b52d20f359253b085e96fe458367)

diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
index 49e3f51cc5493f6fe72aeeaf76706f93640ab496..cbcef6533c34e8969c321893c9e354f9c7d1a010 100644 (file)
--- a/distro/systemd/openvpn-client@.service.in
+++ b/distro/systemd/openvpn-client@.service.in
@@ -17,6 +17,7 @@ DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
 ProtectSystem=true
 ProtectHome=true
+KillMode=process
 
 [Install]
 WantedBy=multi-user.target

diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index 9a8a2c730c2e73adfb97431a8a4663968ecce921..b343868a9250e1c8211e324609402bfe05931abe 100644 (file)
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -17,6 +17,7 @@ DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
 ProtectSystem=true
 ProtectHome=true
+KillMode=process
 
 [Install]
 WantedBy=multi-user.target