systemd: Improve the systemd unit files

There are several changes which allows systemd to take care of several
aspects of hardening the execution of OpenVPN.

- Let systemd take care of the process tracking directly, instead
  of doing that via PID files

- Make systemd prepare proper runtime directories for the OpenVPN
  process.

- Let systemd do the chdir() before starting OpenVPN.  This allows
  us to avoid using the --cd option when executing openvpn.

- CAP_DAC_OVERRIDE was needed when using --chroot.  Otherwise
  the root user would not be allowed to access files/directories
  not owned by root.  This will change in the future, when we
  find better ways to avoid calling chroot() in OpenVPN and
  rather let systemd prepare a more isolated namespace.

- Client configurations are now started with --nobind and
  the OpenVPN client process have lost the CAP_NET_BIND_SERVICE
  capability which allows binding to port < 1024.

- Documentation URL now points at the OpenVPN 2.4 man page URL

The majority of these changes have been proposed by Elias Probst
(eliasp) in the GitHub PR #22.

v3 - Add ExecPreStart= to check if OpenVPN configuration contains
     'daemon'. That can break the process tracking as we now use
     Type=simple (default)

v2 - Change RuntimeDirectory= to a profile specific (client, server)
     directory to avoid clashing with older distro unit files

Commit note: As this is not a critical security change, we apply this
             without any formal ACKs.  It has been thoroghly tested by
             several users.  See mailing list for details.

Contribution-by: Elias Probst <mail@eliasprobst.eu>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html

diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service
index 56d93a932e6715acc1890a949c6edf8f670d41bb..18b84dd1c9aefcc08ec24fed4cb06f8d74c0f444 100644 (file)
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -3,15 +3,17 @@ Description=OpenVPN tunnel for %I
 After=syslog.target network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
 PrivateTmp=true
-Type=forking
-PIDFile=/var/run/openvpn/client_%i.pid
-ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf --daemon --writepid /var/run/openvpn/client_%i.pid
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1'
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw

diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service
index c4c9a1233d389c322aa83bc267fead55c24a8977..a2b7b52b85b65cbed9e127c78d5a3cf6b7ab41e3 100644 (file)
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -1,16 +1,19 @@
 [Unit]
 Description=OpenVPN service for %I
-After=syslog.target network.target
+After=syslog.target network-online.target
+Wants=network-online.target
 Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
 PrivateTmp=true
-Type=forking
-PIDFile=/var/run/openvpn/server_%i.pid
-ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --status /var/run/openvpn/server_%i-status.log --status-version 2 --config %i.conf --daemon --writepid /var/run/openvpn/server_%i.pid
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+RuntimeDirectory=openvpn-server
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/server
+ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1'
+ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw