git.ipfire.org Git - thirdparty/openvpn.git/commitdiff
Add systemd unit file for OpenVPN
author David Sommerseth <davids@redhat.com>
Thu, 18 Sep 2014 08:57:53 +0000 (10:57 +0200)
committer David Sommerseth <davids@redhat.com>
Thu, 16 Oct 2014 15:08:18 +0000 (17:08 +0200)
This is to encourage all Linux distributions to use a unified systemd
unit file.

This unit file also tries to reduce the capabilities of the running
openvpn process.

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9043
(cherry picked from commit 8a4566ce4f01a434ac9ea841eae74330368398a0)

distro/systemd/openvpn@.service [new file with mode: 0644]

diff --git a/distro/systemd/openvpn@.service b/distro/systemd/openvpn@.service
new file mode 100644 (file)
index 0000000..7cd36c3
--- /dev/null
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
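
Review bot: LimitNPROC=10 in [Service] sets RLIMIT_NPROC, which the kernel counts per real UID and not per unit, so with a template unit every openvpn@ instance whose config drops to the same unprivileged user (the bounding set keeps CAP_SETUID and CAP_SETGID for that) shares a single budget of 10 processes, and a script or plugin that forks after the drop can fail with EAGAIN. Consider a higher limit, or a comment next to it stating the assumption about how many instances and helper processes run under one user. Separately, PIDFile= and --writepid both point at /var/run/openvpn/%i.pid, but nothing in this patch creates /var/run/openvpn; since /var/run is normally a tmpfs on systemd systems, add RuntimeDirectory=openvpn or ship a tmpfiles.d snippet alongside the unit. A short comment on why CAP_DAC_READ_SEARCH is in CapabilityBoundingSet would also help, because it bypasses file read and directory search permission checks and its purpose is not obvious from the ExecStart line.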