From: Frank Lichtenheld Date: Fri, 13 Mar 2026 22:38:28 +0000 (+0100) Subject: systemd: Change LimitNPROC to TasksMax and increase limit X-Git-Tag: v2.7.1~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a156abb4b40dee63174fd45fe66e4591409b497;p=thirdparty%2Fopenvpn.git systemd: Change LimitNPROC to TasksMax and increase limit There were some complaints about valid setups that ran into problems with LimitNPROC. This is especially true since LimitNPROC limits the total amounts of threads running for the same uid, so if multiple openvpn services run under the same user, they will compete for resources. As suggested in the systemd documentation change this to TasksMax which really counts the threads running in one specific service. Also increase the limit. When using e.g. resolvconf for DNS configuration the limit can be exhausted just due to the amount of nested shell scripts. Github: Fixes OpenVPN/openvpn#929 Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539 Message-Id: <20260313223833.3813-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36123.html Signed-off-by: Gert Doering (cherry picked from commit c02964f0b20d860176545dbeaf54b11127e9f8a3) --- diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in index 326bb73b1..340603e73 100644 --- a/distro/systemd/openvpn-client@.service.in +++ b/distro/systemd/openvpn-client@.service.in @@ -12,7 +12,7 @@ PrivateTmp=true WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE -LimitNPROC=10 +TasksMax=20 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true 
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index d43bce1bb..3462f33e2 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -12,7 +12,7 @@ PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE CAP_AUDIT_WRITE -LimitNPROC=10 +TasksMax=20 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true
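Review bot: In the openvpn-client@.service.in hunk, the new `TasksMax=20` line has no comment in the unit file saying what the number has to cover. The commit message explains that nested shell scripts (for example with resolvconf) can exhaust the limit, but an administrator reading the installed unit will not see that. Suggest a short `#` comment above `TasksMax=20` stating that it counts every process and thread in this service instance, including helper scripts started by openvpn, so that anyone hitting the limit knows to raise it with a drop-in rather than remove it.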
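Review bot: In the openvpn-server@.service.in hunk, swapping `LimitNPROC=10` for `TasksMax=20` changes the scope of the bound as well as its value, and the commit message only describes that as a benefit. Per the message, the old setting limited threads for the whole uid, so several instances under one user shared a single ceiling; after this change each instance gets its own 20, and the total for that user grows with the number of instances. Please state that in the commit message or the unit documentation so the loss of the aggregate cap is a recorded decision. The justification given for the value 20 is the client-side DNS script case, so it would also help to say whether 20 was checked against the server unit's script usage or simply mirrored from the client unit.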