Add systemd unit file for OpenVPN

This is to encourage all Linux distributions to use a unified systemd unit file. This unit file also tries to reduce the capabilities of the running openvpn process. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net URL: http://article.gmane.org/gmane.network.openvpn.devel/9043
2024-09-20 03:52:28 +02:00 · 2014-09-18 10:57:53 +02:00 · 2014-09-18 10:57:53 +02:00 · 8a4566ce4f
commit 8a4566ce4f
parent 9048d50b0a
1 changed files with 19 additions and 0 deletions
--- a/distro/systemd/openvpn@.service
+++ b/distro/systemd/openvpn@.service
@ -0,0 +1,19 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target