mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
a564781cfd
Auth_pam will require audit writes or the connection will be rejected as the plugin fails to initialize like: openvpn[1111]: sudo: unable to send audit message openvpn[1111]: sudo: pam_open_session: System error openvpn[1111]: sudo: policy plugin failed session initialization See links from https://community.openvpn.net/openvpn/ticket/918 for more. auth_pam is a common use case and capabilties for it should be allowed by the .service file. Fixes: #918 Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
26 lines
824 B
SYSTEMD
26 lines
824 B
SYSTEMD
[Unit]
|
|
Description=OpenVPN service for %I
|
|
After=syslog.target network-online.target
|
|
Wants=network-online.target
|
|
Documentation=man:openvpn(8)
|
|
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
|
|
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
|
|
|
|
[Service]
|
|
Type=notify
|
|
PrivateTmp=true
|
|
WorkingDirectory=/etc/openvpn/server
|
|
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
|
|
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
|
LimitNPROC=10
|
|
DeviceAllow=/dev/null rw
|
|
DeviceAllow=/dev/net/tun rw
|
|
ProtectSystem=true
|
|
ProtectHome=true
|
|
KillMode=process
|
|
RestartSec=5s
|
|
Restart=on-failure
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|