@@ -365,6 +365,7 @@ AC_ARG_VAR([GIT], [path to git utility])
AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@])
AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@])
+AC_ARG_VAR([SYSUSERS_DIR], [Path of sysusers directory @<:@default=LIBDIR/sysusers.d@:>@])
AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
@@ -1198,6 +1199,12 @@ if test "$enable_systemd" = "yes" ; then
else
tmpfilesdir="\${libdir}/tmpfiles.d"
fi
+
+ if test -n "${SYSUSERS_DIR}"; then
+ sysusersdir="${SYSUSERS_DIR}"
+ else
+ sysusersdir="\${libdir}/sysusers.d"
+ fi
fi
@@ -1381,6 +1388,7 @@ AC_SUBST([sampledir])
AC_SUBST([systemdunitdir])
AC_SUBST([tmpfilesdir])
+AC_SUBST([sysusersdir])
VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
@@ -14,6 +14,7 @@
EXTRA_DIST = \
tmpfiles-openvpn.conf \
+ sysusers-openvpn.conf \
openvpn-client@.service.in \
openvpn-server@.service.in
@@ -23,11 +24,14 @@ systemdunit_DATA = \
openvpn-server@.service
tmpfiles_DATA = \
tmpfiles-openvpn.conf
+sysusers_DATA = \
+ sysusers-openvpn.conf
dist_doc_DATA = \
README.systemd
install-data-hook:
mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf
+ mv $(DESTDIR)$(sysusersdir)/sysusers-openvpn.conf $(DESTDIR)$(sysusersdir)/openvpn.conf
endif
MAINTAINERCLEANFILES = \
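Review bot: The `mv` added to install-data-hook leaves the installed file under a name automake's generated uninstall rule does not know: uninstall removes `$(sysusersdir)/sysusers-openvpn.conf`, which no longer exists, so `$(sysusersdir)/openvpn.conf` survives `make uninstall` and keeps recreating the openvpn account on every boot (the pre-existing tmpfiles line has the same gap). An `uninstall-hook:` in the same conditional, with `rm -f $(DESTDIR)$(sysusersdir)/openvpn.conf` and the matching `rm -f $(DESTDIR)$(tmpfilesdir)/openvpn.conf`, closes it. The enclosing `if` block starts before this hunk; only its `endif` is visible.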
@@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
Type=notify
PrivateTmp=true
+User=openvpn
+Group=openvpn
WorkingDirectory=/etc/openvpn/client
ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
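Review bot: The `-`/`+` pair replaces CapabilityBoundingSet= with AmbientCapabilities= instead of adding the second line, so the capability ceiling that the old line enforced is gone: as I read systemd.exec(5), AmbientCapabilities= only populates the ambient/inheritable sets and does not narrow the bounding set, which is left unmodified when CapabilityBoundingSet= is absent. With CAP_SETUID/CAP_SETGID now ambient for the openvpn user, an openvpn process that regains uid 0 or execs a setuid/file-capability binary (e.g. via --up/--route-up scripts from an operator's config) is then bounded by nothing. Keeping `CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE` directly above the new `AmbientCapabilities=` line preserves that ceiling at no cost. A one-line `# CAP_DAC_OVERRIDE lets the unprivileged openvpn user read root-owned keys/configs` comment would also document why the config directory permissions were not touched in this change, if that is indeed the intent.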
@@ -9,9 +9,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
Type=notify
PrivateTmp=true
+User=openvpn
+Group=openvpn
WorkingDirectory=/etc/openvpn/server
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
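Review bot: Same concern as the client unit: dropping the CapabilityBoundingSet= line rather than adding AmbientCapabilities= next to it removes the bounding-set limit, and the server grants the larger set including CAP_NET_BIND_SERVICE. Restoring `CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE` above the new line keeps both units consistent and keeps the ceiling in place even if the process ever runs as root again. Since `--status %t/openvpn-server/status-%i.log` now writes as the openvpn user, it presumably relies on the tmpfiles change to 0750 openvpn:openvpn; a short comment on the ExecStart line stating that dependency would help whoever next edits either file.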
new file mode 100644
@@ -0,0 +1 @@
+u openvpn - "OpenVPN user" /
@@ -1,2 +1,2 @@
-d /run/openvpn-client 0710 root root -
-d /run/openvpn-server 0710 root root -
+d /run/openvpn-client 0750 openvpn openvpn -
+d /run/openvpn-server 0750 openvpn openvpn -
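Review bot: Both `d` lines now name the openvpn user and group, which exist only after the new sysusers.d fragment has been applied. At boot systemd orders sysusers before tmpfiles setup, but on a package install or upgrade of a running system `systemd-tmpfiles --create` has to run after `systemd-sysusers`, otherwise these lines fail with an unknown user/group and the runtime directories are not created; packagers should be told. A header comment would capture that: `# user/group openvpn are created by sysusers.d/openvpn.conf; run systemd-sysusers before systemd-tmpfiles --create`. On existing installs the root-owned directories are re-owned in place, which as I read tmpfiles.d(5) is what `d` does for an existing path and appears to be the intended effect.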