This new README file describes how to use the new
openvpn-client@.service and openvpn-server@.service unit files properly.
The purpose of this file is primarily for all systemd based
distributions to have a common set of documentation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170327221620.24639-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
29 | 31 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,70 @@ |
0 |
+OpenVPN and systemd |
|
1 |
+=================== |
|
2 |
+ |
|
3 |
+As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a |
|
4 |
+fine grained control of each OpenVPN configuration as well as trying to |
|
5 |
+restrict the capabilities the OpenVPN process have on a system. |
|
6 |
+ |
|
7 |
+ |
|
8 |
+Configuration profile types |
|
9 |
+--------------------------- |
|
10 |
+These new unit files separates between client and server profiles. The |
|
11 |
+configuration files are kept in separate directories, to provide clarity |
|
12 |
+of the profile they run under. |
|
13 |
+ |
|
14 |
+Typically the client profile cannot bind to any ports below port 1024 |
|
15 |
+and the client configuration is always started with --nobind. |
|
16 |
+ |
|
17 |
+The server profile is allowed to bind to any ports. In addition it enables |
|
18 |
+a client status file, usually found in the /run/openvpn-server directory. |
|
19 |
+The status format is set to version 2 by default. These settings may be |
|
20 |
+overridden by adding --status and/or --status-version in the OpenVPN |
|
21 |
+configuration file. |
|
22 |
+ |
|
23 |
+Neither of these profiles makes use of PID files, but OpenVPN reports back to |
|
24 |
+systemd its PID once it has initialized. |
|
25 |
+ |
|
26 |
+For configuration using a peer-to-peer mode (not using --mode server on one |
|
27 |
+of the sides) it is recommended to use the client profile. |
|
28 |
+ |
|
29 |
+ |
|
30 |
+Configuration files |
|
31 |
+------------------- |
|
32 |
+These new unit files expects client configuration files to be made available |
|
33 |
+in /etc/openvpn/client. Similar for the server configurations, it is expected |
|
34 |
+to be found in /etc/openvpn/server. The configuration files must have a .conf |
|
35 |
+file extension. |
|
36 |
+ |
|
37 |
+ |
|
38 |
+Managing VPN tunnels |
|
39 |
+-------------------- |
|
40 |
+Use the normal systemctl tool to start, stop VPN tunnels, as well as enable |
|
41 |
+and disable tunnels at boot time. The syntax is: |
|
42 |
+ |
|
43 |
+ - client configurations: |
|
44 |
+ # systemctl $OPER openvpn-client@$CONFIGNAME |
|
45 |
+ |
|
46 |
+ - server configurations: |
|
47 |
+ # systemctl $OPER openvpn-server@$CONFIGNAME |
|
48 |
+ |
|
49 |
+Similarly, to view the OpenVPN journal log use a similar syntax: |
|
50 |
+ |
|
51 |
+ # journalctl -u openvpn-client@$CONFIGNAME |
|
52 |
+ or |
|
53 |
+ # journalctl -u openvpn-server@$CONFIGNAME |
|
54 |
+ |
|
55 |
+* Examples |
|
56 |
+ Say your server configuration is /etc/openvpn/server/tun0.conf, you |
|
57 |
+ start this VPN service like this: |
|
58 |
+ |
|
59 |
+ # systemctl start openvpn-server@tun0 |
|
60 |
+ |
|
61 |
+ A client configuration file in /etc/openvpn/client/corpvpn.conf is |
|
62 |
+ started like this: |
|
63 |
+ |
|
64 |
+ # systemctl start openvpn-client@corpvpn |
|
65 |
+ |
|
66 |
+ To view the server configuration's journal only listing entries from |
|
67 |
+ yesterday and until today: |
|
68 |
+ |
|
69 |
+ # journalctl --since yesterday -u openvpn-server@tun0 |