Browse code
systemd: Add and ship README.systemd
This new README file describes how to use the new
openvpn-client@.service and openvpn-server@.service unit files properly.
The purpose of this file is primarily for all systemd based
distributions to have a common set of documentation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170327221620.24639-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth authored on 2017/03/28 07:16:20Showing 2 changed files
| 29 | 31 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,70 @@ |
| 0 |
+OpenVPN and systemd |
|
| 1 |
+=================== |
|
| 2 |
+ |
|
| 3 |
+As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a |
|
| 4 |
+fine grained control of each OpenVPN configuration as well as trying to |
|
| 5 |
+restrict the capabilities the OpenVPN process have on a system. |
|
| 6 |
+ |
|
| 7 |
+ |
|
| 8 |
+Configuration profile types |
|
| 9 |
+--------------------------- |
|
| 10 |
+These new unit files separates between client and server profiles. The |
|
| 11 |
+configuration files are kept in separate directories, to provide clarity |
|
| 12 |
+of the profile they run under. |
|
| 13 |
+ |
|
| 14 |
+Typically the client profile cannot bind to any ports below port 1024 |
|
| 15 |
+and the client configuration is always started with --nobind. |
|
| 16 |
+ |
|
| 17 |
+The server profile is allowed to bind to any ports. In addition it enables |
|
| 18 |
+a client status file, usually found in the /run/openvpn-server directory. |
|
| 19 |
+The status format is set to version 2 by default. These settings may be |
|
| 20 |
+overridden by adding --status and/or --status-version in the OpenVPN |
|
| 21 |
+configuration file. |
|
| 22 |
+ |
|
| 23 |
+Neither of these profiles makes use of PID files, but OpenVPN reports back to |
|
| 24 |
+systemd its PID once it has initialized. |
|
| 25 |
+ |
|
| 26 |
+For configuration using a peer-to-peer mode (not using --mode server on one |
|
| 27 |
+of the sides) it is recommended to use the client profile. |
|
| 28 |
+ |
|
| 29 |
+ |
|
| 30 |
+Configuration files |
|
| 31 |
+------------------- |
|
| 32 |
+These new unit files expects client configuration files to be made available |
|
| 33 |
+in /etc/openvpn/client. Similar for the server configurations, it is expected |
|
| 34 |
+to be found in /etc/openvpn/server. The configuration files must have a .conf |
|
| 35 |
+file extension. |
|
| 36 |
+ |
|
| 37 |
+ |
|
| 38 |
+Managing VPN tunnels |
|
| 39 |
+-------------------- |
|
| 40 |
+Use the normal systemctl tool to start, stop VPN tunnels, as well as enable |
|
| 41 |
+and disable tunnels at boot time. The syntax is: |
|
| 42 |
+ |
|
| 43 |
+ - client configurations: |
|
| 44 |
+ # systemctl $OPER openvpn-client@$CONFIGNAME |
|
| 45 |
+ |
|
| 46 |
+ - server configurations: |
|
| 47 |
+ # systemctl $OPER openvpn-server@$CONFIGNAME |
|
| 48 |
+ |
|
| 49 |
+Similarly, to view the OpenVPN journal log use a similar syntax: |
|
| 50 |
+ |
|
| 51 |
+ # journalctl -u openvpn-client@$CONFIGNAME |
|
| 52 |
+ or |
|
| 53 |
+ # journalctl -u openvpn-server@$CONFIGNAME |
|
| 54 |
+ |
|
| 55 |
+* Examples |
|
| 56 |
+ Say your server configuration is /etc/openvpn/server/tun0.conf, you |
|
| 57 |
+ start this VPN service like this: |
|
| 58 |
+ |
|
| 59 |
+ # systemctl start openvpn-server@tun0 |
|
| 60 |
+ |
|
| 61 |
+ A client configuration file in /etc/openvpn/client/corpvpn.conf is |
|
| 62 |
+ started like this: |
|
| 63 |
+ |
|
| 64 |
+ # systemctl start openvpn-client@corpvpn |
|
| 65 |
+ |
|
| 66 |
+ To view the server configuration's journal only listing entries from |
|
| 67 |
+ yesterday and until today: |
|
| 68 |
+ |
|
| 69 |
+ # journalctl --since yesterday -u openvpn-server@tun0 |