aboutsummaryrefslogtreecommitdiffgithub
diff options
context:
space:
mode:
authorAustin Adams <git@austinjadams.com>2016-07-17 00:23:55 -0400
committerAustin Adams <git@austinjadams.com>2016-07-17 00:30:09 -0400
commit3f4f776e4cb7bf949de8d41e78ffe1252c46328f (patch)
treee8f66922e12b163ca2487c15458d211626d3ad57
parent8326e8d371752074243e3e2ffa3c25fbe185a65f (diff)
downloadnsdo-3f4f776e4cb7bf949de8d41e78ffe1252c46328f.tar.gz
nsdo-3f4f776e4cb7bf949de8d41e78ffe1252c46328f.tar.xz
openvpn-example: Add capabilities info
Version 2.3.11 of the Arch openvpn package changed openvpn@.service by limiting its capabilities to a set not including CAP_SYS_ADMIN, which setns() requires. So update the unit pasted into the guide and add the needed capability to the suggested drop-in unit.
-rw-r--r--openvpn-example.md29
1 files changed, 24 insertions, 5 deletions
diff --git a/openvpn-example.md b/openvpn-example.md
index 7ab121d..e3ee2e1 100644
--- a/openvpn-example.md
+++ b/openvpn-example.md
@@ -8,30 +8,46 @@ namespace, allowing you to run a bunch of VPNs at the same time, each
available only to programs you choose.
First, I leverage the [Arch `openvpn` package's `openvpn@.service`][2]
-systemd [service][3], which I'll paste here for posterity:
+systemd [service][3] (based on [upstream's slightly different
+version][7]), which I'll paste here for posterity:
[Unit]
Description=OpenVPN connection to %i
[Service]
+ PrivateTmp=true
Type=forking
- ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid
+ ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2
PIDFile=/run/openvpn@%i.pid
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+ DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
+
(For instance, you'd start an openvpn instance configured in
`/etc/openvpn/foo.conf` with `systemctl start openvpn@foo`.)
-To make OpenVPN keep the same network namespace across VPN reconnections
-or daemon restarts (e.g., after a suspend), I put the following in
-`/etc/systemd/system/openvpn@.service.d/netns.conf`:
+However, the unit needs a few modifications. First, calling `setns()` to
+change network namespaces requires [`CAP_SYS_ADMIN`][8], a capability
+the vanilla unit does not provide. Second, to make OpenVPN keep the same
+network namespace across VPN reconnections or daemon restarts (e.g.,
+after a suspend), a separate unit must set up the destination network
+namespace. To solve both issues, I put the following in
+`/etc/systemd/system/openvpn@.service.d/netns.conf`, a [systemd drop-in
+unit][9]:
[Unit]
Requires=netns@%i.service
After=netns@%i.service
+ [Service]
+ # Needed to call setns() as ip netns does
+ CapabilityBoundingSet=CAP_SYS_ADMIN
+
And then created a `netns@.service` in `/etc/systemd/system`:
[Unit]
@@ -198,3 +214,6 @@ by pointing your client to `foo:5050`:
[4]: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
[5]: http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
[6]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e314dbdc1c0dc6a548ecf0afce28ecfd538ff568
+[7]: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-client%40.service
+[8]: http://manpages.ubuntu.com/manpages/xenial/en/man7/capabilities.7.html
+[9]: https://www.freedesktop.org/software/systemd/man/systemd.unit.html