Package: openvpn
Version: 2.4~rc1-1
Severity: important

Since 2.4~rc1-1 the OpenVPN binary package ships two additional systemd units from upstream

/lib/systemd/system/openvpn-client@.service
/lib/systemd/system/openvpn-server@.service

in addition to the ones that are Debian specific

/lib/systemd/system/openvpn.service
/lib/systemd/system/openvpn@.service

Except for the paths the units look a bit different to the ones shipped by Debian.

I doubt we can drop the upstream ones now since they have already been part of a stable release, but maybe we can adjust the Debian specific ones to be as close to the upstream ones as possible.

--- openvpn-server@.service 2017-06-22 18:00:56.000000000 +0200 +++ openvpn@.service 2016-01-20 17:31:04.000000000 +0100 
@@ -1,22 +1,27 @@ [Unit] -Description=OpenVPN service for %I -After=syslog.target network-online.target -Wants=network-online.target +Description=OpenVPN connection to %i +PartOf=openvpn.service +ReloadPropagatedFrom=openvpn.service +Before=systemd-user-sessions.service Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] -Type=notify PrivateTmp=true -RuntimeDirectory=openvpn-server -RuntimeDirectoryMode=0710 -WorkingDirectory=/etc/openvpn/server -ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +KillMode=mixed +Type=forking +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid +PIDFile=/run/openvpn/%i.pid +ExecReload=/bin/kill -HUP $MAINPID +WorkingDirectory=/etc/openvpn +ProtectSystem=yes +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw [Install] WantedBy=multi-user.target
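
Review bot: in [Service], the sandboxing on the two sides differs in ways that matter if the Debian unit is moved toward the upstream one. The `+` side (Debian's openvpn@.service) sets `ProtectSystem=yes` and bounds capabilities with `CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE`, while the `-` side (upstream's openvpn-server@.service) has no `ProtectSystem=` line and grants `CAP_DAC_OVERRIDE`. CAP_DAC_OVERRIDE bypasses write permission checks as well as read and search, so adopting the upstream bounding set verbatim would widen what the daemon can touch before it drops privileges, and dropping `ProtectSystem=yes` would remove the read-only mount of the system directories. I would keep `ProtectSystem=yes` and the narrower `CAP_DAC_READ_SEARCH` in the Debian unit and take over only the upstream pieces that do not loosen confinement (`Type=notify`, `RuntimeDirectory=` with `RuntimeDirectoryMode=0710`), after checking whether any shipped configuration actually needs write-side DAC override. Separately, in [Unit] the `+` side's `Documentation=` line still points at `Openvpn23ManPage` although the package is 2.4~rc1-1; that should become `Openvpn24ManPage` as on the `-` side.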