Package: openvpn
Version: 2.4.0-6+deb9u1~bpo8+1
Severity: important
Tags: patch

Currently the openvpn service definition doesn't include the options from /etc/default/openvpn. This is problematic from the start, but it hurts especially if you would like to use the --script-security directive. I made a changed version of the service file to include them, as below.

/lib/systemd/system/openvpn@.service:

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
EnvironmentFile=-/etc/default/openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i $OPTARGS --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

-----------------------

This works now with my config. I would suggest including this change in all the versions of openvpn available now in the Debian archive, as I checked the latest version from sid and that lacked this option too. Maybe the configuration should be changed to use the other options from /etc/default/openvpn as well, but as I don't use those directives I don't know where they should go in the .service file.

-- System Information:
Debian Release: 8.9
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.56+deb8u1
ii  init-system-helpers    1.22
ii  iproute2               3.16.0-2
ii  libc6                  2.19-18+deb8u10
ii  liblz4-1               0.0~r122-2
ii  liblzo2-2              2.08-1.2
ii  libpam0g               1.1.8-3.1+deb8u2+b1
ii  libpkcs11-helper1      1.11-2
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libsystemd0            215-17+deb8u7
ii  lsb-base               4.1+Debian13+nmu1

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-1

Versions of packages openvpn suggests:
ii  openssl     1.0.1t-1+deb8u6
ii  resolvconf  1.76.1

-- Configuration Files:
/etc/bash_completion.d/openvpn 5cab8dd1689cc5b338886557cf7a25a9 [Errno 2] No such file or directory: u'/etc/bash_completion.d/openvpn 5cab8dd1689cc5b338886557cf7a25a9'
/etc/default/openvpn changed:
AUTOSTART="all"
OPTARGS="--script-security 2 "
OMIT_SENDSIGS=0

-- debconf information excluded

-- debsums errors found:
debsums: changed file /lib/systemd/system/openvpn@.service (from openvpn package)
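
Added example, not part of the original report and not Debian's or OpenVPN's code: a simplified Python model of how systemd builds the ExecStart= argv, used to check whether the --script-security level set in OPTARGS actually reaches the openvpn command line. The unit excerpt and defaults file are constructed from the report above; the helper names and the "unpatched" and "${OPTARGS}" variants are assumptions for illustration.

```python
import re

# Constructed sample input: [Service] excerpt and defaults file from the report above.
PATCHED_UNIT = """[Service]
EnvironmentFile=-/etc/default/openvpn
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i $OPTARGS --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
"""
DEFAULTS = 'AUTOSTART="all"\nOPTARGS="--script-security 2 "\nOMIT_SENDSIGS=0\n'
# Assumed variants: the same unit without the two changes, and with ${OPTARGS}.
UNPATCHED_UNIT = PATCHED_UNIT.replace("EnvironmentFile=-/etc/default/openvpn\n", "").replace(" $OPTARGS", "")
BRACED_UNIT = PATCHED_UNIT.replace("$OPTARGS", "${OPTARGS}")

def parse_env_file(text):
    """Read KEY=value lines as an EnvironmentFile= would (simplified: no escapes)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop surrounding quotes
        env[key.strip()] = value
    return env

def expand_exec_start(unit_text, env_file_text):
    """Build the argv for ExecStart= (simplified model of systemd's expansion)."""
    has_env = re.search(r"^EnvironmentFile=", unit_text, re.M) is not None
    env = parse_env_file(env_file_text) if has_env else {}
    argv = []
    for word in re.search(r"^ExecStart=(.*)$", unit_text, re.M).group(1).split():
        bare = re.fullmatch(r"\$(\w+)", word)
        if bare:  # $VAR as its own word: split on whitespace, zero or more args
            argv.extend(env.get(bare.group(1), "").split())
        else:     # ${VAR}: substituted in place, always exactly one argument
            argv.append(re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), word))
    return argv

def script_security(argv):
    """Level given with --script-security on the command line, or None if absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "--script-security":
            return int(argv[i + 1])
    return None

if __name__ == "__main__":
    for name, unit in [("patched", PATCHED_UNIT), ("unpatched", UNPATCHED_UNIT), ("braced", BRACED_UNIT)]:
        print(name, script_security(expand_exec_start(unit, DEFAULTS)))
```

A result of None means the level is not passed on the command line; a script-security line in the instance's .conf file is outside what this check looks at.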