OpenVPN is extremely flexible with a bit over 240 options. Unfortunately, this won't be the last round, we need to see what else comes up with. I really hope to get those fixes pushed out within this week at latest. Hence the scratch build to really test out these last adjustments to bring the Fedora package in-sync with the upstream project expectations. I am active in the upstream OpenVPN project (have been for many years) and I do intend to really sort this out ASAP. It's a road filled with traps, so when even upstream does several steps to improve the situation across all systemd distributions and these efforts are not taken into consideration, things tend to crash badly at some point. but it just shows what can happen when distro package maintainers don't talk to their upstream project when doing the packaging job. I am truly sorry that all these issues appeared. so even though there will be some turbulence now while we're cleaning up things, I do expect things to be far better once all that is settled. We are currently in the phase of cleaning up the systemd integration mess which was caused when distro package maintainers in their best efforts did some quick decisions without getting in touch with OpenVPN upstream in the early days of the systemd introduction. In such a configuration, --daemon is even ignored. OpenVPN v2.4 is designed to use Type=notify which enables sd_notify() under the hood, where OpenVPN messages systemd directly about its state. That can definitely give you even more headaches. > /var/run/openvpn-server/%i.pid --cd /etc/openvpn/ --config %i.conf Do NOT add --writepid and PIDFile= with OpenVPN v2.4. > ExecStart=/usr/sbin/openvpn --daemon --writepid > openvpn-2.4.86_64 is what I have installed. So to avoid users from starting a server configuration through the or vice versa, it was decided to move configuration files into separate directories. For more information, see the README.systemd file which will arrive in a later update.
and the requirements for servers and clients are somewhat different when starting to harden the services. The expects configurations to reside in /etc/openvpn/server for a purpose, as there are setups where the box is both an openvpn server and an openvpn client. spec file in the pipe already to ensure the package sanity is better. If that directory does not exist, that's an error in the packaging. > directory does not exist (and that is also not where my config files are). > I tried switching to and it fails because Further, people in the OpenVPN community are already discussing the next steps to further harden running OpenVPN processes. This helps all OpenVPN users to have the same behaviour and usage, regardless of Linux distribution. And these two new unit files are being maintained by the upstream community and being included in other systemd based Linux distributions as well. With that said, is deprecated and will be removed in Fedora 27, as the newer and provides far better hardening and control of VPN tunnels. This build should fix this issue in the proper way. I have a scratch build ready which needs testing before final build can be sent to bodhi. So instead must be fixed to do things correctly. With all due respect, that is the wrong solution. > did mine), and as long as is shipped, the directory for the
Openvpn daemon upgrade
> The missing tmpfiles entry does break existing configurations on upgrade (it (In reply to Scott Shambarger from comment #1) There is no reason to use --daemon and --writepid with systemd; systemd seems to do the Type=simple (systemd default) far better.
Openvpn daemon update
I will however update the unit file for F26 and F25. I did not review Fedora specific unit file, but rather want to encourage you to try using either or I will add a new README.systemd file to document this better as well, see here for the current one in Rawhide: I will actually claim that the unit file is faulty here. > Options error: --writepid fails with '/var/run/openvpn/server.pid': No such > ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd > Missing path for /var/run/openvpn in tmpfiles config: Additional comment from David Sommerseth on 19:08:47 EDT. Options error: --writepid fails with '/var/run/openvpn/server.pid': No such file or directory Missing path for /var/run/openvpn in tmpfiles config: ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf Additional comment from nucleo on 15:02:19 EDT. +++ This bug was initially created as a clone of Bug #1435036 +++