[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Requires=iptables.service

[Service]
Type=notify
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
# Until we get the next systemd version (233), which can do bind mounts
# inside a mount namespace via systemd, we have to set up our own, which requires
# full privileges.
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw
# ian: added just these lines from upstream
ExecStartPre=+/a/bin/newns/newns -n 10.173.0 start %i
ExecStartPre=+/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStopPost=+/a/bin/newns/newns stop %i
PrivateNetwork=true

[Install]
WantedBy=multi-user.target
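The unit above disables its capability and device restrictions and runs its namespace helpers with the `+` (full-privilege) prefix. The following added audit script, which is not part of the unit or of OpenVPN, parses a systemd unit and reports hardening directives that exist only as comments plus every Exec line that runs with full privileges; the embedded unit text is a constructed, trimmed copy of the one above.

```python
import re
from collections import defaultdict

# Constructed, trimmed copy of the [Service] section discussed above.
UNIT_TEXT = """[Service]
Type=notify
ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --config /etc/openvpn/client/%i.conf
# full privileges.
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw
ExecStartPre=+/a/bin/newns/newns -n 10.173.0 start %i
ExecStartPre=+/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStopPost=+/a/bin/newns/newns stop %i
PrivateNetwork=true
"""

# Directives whose absence (or commented-out presence) weakens sandboxing.
HARDENING_KEYS = ("CapabilityBoundingSet", "DeviceAllow", "PrivateNetwork", "LimitNPROC")

def parse_unit(text):
    """Return (active[section][key] -> [values], commented[key] -> [values])."""
    active = defaultdict(lambda: defaultdict(list))
    commented = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        is_comment = line[0] in "#;"
        body = line.lstrip("#; ") if is_comment else line
        if "=" not in body:
            continue  # free-text comment, not a disabled directive
        key, _, value = body.partition("=")
        key, value = key.strip(), value.strip()
        if is_comment:
            if key in HARDENING_KEYS:
                commented[key].append(value)
        else:
            active[section][key].append(value)
    return active, commented

def audit(text):
    """List hardening directives only present as comments and Exec lines using '+'."""
    active, commented = parse_unit(text)
    svc = active.get("Service", {})
    findings = []
    for key in HARDENING_KEYS:
        if key not in svc and key in commented:
            findings.append(f"{key} only present commented out: {commented[key]}")
    for key in ("ExecStartPre", "ExecStart", "ExecStopPost"):
        for cmd in svc.get(key, []):
            if cmd.startswith("+"):  # '+' bypasses User=, capability and other sandbox settings
                findings.append(f"{key} runs with full privileges: {cmd}")
    return findings
```

Running `audit(UNIT_TEXT)` on the constructed copy reports the commented-out CapabilityBoundingSet and DeviceAllow lines and the three `+`-prefixed helper commands.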