# openvpn client template unit: one instance per config, instantiated as
# openvpn-<name>.service with %i = <name>. Read by systemd (# full-line
# comments only, no inline comments). The openvpn process is started via
# nsenter into a pre-existing mount namespace and runs with
# PrivateNetwork=true; the netns plumbing is done by /a/bin/newns/newns.

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
# ian, this is starting too early, added this from stretch's openvpn-client@.service
# NOTE(review): syslog.target is obsolete in current systemd releases; it is
# harmless here but only network-online.target does any ordering work.
After=syslog.target network-online.target
Wants=network-online.target
# ian, commented out, we are starting too early, no need to be before anything.
# NOTE(review): the comment above says this was commented out, but the
# directive below is still active -- confirm which is intended and make the
# comment and the line agree.
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
# these cause ExecStart to fail with "nsenter: reassociate to namespace
# 'ns/mnt' failed: Invalid argument" on trisquel 8. Probably because we
# get put into some mount namespace and the one that I setup does not
# exist within it or something stupid that systemd does not
# document. Whatev.
# NOTE(review): with PrivateTmp/ProtectSystem disabled (here) and
# CapabilityBoundingSet/DeviceAllow disabled (below), openvpn runs as an
# unconfined root process with the full capability set and read-write
# access to the whole filesystem; that is the trade-off for the nsenter
# approach and is worth stating explicitly.
#PrivateTmp=true
#ProtectSystem=yes
# mixed: SIGTERM to the main process only, SIGKILL to the whole cgroup on timeout
KillMode=mixed
Type=forking
# Enter the mount namespace bound at /root/mount_namespaces/%i (presumably
# a bind mount of a /proc/<pid>/ns/mnt created by newns -- confirm), then
# run openvpn daemonised. --script-security 2 lets the config at
# /etc/openvpn/client/%i.conf invoke external scripts (up/down etc.), so
# that file and anything it references must stay root-owned and
# non-writable by others.
ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client/%i.conf --writepid /run/openvpn/%i.pid
# Same path as --writepid above. NOTE(review): systemd reads this file in
# the host mount namespace, so the entered namespace must share /run for
# Type=forking to pick up the pid -- confirm against newns.
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
# Ian: commented out these lines from upstream
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
# still active (not commented out) -- caps the process count for the unit
LimitNPROC=10
#DeviceAllow=/dev/null rw
#DeviceAllow=/dev/net/tun rw
# ian: added just these lines from upstream
# NOTE(review): the two ExecStartPre lines below are not from the upstream
# unit; "these lines" presumably refers to something else -- confirm.
# Runs in order: create the per-instance namespace, then load the firewall
# rules. Because PrivateNetwork=true applies to every Exec* command, these
# presumably run inside the unit's private network namespace rather than
# on the host -- confirm that is where netns.rules is meant to apply.
ExecStartPre=/a/bin/newns/newns -n 10.173.0 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
# note, this doesnt get run on trisquel 8 when ExecStart command fails,
# documentation says it should
# NOTE(review): if that holds, a failed start leaves the namespace from
# newns start behind; check for leftovers when the unit fails.
ExecStopPost=/a/bin/newns/newns stop %i
# isolated network namespace (loopback only) for all commands in this unit
PrivateNetwork=true

[Install]
WantedBy=multi-user.target