various updates
[distro-setup] / filesystem / etc / systemd / system / openvpn-client-nn@.service
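# openvpn-client-nn@.service: OpenVPN client template unit.
# The instance name (%i) selects the client config /etc/openvpn/client/%i.conf,
# the mount namespace /root/mount_namespaces/%i that the daemon is started in,
# and the name passed to the newns helper.

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
# Requires= pulls iptables.service in and stops this unit if it fails, but it
# does not order the two units. After= makes this unit wait until the firewall
# service has finished starting before the namespace and tunnel are set up.
Requires=iptables.service
After=iptables.service

[Service]
Type=notify
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
PrivateNetwork=true

# NOTE(review): RLIMIT_NPROC is not enforced by the kernel for processes that
# hold CAP_SYS_ADMIN or CAP_SYS_RESOURCE. While the capability bounding set
# below stays disabled, this limit presumably only takes effect once openvpn
# drops privileges itself (user/group in the client config) - confirm.
LimitNPROC=10

# systemd runs the ExecStartPre= commands in the order listed and only then
# ExecStart=, wherever the lines sit in the file; ExecStopPost= runs after the
# service has stopped.
# NOTE(review): sandboxing options such as PrivateNetwork= apply to these helper
# commands as well as to ExecStart=, so newns and iptables-restore presumably
# run inside the unit's private network namespace - confirm that newns
# expects this.
# NOTE(review): 10.173.0 looks like the address prefix newns assigns to the
# namespace - confirm against the newns script.
ExecStartPre=/a/bin/newns/newns -n 10.173.0 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
ExecStopPost=/a/bin/newns/newns stop %i

# Ian: the upstream hardening lines below are commented out on purpose.
# Until we get the next systemd version (233), which can do bind mounts inside
# a mount namespace via systemd, we have to set up our own namespace, and that
# requires full privileges. The consequence is that the helpers and openvpn
# start as root with no capability or device restrictions from this unit.
# When CapabilityBoundingSet is re-enabled, s/=/=+/ on the ExecStart/Stop
# lines above. The systemd version in flidas does not support =+.
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw

[Install]
# Enabled instances are started as part of multi-user.target.
WantedBy=multi-user.target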