harmonize vpn, lan, and transmission ips
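# openvpn-client-tr@.service: OpenVPN client instance %i, run inside its own
# network namespace (PrivateNetwork=true) so only traffic deliberately routed
# into that namespace can use the tunnel.  Derived from the default openvpn
# client unit; hardening that was dropped from it is noted below rather than
# silently re-enabled, because the Exec*Pre/Post commands run under the same
# sandbox and have not been tested against it.
[Unit]
Description=OpenVPN tunnel for %I
# Requires= only pulls iptables.service in, it does not order it: without an
# After= the two units start in parallel and the tunnel can come up before the
# host firewall rules it presumably relies on are loaded.
Requires=iptables.service
After=iptables.service network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
# /run/openvpn-client (mode 0710), shared by every instance of this template.
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
# todo, try reenabling this from the default openvpn,
# it was disabled so we could do bind mounts as a command,
# but now systemd handles it
# NOTE(review): a bounding set applies to the ExecStartPre/ExecStopPost
# commands as well; newns presumably needs CAP_SYS_ADMIN to create the
# namespace, which is not in this list -- check before re-enabling.
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
# No User= is set, so this only bites once openvpn has dropped privileges
# (assuming %i.conf does so); the kernel does not enforce RLIMIT_NPROC on
# processes holding CAP_SYS_RESOURCE/CAP_SYS_ADMIN.
LimitNPROC=10
# Device whitelist from the default unit, left disabled together with the
# bounding set; the reason is not recorded -- re-test with the Exec*Pre commands.
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw

# The namespace is numbered 10.174.8.x so it is on a different network than
# kd; that lets a remote host talk to transmission on kd and still use this
# vpn.
# NOTE(review): the previous wording of this note said ".1" while the prefix
# actually passed below is 10.174.8 -- presumably renumbered; confirm against
# newns and kd's configuration.
# All Exec* commands below run inside the unit's private network namespace.
# NOTE(review): the lock file lives in world-writable /tmp.  Any local user
# can pre-create it or hold the lock and stall every start and stop for the
# 20 s timeout, after which flock fails and the unit does not start.  Move it
# to a root-only location such as /run/newns.flock -- in every newns caller
# at once, since this lock is what serialises them -- after which the default
# unit's PrivateTmp=true could be restored as well.
ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
# Firewall rules for the namespace itself, not for the host.
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
# allow wireguard network to connect: route 10.8.0.0/24 (presumably the
# wireguard subnet) back out through the veth gateway so its peers can reach
# services in this namespace.  `add` is fine because the namespace is fresh on
# every start; use `ip route replace` if the route can ever pre-exist.
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.8.1 dev veth1-client
ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
PrivateNetwork=true
# Per-namespace DNS: /etc/tr-resolv is mounted over /run/systemd/resolve and
# /etc/basic-nsswitch over /etc/resolved-nsswitch, so lookups inside the
# namespace presumably bypass the host's systemd-resolved stub (unreachable
# from here) -- confirm that /etc/resolv.conf and /etc/nsswitch.conf resolve
# to those paths on this machine.
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind

[Install]
WantedBy=multi-user.target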