+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# until we get the next systemd version (233), which can do bind mounts
+# inside a mnt namespace via systemd, we have to setup our own, which requires
+# full priveledges.
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# ian: added just these lines from upstream
+ExecStartPre=+/a/bin/nnnat/systemd-nnnat start %i
+ExecStartPre=+/sbin/iptables-restore /a/bin/transmission-firewall/netns.rules
+ExecStopPost=+/a/bin/nnnat/systemd-nnnat stop %i
+PrivateNetwork=true
+
+
+[Install]
+WantedBy=multi-user.target
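Review bot: With `CapabilityBoundingSet=` and both `DeviceAllow=` lines commented out, the `ExecStart=` line runs nsenter and then openvpn as root with every capability, although only the mount-namespace entry needs more than the commented-out set. Entering a mount namespace needs CAP_SYS_ADMIN in addition to CAP_SYS_CHROOT, so the bounding set can probably be kept by adding that one capability, `CapabilityBoundingSet=CAP_SYS_ADMIN CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE` (to be tested on this systemd version); the `+`-prefixed `ExecStartPre=`/`ExecStopPost=` commands are exempt from it. The comment gives no reason for disabling `DeviceAllow=`, so either restore those two lines or state what breaks with them. Separately, `Requires=iptables.service` does not order the units; add `iptables.service` to `After=` if the tunnel must not start before the host firewall is loaded.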