Am 04.01.19 um 17:25 schrieb David Sommerseth:

Hi everyone,

> Okay, I was a bit unclear.  The approach used with openvpn.service and
> openvpn@.service are broken by (Debian) design.  Quite many users have
> reported that these service files does not work at all.  But I'll admit, I'm
> not really up-to-date if these service files have been updated by
> distro-packagers later on.

(One of the) Debian OpenVPN maintainer here. I'd like to get some input
about the perceived brokenness of the openvpn@.service in Debian. Freeze
is coming up, but we still have time to fix issues if they arise. I'm
not aware of any major bugs reported for this.

First of all, we ship both openvpn@.service (which is maintained in
Debian) and openvpn-client@.service and openvpn-server@.service from the
upstream sources. As a user of our package you are very much free (and
encouraged) to work with OpenVPN in the officially documented way.

openvpn@.service mostly comes from a compatibility layer. Since years in
Debian you could drop a .conf into /etc/openvpn and had it executed at
startup (controlled by a variable in /etc/default/openvpn). This is
pretty much remodeled by the use of a custom generator, see
https://sources.debian.org/src/openvpn/2.4.6-1/debian/openvpn-generator/
. openvpn.service just binds these instances together to allow for a
service openvpn restart to work. And I currently don't see a compelling
reason to drop this, since it allows upgrading users to keep working).

Since the .conf files are not split between client and server we have to
use one openvpn@.service that can accomodate both. But I really fail to
see the problem here. openvpn@.service and openvpn-server@.service are
not that much different. We do use systemd readyness notification, the
capability bounding set is the same (for server), the ExecStart line is
similar, we do restart on error.

openvpn@.service
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status
/run/openvpn/%i.status 10 --cd /etc/openvpn --config
/etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid

openvpn-server@.service
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
--status-version 2 --suppress-timestamps --config %i.conf

-client.service is a bit more restricted and uses --nobind and no status
file, but that's about it.

Bernhard


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to