By default, the systemd openvpn client unit file assumes all config files end with .conf. Many of my config files end with .ovpn. Changing file name extensions is undesirable in my environment.

The default openvpn client unit file is /usr/lib/systemd/system/openvpn-client@.service

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target

Is there a reason I should not edit that file and change the ExecStart line by removing the .conf extension like so?

ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i

In that case, I would pass the full config file name with extension to systemctl. Does including the extension break anything as far as systemd is concerned? Is there another reason why a filename extension cannot be used?

Related questions regarding the ExecStart line:

Normally, my openvpn command line includes --daemon. Is that not required when starting via systemd? I see that it is not included above. If I want it to run as a daemon, do I need to include it?

Also, why is --suppress-timestamps included? Currently, I do not get duplicate timestamps in the logs/journal. Will that change if I start via systemd?

The following is my proposed (untested) unit file:

[Unit]
Description=OpenVPN tunnel for %i
After=syslog.target network-online.target
StartLimitIntervalSec=0
Wants=network-online.target

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --daemon --config %i
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
MountainX

1 Answer


It should work without the extension; it is just a convention established by the unit file. systemctl doesn't complain about dots in unit names.

The systemd units normally don't daemonize the commands they start; that makes it easier for systemd to keep track of the processes that are running.

--suppress-timestamps is probably because journald adds a time anyway. Just try both and see what the difference is.

RalfFriedl
  • Actually, it is more than just the unit file that establishes the convention. https://unix.stackexchange.com/a/409689/5132 https://unix.stackexchange.com/a/378824/5132 And the simple reality is that it is pointless to attempt to dæmonize when one is already a dæmon. – JdeBP Aug 31 '18 at 07:09
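One way to apply the change discussed above without editing the vendor file, as an added example that is not part of the original question or answer: a POSIX shell script that installs a systemd drop-in override for openvpn-client@.service and derives the instance name to pass to systemctl. It assumes the vendor unit shown in the question; DROPIN_ROOT and the file name config-name.conf are hypothetical choices of this example, used so the script can be dry-run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Installs a drop-in
# override for openvpn-client@.service so the instance name reaches --config
# verbatim (so "site1.ovpn" works), instead of editing the vendor file under
# /usr/lib, which the next package upgrade would overwrite.
# DROPIN_ROOT is a hypothetical prefix (default: empty, i.e. the live system)
# so the script can be dry-run against a scratch directory.

dropin_dir() {
    printf '%s/etc/systemd/system/openvpn-client@.service.d\n' "${DROPIN_ROOT:-}"
}

# Drop-in body. The empty "ExecStart=" clears the vendor command first: for a
# Type=notify service systemd rejects two ExecStart= lines, it does not merge them.
# --daemon is deliberately left out, as the answer explains.
dropin_text() {
    printf '%s\n' \
        '[Service]' \
        'ExecStart=' \
        'ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i'
}

# Map a config file name in /etc/openvpn/client to the unit instance to start.
# Dots are legal in instance names, so "site1.ovpn" is passed through unchanged;
# names with a slash, a leading dot, or nothing at all are refused rather than
# silently escaped, since the vendor unit resolves %i relative to WorkingDirectory.
instance_for() {
    cfg="$1"
    case "$cfg" in
        */*|.*|"")
            echo "refusing '$cfg': expected a bare file name in /etc/openvpn/client" >&2
            return 1 ;;
    esac
    printf 'openvpn-client@%s.service\n' "$cfg"
}

install_dropin() {
    dir="$(dropin_dir)"
    mkdir -p "$dir" || return 1
    dropin_text > "$dir/config-name.conf"
}

if [ "${1:-}" = "install" ]; then
    install_dropin && printf 'wrote %s/config-name.conf; now run: systemctl daemon-reload\n' "$(dropin_dir)"
fi
```

Run it as root with DROPIN_ROOT unset (`sh script.sh install`), then `systemctl daemon-reload` and `systemctl cat openvpn-client@site1.ovpn.service` to confirm the merged ExecStart before starting the instance.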