OpenVPN and systemd
===================

As of OpenVPN v2.4, upstream is shipping systemd unit files to provide
fine-grained control of each OpenVPN configuration, as well as to
restrict the capabilities the OpenVPN process has on a system.


Configuration profile types
---------------------------
These new unit files separate client and server profiles. The
configuration files are kept in separate directories, to make clear
which profile they run under.

Typically the client profile cannot bind to any ports below port 1024,
and the client configuration is always started with --nobind.

The server profile is allowed to bind to any port. In addition it enables
a client status file, usually found in the /run/openvpn-server directory.
The status format is set to version 2 by default. These settings may be
overridden by adding --status and/or --status-version in the OpenVPN
configuration file.

Neither of these profiles makes use of PID files, but OpenVPN reports its
PID back to systemd once it has initialized.

For configurations using a peer-to-peer mode (not using --mode server on one
of the sides) it is recommended to use the client profile.


Configuration files
-------------------
These new unit files expect client configuration files to be made available
in /etc/openvpn/client. Similarly, server configurations are expected
to be found in /etc/openvpn/server. The configuration files must have a .conf
file extension.


Managing VPN tunnels
--------------------
Use the normal systemctl tool to start and stop VPN tunnels, as well as to
enable and disable tunnels at boot time. The syntax is:

- client configurations:
    # systemctl $OPER openvpn-client@$CONFIGNAME

- server configurations:
    # systemctl $OPER openvpn-server@$CONFIGNAME

To view the OpenVPN journal log, use the same syntax:

    # journalctl -u openvpn-client@$CONFIGNAME
or
    # journalctl -u openvpn-server@$CONFIGNAME

* Examples
Say your server configuration is /etc/openvpn/server/tun0.conf; you
start this VPN service like this:

    # systemctl start openvpn-server@tun0

A client configuration file in /etc/openvpn/client/corpvpn.conf is
started like this:

    # systemctl start openvpn-client@corpvpn

To view the server configuration's journal, listing only entries from
yesterday until today:

    # journalctl --since yesterday -u openvpn-server@tun0
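As an added example (not part of the OpenVPN README or project), the shell script below checks a configuration file against the profile rules described above: it derives the systemd unit instance from the file name and flags directives that conflict with the client profile's forced --nobind, a server-profile config that runs in peer-to-peer mode, and PID-file directives neither profile uses. The directive names are OpenVPN's own; the script name lint-openvpn.sh is assumed.

```shell
#!/bin/sh
# Added example, not part of OpenVPN's README: lint an OpenVPN config file
# against the systemd profile it will run under, using the rules above.
#   client: openvpn-client@NAME, started with --nobind, cannot bind ports < 1024
#   server: openvpn-server@NAME, may bind any port, status file in /run/openvpn-server

# Map a config path to the unit instance the templates expect.
# Returns 1 when the file lacks the mandatory .conf extension.
unit_for_config() {
    profile=$1; base=${2##*/}
    case "$base" in
        *.conf) printf 'openvpn-%s@%s\n' "$profile" "${base%.conf}" ;;
        *)      return 1 ;;
    esac
}

# Return 0 when a config matches its profile, 1 after printing each finding.
lint_config() {
    profile=$1; file=$2; rc=0
    case "$profile" in
    client)
        # The unit forces --nobind, so bind-style directives conflict with it.
        if grep -Eq '^[[:space:]]*(bind|lport|local)([[:space:]]|$)' "$file"; then
            echo "$file: bind/lport/local conflicts with --nobind forced by openvpn-client@"; rc=1
        fi
        if grep -Eq '^[[:space:]]*mode[[:space:]]+server' "$file"; then
            echo "$file: 'mode server' belongs in /etc/openvpn/server under openvpn-server@"; rc=1
        fi ;;
    server)
        # No server directive means peer-to-peer, which the README puts in the client profile.
        if ! grep -Eq '^[[:space:]]*(mode[[:space:]]+server|server(-bridge)?([[:space:]]|$))' "$file"; then
            echo "$file: no server mode directive; peer-to-peer configs belong in the client profile"; rc=1
        fi ;;
    esac
    # Neither profile uses PID files; OpenVPN hands its PID to systemd directly.
    if grep -Eq '^[[:space:]]*writepid([[:space:]]|$)' "$file"; then
        echo "$file: writepid is unused under the systemd units"; rc=1
    fi
    return $rc
}

# Usage: sh lint-openvpn.sh client /etc/openvpn/client/corpvpn.conf
# Prints the unit instance, then any findings; exits non-zero on a finding.
[ $# -eq 2 ] && unit_for_config "$1" "$2" && lint_config "$1" "$2"
```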