This PR hardens the existing openvpn service. It basically mounts the whole filesystem read-only or inaccessible except for a few relevant directories. It allows the CAP_NET_ADMIN capability, which gives the openvpn daemon the ability to run properly. All options are explained in https://manpages.debian.org/stretch/systemd/systemd.exec.5.en.html
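
An added illustration of the approach described above, written as a systemd drop-in; it is not the unit file from this PR. The drop-in location and every directory path are assumptions, and the directives are the ones documented in the linked systemd.exec(5) page.

```ini
# Added example, not the PR's own unit.
# Assumed drop-in location:
#   /etc/systemd/system/openvpn@.service.d/hardening.conf
[Service]
# Mount the entire filesystem hierarchy read-only for this service
# (/dev, /proc and /sys are excepted by systemd).
ProtectSystem=strict

# Make /home, /root and /run/user inaccessible to the daemon.
ProtectHome=yes

# Give the service its own private /tmp and /var/tmp.
PrivateTmp=yes

# The few directories the daemon still needs to write to.
# Assumed paths; the leading "-" tells systemd to ignore a path
# that does not exist instead of failing the unit.
ReadWritePaths=-/run/openvpn -/var/log/openvpn

# Configuration and key material stay readable but not writable (assumed path).
ReadOnlyPaths=-/etc/openvpn

# Directories the daemon has no reason to see at all (assumed list).
InaccessiblePaths=-/boot -/media -/mnt -/srv

# Restrict the capability bounding set to what the description names:
# CAP_NET_ADMIN, needed to configure the tunnel interface and routes.
CapabilityBoundingSet=CAP_NET_ADMIN

# Apply with:
#   systemctl daemon-reload
#   systemctl restart openvpn@<instance>
# Check the effective value with:
#   systemctl show -p CapabilityBoundingSet openvpn@<instance>
```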