slingamn / namespaced-openvpn

Wrapper for OpenVPN on Linux solving various privacy issues
MIT License

document / provide an example systemd unit file #15

Open slingamn opened 5 years ago

slingamn commented 5 years ago

Continued from #14. We should have an example of a systemd unit file that can be used in a dependency chain. My guess is that Type=forking together with openvpn's --daemon argument is the best strategy.

samlii commented 5 years ago

I made a unit file called nsopenvpn@.service; it is based on openvpn@.service. Here is the file:

[Unit]
Description=Namespaced OpenVPN connection to %i
Before=systemd-user-sessions.service
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/slingamn/namespaced-openvpn

[Service]
Type=notify
WorkingDirectory=/etc/openvpn
ExecStart=/usr/local/sbin/namespaced-openvpn --namespace %i --daemon nsovpn-%i --status /run/namespaced-openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/namespaced-openvpn/%i.pid
PIDFile=/run/namespaced-openvpn/%i.pid
KillMode=process
ExecReload=/bin/kill -HUP $MAINPID
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target

object88 commented 4 years ago

I followed the above example on my Debian buster system, and had some issues with it starting up. In particular, I found the following in the journalctl -xe messages:

Options error: --writepid fails with '/run/namespaced-openvpn/foo.ovpn.pid': No such file or directory (errno=2)

I fixed this by adding another line to the systemd unit file:

[Service]
RuntimeDirectory=namespaced-openvpn

This directs systemd to create that directory in the /run directory, which allows parameters like --status /run/namespaced-openvpn/%i.status to work.

Thanks for this example!
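For reference, here is the unit file from the earlier comment with the RuntimeDirectory= line folded in, so the whole thing can be copied as one file. This is a consolidated example added here, not code from the namespaced-openvpn project; the file name namespaced-openvpn@.service under /etc/systemd/system is an assumption.

```ini
# /etc/systemd/system/namespaced-openvpn@.service (assumed path; consolidated example, not from the project)
[Unit]
Description=Namespaced OpenVPN connection to %i
Before=systemd-user-sessions.service
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/slingamn/namespaced-openvpn

[Service]
Type=notify
# systemd creates /run/namespaced-openvpn (owned by the service user) before
# ExecStart runs and removes it when the unit stops, so --status and
# --writepid below have a directory to write into.
RuntimeDirectory=namespaced-openvpn
WorkingDirectory=/etc/openvpn
ExecStart=/usr/local/sbin/namespaced-openvpn --namespace %i --daemon nsovpn-%i --status /run/namespaced-openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/namespaced-openvpn/%i.pid
PIDFile=/run/namespaced-openvpn/%i.pid
# Only the main process is signalled on stop; --daemon leaves helper
# processes that openvpn tears down itself.
KillMode=process
ExecReload=/bin/kill -HUP $MAINPID
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

With a config at /etc/openvpn/foo.conf, `systemctl enable --now namespaced-openvpn@foo.service` starts it; `ls /run/namespaced-openvpn` should then show foo.status and foo.pid, and the "No such file or directory" error from --writepid no longer appears in the journal.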

SJ50 commented 4 years ago

Here is my rtorrent unit file connecting to the namespace created by the systemd file posted by @samlii:

[Unit]
Description=rtorrent in namespace
Requires=network.target namespaced-openvpn@%i.service
After=network.target namespaced-openvpn@%i.service

[Service]
Type=oneshot
# Do not signal the tmux server on stop; ExecStop asks rtorrent to quit cleanly instead.
KillMode=none
User=%i
# Join the network namespace created by namespaced-openvpn for this instance.
NetworkNamespacePath=/var/run/netns/protected-%i
WorkingDirectory=/var/torrent
ExecStart=/usr/bin/tmux -2u new -s rtorrent -n rT-PS -d '/opt/rtorrent/bin/rtorrent -n -o import=/var/torrent/rtorrent.rc'
ExecStop=/bin/bash -c "/usr/bin/tmux send-keys -t rtorrent:rT-PS 'C-q'"
Restart=on-failure

[Install]
WantedBy=multi-user.target

The problem I am facing with the above systemd file is that I am not able to resolve nameservers, but if I launch rtorrent with sudo ip netns exec protected-ubuntu sudo -u "$USER" /usr/bin/tmux -2u new -s rtorrent -n rT-PS -d '/opt/rtorrent/bin/rtorrent -n -o import=/var/torrent/rtorrent.rc' it works fine.