From f3d0d5131fc25dff2081f7259b34372d6be33f45 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Mar 25 2017 00:27:48 +0000
Subject: Cleaning up

Mostly based on the changes in master (commit a9b2582ae9cdb)
- Use systemd-rpm macros
- Remove %triggerun for openvpn < 2.2.1 (which is way too old anyhow for newer Fedoras)
- Fixed several issues with installed files
- Fixed ./configure arguments - several of them where outdated or used wrong
- Updated deprecated openvpn@.service to use Type=notify instead of Type=forking. OpenVPN v2.4 have built-in support for Type=notify
- Added README.systemd which describes the new unit files
- Fixed wrong mixing of %doc and %{_pkgdocdir} causing duplication of sample and contrib directories
- Install management-notes.txt, which contains useful information about the OpenVPN management interface commands
- Don't own %{_localstatedir}/run/%{name} ... that's handled by tmpfiles.d/openvpn.conf instead.
- Own /etc/openvpn{,client,server}/
Resolves: rhbz#1435831, rhbz#1435036, rhbz#850257
---
diff --git a/README.systemd b/README.systemd
new file mode 100644
index 0000000..cf0003e
--- /dev/null
+++ b/README.systemd
@@ -0,0 +1,71 @@ +OpenVPN and systemd +=================== + +As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a +fine grained control of each OpenVPN configuration as well as trying to +restrict the capabilities the OpenVPN process have on a system. + + +Configuration profile types +--------------------------- +These new unit files separates between client and server profiles. The +configuration files are kept in separate directories, to provide clarity +of the profile they run under. + +Typically the client profile cannot bind to any ports below port 1024 +and the client configuration is always started with --nobind. + +The server profile is allowed to bind to any ports. In addition it enables +a client status file, usually found in the /run/openvpn-server directory. +The status format is set to version 2 by default. These settings may be +overridden by adding --status and/or --status-version in the OpenVPN +configuration file. + +Neither of these profiles makes use of PID files, but OpenVPN reports back to +systemd its PID once it has initialized. + +For configuration using a peer-to-peer mode (not using --mode server on one +of the sides) it is recommended to use the client profile. + + +Configuration files +------------------- +These new unit files expects client configuration files to be made available +in /etc/openvpn/client. Similar for the server configurations, it is expected +to be found in /etc/openvpn/server. The configuration files must have a .conf +file extension. + + +Managing VPN tunnels +-------------------- +Use the normal systemctl tool to start, stop VPN tunnels, as well as enable +and disable tunnels at boot time. 
The syntax is: + + - client configurations: + # systemctl $OPER openvpn-client@$CONFIGNAME + + - server configurations: + # systemctl $OPER openvpn-server@$CONFIGNAME + +Similarly, to view the OpenVPN journal log use a similar syntax: + + # journalctl -u openvpn-client@$CONFIGNAME + or + # journalctl -u openvpn-server@$CONFIGNAME + +* Examples + Say your server configuration is /etc/openvpn/server/tun0.conf, you + start this VPN service like this: + + # systemctl start openvpn-server@tun0 + + A client configuration file in /etc/openvpn/client/corpvpn.conf is + started like this: + + # systemctl start openvpn-client@corpvpn + + To view the server configuration's journal only listing entries from + yesterday and until today: + + # journalctl --since yesterday -u openvpn-server@tun0 + diff --git a/openvpn.spec b/openvpn.spec index 1ed7d7e..de449bc 100644 --- a/openvpn.spec +++ b/openvpn.spec 
@@ -5,23 +5,17 @@ Name: openvpn Version: 2.4.1 -Release: 1%{?prerelease:.%{prerelease}}%{?dist} +Release: 2%{?prerelease:.%{prerelease}}%{?dist} Summary: A full-featured SSL VPN solution URL: https://community.openvpn.net/ Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc -# Sample 2.0 config files Source2: roadwarrior-server.conf Source3: roadwarrior-client.conf -# Systemd service (deprecated) -Source4: openvpn@.service - -# Don't start openvpn by default. -#Patch0: openvpn-init.patch -#Patch1: openvpn-script-security.patch -#Patch2: openvpn-2.1.1-init.patch -#Patch3: openvpn-2.1.1-initinfo.patch -Patch4: 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch +Source4: README.systemd +# Deprecated systemd unit file. Will be removed in Fedora 27 +Source5: openvpn@.service +Patch0: 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch License: GPLv2 Group: Applications/Internet BuildRequires: systemd-devel @@ -56,11 +50,7 @@ for compression. %prep %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} -#%patch0 -p0 -#%patch1 -p1 -#%patch2 -p0 -#%patch3 -p0 -%patch4 -p1 +%patch0 -p1 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8 
@@ -69,24 +59,16 @@ find contrib sample -type f -perm /100 \ -exec chmod a-x {} \; %build -# --enable-pthread Enable pthread support (Experimental for OpenVPN 2.0) -# --enable-password-save Allow --askpass and --auth-user-pass passwords to be -# read from a file -# --enable-iproute2 Enable support for iproute2 -# --with-ifconfig-path=PATH Path to ifconfig tool -# --with-iproute-path=PATH Path to iproute tool -# --with-route-path=PATH Path to route tool %configure \ --enable-iproute2 \ - --with-iproute-path=/sbin/ip \ - --enable-plugins \ - --enable-plugin-down-root \ - --enable-plugin-auth-pam \ --with-crypto-library=mbedtls \ + --enable-selinux \ --enable-systemd \ --docdir=%{_pkgdocdir} \ SYSTEMD_UNIT_DIR=%{_unitdir} \ - TMPFILES_DIR=%{_tmpfilesdir} + TMPFILES_DIR=%{_tmpfilesdir} \ + IPROUTE=/sbin/ip +# --enable-pkcs11 \ %{__make} #%check 
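Review bot: The trailing backslash on the new `# --enable-pkcs11 \` line is a hazard rather than a harmless placeholder: the line is no longer part of the `%configure` invocation (the `IPROUTE=/sbin/ip` line before it carries no continuation), and rpm joins backslash-continued lines while reading the spec, before the shell sees the comment, so whatever follows — `%{__make}` in this hunk, unless a blank line sits between — is at risk of being swallowed into the comment. Write it as `# --enable-pkcs11` without the backslash, or keep it as an inactive line inside the argument list. Separately, `--enable-selinux` is added here but no matching `BuildRequires: libselinux-devel` appears in this commit; if it is not already declared elsewhere in the spec, configure should fail (or at best build without the SELinux context switching the flag exists for), so that dependency is worth confirming. The %build section runs past the end of this hunk.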
@@ -119,29 +101,18 @@ find contrib sample -type f -perm /100 \ # %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server %install -#install -D -m 0644 doc/%{name}.8 $RPM_BUILD_ROOT%{_mandir}/man8/%{name}.8 -#install -D -m 0755 src/openvpn/%{name} $RPM_BUILD_ROOT%{_sbindir}/%{name} - -mkdir -p %{buildroot}%{_unitdir} -install -D -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/ -rm -rf %{buildroot}%{_initrddir} -install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name} - -#mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name} -#cp -pR easy-rsa $RPM_BUILD_ROOT%{_datadir}/%{name}/ -#rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}/easy-rsa/Windows -cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ - %{__make} install DESTDIR=$RPM_BUILD_ROOT find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f +mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server +cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ + +# DEPRECATED openvpn@.service ... this unit file will be removed in Fedora 27 +install -D -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/ # Package installs into %%{_pkgdocdir} directly # Add further files -cp -a AUTHORS PORTS INSTALL contrib sample $RPM_BUILD_ROOT%{_pkgdocdir} +cp -a AUTHORS contrib sample %{SOURCE4} $RPM_BUILD_ROOT%{_pkgdocdir} -# tmpfiles.d -mkdir -p %{buildroot}%{_localstatedir}/run/ -install -d -m 0710 %{buildroot}%{_localstatedir}/run/%{name}/ %pre getent group openvpn &>/dev/null || groupadd -r openvpn 
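Review bot: `mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client ...` applies 0750 only to the two leaf directories; the intermediate `%{_sysconfdir}/%{name}` now takes `mkdir -p`'s default mode (the build umask), because the explicit `install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}` is removed in this hunk and the `%config %dir %{_sysconfdir}/%{name}/` entry in the %files hunk that follows carries no `%attr`. The directory holding VPN profiles, and usually their keys and certificates, should not get its mode from the build environment: either keep the `install -d -m 0755` line before the mkdir, or pin all three entries in %files as `%attr(0755,root,root) %config %dir %{_sysconfdir}/%{name}/` with `%attr(0750,root,root)` for client and server. It is also worth a one-line comment next to the mkdir that 0750 root-only is intentional: configuration is parsed before `--user` drops privileges, but any file OpenVPN re-reads afterwards from those directories would then be unreadable, which is a support question waiting to happen. The %install section continues past the end of this hunk.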
@@ -150,43 +121,24 @@ getent passwd openvpn &>/dev/null || \ -d /etc/openvpn openvpn %post -if [ $1 -eq 1 ] ; then - # Initial installation - /bin/systemctl daemon-reload >/dev/null 2>&1 || : -fi +%systemd_post openvpn-client@\*.service +%systemd_post openvpn-server@\*.service %preun -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable openvpn.service > /dev/null 2>&1 || : - /bin/systemctl stop openvpn.service > /dev/null 2>&1 || : -fi +%systemd_preun openvpn-client@\*.service +%systemd_preun openvpn-server@\*.service %postun -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -# Normally, we'd try a restart here, but in this case, it could be troublesome. - -%triggerun -- openvpn < 2.2.1-2 -# Save the current service runlevel info -# User must manually run systemd-sysv-convert --apply openvpn -# to migrate them to systemd targets -/usr/bin/systemd-sysv-convert --save openvpn >/dev/null 2>&1 ||: - -# Run these because the SysV package being removed won't do them -/sbin/chkconfig --del openvpn >/dev/null 2>&1 || : -/bin/systemctl try-restart openvpn.service >/dev/null 2>&1 || : +%systemd_postun openvpn-client@\*.service +%systemd_postun openvpn-server@\*.service %files %{_pkgdocdir} %exclude %{_pkgdocdir}/README.IPv6 %exclude %{_pkgdocdir}/README.polarssl -%exclude %{_pkgdocdir}/management-notes.txt - -%doc contrib sample %{_mandir}/man8/%{name}.8* %{_sbindir}/%{name} -#%{_datadir}/%{name}/ %{_includedir}/openvpn-plugin.h %{_includedir}/openvpn-msg.h %{_libdir}/%{name}/ 
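Review bot: The deprecated `openvpn@.service` template is still installed by this commit (`%{SOURCE5}` in %install), but none of the new `%systemd_post`/`%systemd_preun`/`%systemd_postun` lines name it, so instances such as openvpn@foo are neither preset on install nor stopped and disabled on package erase — the removed %preun at least attempted a stop. For as long as the unit ships, add `%systemd_post openvpn@\*.service`, `%systemd_preun openvpn@\*.service` and `%systemd_postun openvpn@\*.service` next to the client/server lines so removal leaves no unmanaged root OpenVPN process behind. The %files list that begins at the end of this hunk continues in the next one.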
@@ -194,10 +146,19 @@ fi
 %{_unitdir}/%{name}-client@.service
 %{_unitdir}/%{name}-server@.service
 %{_tmpfilesdir}/%{name}.conf
-%attr(0710,root,openvpn) %dir %{_localstatedir}/run/%{name}/
 %config %dir %{_sysconfdir}/%{name}/
+%config %dir %{_sysconfdir}/%{name}/client
+%config %dir %{_sysconfdir}/%{name}/server
+
 
 %changelog
+* Fri Mar 24 2017 David Sommerseth - 2.4.1-2
+- Various cleanups
+- Use systemd-rpm macros (rhbz#850257)
+- Updated openvpn@.service to use Type=notify instead of Type=forking (rhbz#1435831)
+  BEWARE: openvpn@.service is DEPRECATED.
+- Added README.systemd describing new systemd unit files (openvpn-client/server@.service)
+
 * Thu Mar 23 2017 David Sommerseth - 2.4.1-1
 - Updating to upstream release, v2.4.1
 - Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
diff --git a/openvpn@.service b/openvpn@.service
index 41dab63..f6af6d7 100644
--- a/openvpn@.service
+++ b/openvpn@.service
@@ -3,10 +3,9 @@ Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
 After=network.target
 
 [Service]
+Type=notify
 PrivateTmp=true
-Type=forking
-PIDFile=/var/run/openvpn/%i.pid
-ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
 
 [Install]
 WantedBy=multi-user.target
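Review bot: After this hunk the deprecated unit's `[Service]` section holds only `Type=notify` and `PrivateTmp=true`, so it still runs OpenVPN as an unrestricted root service while the commit message credits the upstream `openvpn-client@`/`openvpn-server@` units with a capability-restricted process. Since this template keeps accepting any legacy `/etc/openvpn/%i.conf` until Fedora 27, mirroring the upstream server unit's `CapabilityBoundingSet`, `LimitNPROC`, `DeviceAllow` and `ProtectSystem`/`ProtectHome` settings would give those profiles the same containment; an instance that loads a plugin needing more (auth-pam, which I believe later upstream units accommodated with CAP_AUDIT_WRITE) would extend the bounding set. The rewritten `ExecStart` also drops `--daemon`, so a profile whose .conf still contains a `daemon` directive will fork away from the main PID and the `Type=notify` handshake will fail; a short comment in the unit saying that profiles for this template must not daemonize would save a support ticket.
```ini
[Service]
# … unchanged: Type, PrivateTmp, ExecStart …
# Restrictions mirrored from the upstream openvpn-server@.service; widen the
# bounding set only for plugins an instance actually loads.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
```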