| Age | Commit message (Collapse) | Author |
|---|
|
Change-Id: Ic377958d303b1dcfa9d877d3a63ecf39bdff7aef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240315170054.2368254-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/58749316/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The systemd unit files for both client and server were referencing
outdated documentation as they were hard-coded to the OpenVPN 2.4.x
release branch.
Github: closes OpenVPN/openvpn#457
Change-Id: Iee289aa5df9ee0e9a03c0dc562e45dd39836e794
Signed-off-by: Christoph Schug <com+github@schug.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240308140346.4058419-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28369.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Change-Id: If825e5b1ebc6eecc9e5398f0d8274927b53e5b83
Signed-off-by: Martin Rys <martin@rys.pw>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240304163313.2326923-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28318.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
On Linux, when dropping privileges, interaction with
the network configuration, such as tearing down routes
or ovpn-dco interfaces will fail when --user/--group are
used.
This patch sets the CAP_NET_ADMIN capability, which grants
the needed privileges during the lifetime of the OpenVPN
process when dropping root privileges.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Reviewed-By: David Sommerseth <davids@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220514103717.235-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24360.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Found this when trying to build the Debian package
twice in a row. Which failed since then there were
additional files.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220726083313.14067-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24740.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Update performed by means of: dev-tools/update-copyright.sh
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Update the update-copyright script to include more contributors as well
as correcting a few typos
- Correct a copyright address in the source code to now used address
(dazo)
- Update copyright year to 2021
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net
URL: https://sourceforge.net/p/openvpn/mailman/message/37299719/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Linux packaging is quite a comprehensive task these days, with many
Linux distributions and each with their own packaging guidelines. In
addition OpenVPN is packaged for most important Linux distributions
already.
The OpenVPN developers is not capable of keeping track of how all the
various recommend packaging guidelines evoloves and our RPM build
process is no longer consistent with guidelines from Fedora, RHEL or
SUSE packaging. We also don't receive any updates improving this
situation. Most likely due to packaging being handled fairly well by
the Linux distributions directly.
In addition comes systemd into play, which more and more Linux
distributions embraces - and even our own RPM openvpn.spec file didn't
account for that move.
This removes all RPM related packaging files and updates the INSTALL
file with pointers to several popular Linux distributions with
accessible information of the OpenVPN packages they provide. Linux
distributions is most likely much better at keeping the packaging
up-to-shape much better than we.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20190220131906.22970-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
New patch, omitted changes to copyrights/licenses & changelog.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190123201717.15048-1-jonathan@reliablehosting.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18177.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In RHEL 7 /etc/sysconfig/network is no longer used (still there but
empty). This results in the following error when openvpn starts:
Dec 20 09:01:25 localhost openvpn: /etc/rc.d/init.d/openvpn:
line 94: [: =: unary operator expected
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <c042fd01f62d707477c37e0298e303f1@vdberg.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18057.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Auth_pam will require audit writes or the connection will be rejected
as the plugin fails to initialize like:
openvpn[1111]: sudo: unable to send audit message
openvpn[1111]: sudo: pam_open_session: System error
openvpn[1111]: sudo: policy plugin failed session initialization
See links from https://community.openvpn.net/openvpn/ticket/918 for
more.
auth_pam is a common use case and capabilties for it should be allowed
by the .service file.
Fixes: #918
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20180829142715.417-2-christian.ehrhardt@canonical.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The autumn of 2017, OpenVPN Technologies, Inc changed name to just
OpenVPN Inc. Otherwise, extend the copyright to cover 2018 as well.
With the exception of the company name change, all changes have been
performed by the dev-tools/update-copyright.sh script.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180131140314.11103-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16418.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This new README file describes how to use the new
openvpn-client@.service and openvpn-server@.service unit files properly.
The purpose of this file is primarily for all systemd based
distributions to have a common set of documentation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170327221620.24639-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Systemd supervises services it has started and can act upon unexpected
scenarios. This change will restart OpenVPN after 5 seconds if the OpenVPN
process exits unexpectedly.
The on-failure mode is the recommended mode by upstream systemd.
This change have been tested on a test server for some month, and it
works indeed as intended when provoking the OpenVPN process to stop.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170906235202.26551-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15370.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
By default, when systemd is stopping OpenVPN it will send the SIGTERM
to all processes within the same process control-group. This can come
as a surprise to plug-ins which may have fork()ed out child processes.
So we tell systemd to only send the SIGTERM signal to the main OpenVPN
process and let OpenVPN take care of the shutdown process on its own.
If the main OpenVPN process does not stop within 90 seconds (unless
changed), it will send SIGKILL to all remaining processes within
the same process control-group.
This issue have been reported in both Debian and Fedora.
Trac: 581
Message-Id: <20170906234705.26202-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
[DS: Applied lazy-ack policy]
|
|
ProtectSystem=true mounts the /usr and /boot directories read-only.
ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.
See systemd.exec(5) [0] for details.
v2: Replace ProtectSystem=strict with ProtectSystem=true. Some
configurations may want to write to /etc or the like.
[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161227221832.610-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13743.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.
So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and its content.
As /run is volatile we do not have to care about cleanup.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-2-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-1-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482350454-27280-2-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13653.html
|
|
We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.
v2: Update commit message about script and command line.
Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-By: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161201213104.5667-2-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-2-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
Notify systemd service manager when our initialization sequence
completed. This helps ordering services as dependencies can rely on vpn
being available.
v2: Add curly brackets (and indention) to block the else-part, msg()
call was non-conditional before.
v3: Move systemd header include from init.h to init.c.
Signed-off-by: Christian Hesse <mail@eworm.de>
Tested-By: Richard Bonhomme <fragmentux@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20161201213104.5667-1-list@eworm.de>
URL: http://www.mail-archive.com/search?l=mid&q=20161201213104.5667-1-list@eworm.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
There are several changes which allows systemd to take care of several
aspects of hardening the execution of OpenVPN.
- Let systemd take care of the process tracking directly, instead
of doing that via PID files
- Make systemd prepare proper runtime directories for the OpenVPN
process.
- Let systemd do the chdir() before starting OpenVPN. This allows
us to avoid using the --cd option when executing openvpn.
- CAP_DAC_OVERRIDE was needed when using --chroot. Otherwise
the root user would not be allowed to access files/directories
not owned by root. This will change in the future, when we
find better ways to avoid calling chroot() in OpenVPN and
rather let systemd prepare a more isolated namespace.
- Client configurations are now started with --nobind and
the OpenVPN client process have lost the CAP_NET_BIND_SERVICE
capability which allows binding to port < 1024.
- Documentation URL now points at the OpenVPN 2.4 man page URL
The majority of these changes have been proposed by Elias Probst
(eliasp) in the GitHub PR #22.
v3 - Add ExecPreStart= to check if OpenVPN configuration contains
'daemon'. That can break the process tracking as we now use
Type=simple (default)
v2 - Change RuntimeDirectory= to a profile specific (client, server)
directory to avoid clashing with older distro unit files
Commit note: As this is not a critical security change, we apply this
without any formal ACKs. It has been thoroghly tested by
several users. See mailing list for details.
Contribution-by: Elias Probst <mail@eliasprobst.eu>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479122408-6867-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13039.html
|
|
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1417548862-24990-1-git-send-email-floppym@gentoo.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/9299
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
better
Systemd can delay starting a service if the network isn't fully available
yet. This feature is useful in client configurations, where OpenVPN will
not be started before the client can reach the Internet. It is the network
service manager which tells systemd if the system is "online" or not.
For server configurations, the OpenVPN should be able to be started,
regardless if the system is "online" or not. This is also the old
behaviour of most of the old init.d script and the last systemd unit file.
This patch splits the previous systemd unit file into to two files. One
which is aimed at clients (openvpn-client@.service) and one for server
configurations (openvpn-server@.service). These files will also pick
the configurations from different sub-directories. The unit file for
openvpn-client@ will use /etc/openvpn/client and the server unit file
will use /etc/openvpn/server. This also ensures that config files
are not started in the wrong manner.
The arguments given to the openvpn binary have also shifted order,
to ensure that some of them cannot be overridden by the config file,
such as --daemon and --writepid. For server configurations a
--status file is also added with the status format set to 2. This
can be overridden by the configuration file.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9222
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This is to encourage all Linux distributions to use a unified systemd
unit file.
This unit file also tries to reduce the capabilities of the running
openvpn process.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9043
|
|
The provided OpenVPN init scripts scan /etc/openvpn for *.conf and run
an OpenVPN process for each, and if a .sh script with the same base name
exists, this is run before openvpn. Change from running "$name.sh" to
"./$name.sh" - depending on the shell used, the script won't be found
otherwise, and ensuring that the script isn't searched in $PATH is the
right thing anyway.
Reported in trac #423
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1404804054-32424-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8858
|
|
As disucssed[1], keep plugins in repository.
1, Proper automake/libtool build.
2. Move example plugins to samples/sample-plugins.
3. Plugins are installed at LIBDIR/openvpn/plugins.
[1] http://comments.gmane.org/gmane.network.openvpn.devel/6436
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1337035323-27465-1-git-send-email-alon.barlev@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6591
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Purpose: make distro packager task simpler, more flexible to provide
more documentation without changing the packaging script.
Remove installation related documents from rpm as package already
installed when viewed.
+Workaround rpm bug[1].
[1] http://rpm.org/ticket/836
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1336849433-23066-1-git-send-email-alon.barlev@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6536
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1337034580-26987-2-git-send-email-alon.barlev@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6589
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1337034580-26987-1-git-send-email-alon.barlev@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6590
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Suitable for mature project.
root - administrative stuff
doc - documents
src - sources
tests - tests
distro - distro specific files
sample - samples
SIDE EFFECT: many changes to rpm spec.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
