Openvpn service

2021-03-04 16:40:00 +03:00 · 2021-03-04 16:40:00 +03:00 · 78b928156b
parent 3a7684ce66
commit 78b928156b
2 changed files with 57 additions and 0 deletions
--- a/etc/systemd/system/openvpn-client-netns@.service
+++ b/etc/systemd/system/openvpn-client-netns@.service
@ -0,0 +1,25 @@
+[Unit]
+Description=OpenVPN tunnel for %I namespace
+BindsTo=netns@%i.service
+After=network-online.target netns@%i.service
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/client
+Environment="NETNS_NAME=%i"
+ExecStart=/usr/sbin/openvpn --ifconfig-noexec --route-noexec --up "/usr/local/bin/netns-openvpn-script %i" --route-up "/usr/local/bin/netns-openvpn-script %i" --down "/usr/local/bin/netns-openvpn-script %i" --script-security 3 --suppress-timestamps --nobind --config %i.conf
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+#LimitNPROC=10
+#DeviceAllow=/dev/null rw
+#DeviceAllow=/dev/net/tun rw
+#ProtectSystem=true
+#ProtectHome=true
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
--- a/usr/local/bin/netns-openvpn-script
+++ b/usr/local/bin/netns-openvpn-script
@ -0,0 +1,32 @@
+#!/bin/sh
+NETNS_NAME=$1
+if [ -z $NETNS_NAME ]
+then
+    echo "NETNS_NAME is empty"
+    exit 1
+fi
+
+ns=$NETNS_NAME
+case $script_type in
+        up)
+                #ip netns add $ns
+                #ip netns exec $ns ip link set dev lo up
+                ip link set dev "$2" up netns $ns mtu "$3"
+                ip netns exec $ns ip addr add dev "$2" \
+                        "$5/${ifconfig_netmask:-30}" \
+                        ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
+                if [ -n "$ifconfig_ipv6_local" ]; then
+                        ip netns exec $ns ip addr add dev "$2" \
+                                "$ifconfig_ipv6_local"/112
+                fi
+                ;;
+        route-up)
+                ip netns exec $ns ip route add default via "$route_vpn_gateway"
+                if [ -n "$ifconfig_ipv6_remote" ]; then
+                        ip netns exec $ns ip route add default via \
+                                "$ifconfig_ipv6_remote"
+                fi
+                ;;
+        down)
+                ;;
+esac