On 01/02/16 18:37, Simon Déziel wrote:
> I just checked on 14.04 and 16.04 and the init script automatically adds
> "--script-security 2" unless the VPN config contains a script-security
> directive.
>
> Problem is that since the switch to systemd, the init script is no
> longer used and the daemon is used like this:
>
> $ systemctl cat openvpn@.service | grep ^ExecStart
> ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
>
> This probably breaks setups relying on "--script-security 2" like yours.
> Could you try adding "script-security 2" to /etc/openvpn/infra.conf and
> see if it helps?
Yes, it solves the problem. I thought I reported that before. The
problem is the migration mechanism that has to be corrected. The way I
used "--script-security 2" was the one put forward in the official doc.
The problem shall be the same for the migration 14.04 -> 16.04 (I presume).
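
The gap described in this thread can be checked for before or after migrating to the systemd unit. This is an added example, not part of the original messages or of the openvpn package: it lists configs that invoke a script hook but carry no script-security directive, which the old init script would have supplied with "--script-security 2". The function names and the hook list are assumptions of this example; the /etc/openvpn/*.conf layout is taken from the ExecStart line quoted above.

```shell
#!/bin/sh
# Added example: find OpenVPN configs that relied on the init script's
# implicit "--script-security 2" and will lose it under openvpn@.service.

# OpenVPN directives that make the daemon run an external command
# (assumed list for this example).
HOOKS='up|down|ipchange|route-up|route-pre-down|tls-verify|auth-user-pass-verify|client-connect|client-disconnect|learn-address'

# needs_script_security FILE
# Returns 0 when FILE uses a script hook and has no script-security directive.
needs_script_security() {
    conf=$1
    # Match only active directives: commented lines (# or ;) do not match,
    # and the trailing-space/EOL guard skips options such as up-delay.
    grep -Eq "^[[:space:]]*($HOOKS)([[:space:]]|\$)" "$conf" || return 1
    # Same rule the init script applied: an explicit directive wins.
    grep -Eq '^[[:space:]]*script-security([[:space:]]|$)' "$conf" && return 1
    return 0
}

# audit_dir DIR
# Prints one affected config path per line.
audit_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if needs_script_security "$conf"; then
            printf '%s\n' "$conf"
        fi
    done
}

# Default to the directory used by the unit's --cd /etc/openvpn.
audit_dir "${1:-/etc/openvpn}"
```

Each path printed is a config that needs an explicit "script-security" line, set to the lowest level its scripts actually require.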