Opened 5 years ago

Last modified 5 years ago

#945 accepted Bug / Defect

systemd: LimitNPROC too low, wrong knob

Reported by: berni
Owned by: David Sommerseth
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


This has been originally reported to Debian at There is a way to reproduce this inside the bug report. Basically you need to start several instances that run code as non-root.

Since the very first version of the systemd unit it contains the setting


according to systemd.exec this translates to "ulimit -u".

Even if set in the systemd unit this seems to translate to a generic "limit the number of processes per UID on the whole system" thing, which is certainly not the thing the author had in mind.

Change History (3)

comment:1 Changed 5 years ago by tct

CC for systemd

comment:2 Changed 5 years ago by Gert Döring

Owner: set to David Sommerseth
Status: new → assigned

comment:3 Changed 5 years ago by David Sommerseth

Status: assigned → accepted

I've chimed into the Debian bug tracker with some background information on why we added LimitNPROC=.

This needs to be improved, but I don't think removing it is the right approach (it is the quickest workaround though, which does sacrifice some security aspects). So my current proposal is to increase the LimitNPROC= somewhat (somewhere between 30-50 processes) but with improved documentation on how to further adjust this value via systemctl edit openvpn-{client,server}@.service.
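
An added example, not part of the ticket or of OpenVPN's code: a Python check for the behaviour the report describes, where the limit set by LimitNPROC= (RLIMIT_NPROC, "ulimit -u") is compared against every task owned by the same real UID on the system rather than per unit. The PIDs, UID 65534 and the limit of 10 in SAMPLE are constructed values, and the function names are this example's own.

```python
import os
import re
from collections import Counter

def parse_status(text):
    """Return (real_uid, threads) from the text of /proc/<pid>/status."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    return int(fields["Uid"].split()[0]), int(fields["Threads"])

def parse_nproc_soft(text):
    """Soft 'Max processes' value from /proc/<pid>/limits; None if unlimited."""
    m = re.search(r"^Max processes\s+(\S+)", text, re.M)
    return None if not m or m.group(1) == "unlimited" else int(m.group(1))

def at_risk(procs):
    """procs: (pid, real_uid, threads, soft_limit) tuples.
    Return pids whose next fork()/clone() would fail with EAGAIN: RLIMIT_NPROC
    is compared against every task owned by the real UID, system-wide."""
    per_uid = Counter()
    for _, uid, threads, _ in procs:
        per_uid[uid] += threads
    # Real UID 0 is exempt from the check, so skip it.
    return sorted(pid for pid, uid, _, lim in procs
                  if lim is not None and uid != 0 and per_uid[uid] >= lim)

def scan_proc(root="/proc"):
    """Collect the tuples for at_risk() from a live Linux /proc."""
    out = []
    for name in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{name}/status") as s, open(f"{root}/{name}/limits") as l:
                uid, threads = parse_status(s.read())
                out.append((int(name), uid, threads, parse_nproc_soft(l.read())))
        except (OSError, KeyError, ValueError):
            continue  # process exited or is not readable by us
    return out

# Constructed sample: three instances under one unprivileged UID, limit 10 each.
SAMPLE = [(101, 65534, 4, 10), (102, 65534, 4, 10), (103, 65534, 2, 10),
          (200, 1000, 3, None)]

if __name__ == "__main__":
    print("constructed sample, at risk:", at_risk(SAMPLE))
    print("this host, at risk:", at_risk(scan_proc()))
```

In the constructed sample no single instance has more than four tasks, yet all three are at the limit because their task counts are summed per UID.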
