Changes between Version 20 and Version 21 of UnprivilegedUser


Timestamp:
12/05/23 18:11:23 (5 months ago)
Author:
grzeg0rz
Comment:

Updates to the rootless openvpn in podman section - updates in configuration to match recent openvpn updates, ensuring this section of the article results in a functional installation

  • UnprivilegedUser

    v20 v21  
    300300
    301301[Link]
    302 MTUBytes=1500
     302MTUBytes=1389
    303303EOF
    304304
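Review bot: `MTUBytes=1389` replaces 1500 with no explanation, while the OpenVPN config in this same revision carries `link-mtu 1442` with a comment that it was "manually calculated". State in the article how 1389 was derived (which outer-path MTU and which encapsulation overhead were subtracted) and how it relates to `link-mtu 1442`, so that a reader who changes one value knows the other must be recomputed to stay consistent.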
     
    319319tls-auth /server/ssl/ta.key 0
    320320server 10.254.254.0 255.255.255.0
     321client-config-dir /server/ccd
     322status /server/status/openvpn-status.log
     323log-append  /server/status/openvpn.log
     324explicit-exit-notify 1
     325ccd-exclusive
     326# Below was manually calculated, since openvpn is not allowed to update tun device
     327link-mtu 1442
     328ifconfig-noexec
    321329}}}
    322330
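Review bot: `ccd-exclusive` together with `client-config-dir /server/ccd` makes OpenVPN refuse any client that has no file in `/server/ccd` named after its certificate CN, and `status /server/status/openvpn-status.log` plus `log-append /server/status/openvpn.log` require `/server/status` to exist and be writable by the openvpn user inside the container. The hunk adds the directives but nothing visible creates `/server/ccd` or `/server/status`; add the mkdir/chown steps (and one example ccd file) to the article, or drop `ccd-exclusive` if per-client files are not intended. The comment above `link-mtu 1442` should also spell out the calculation so it can be redone when the host MTU changes.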
     
    335343User=openvpn
    336344Group=openvpn
     345
    337346DeviceAllow=/dev/null rw
    338347DeviceAllow=/dev/net/tun rw
    339348DeviceAllow=/dev/fuse rw
     349
    340350WorkingDirectory=/opt/openvpn
    341 ExecStart=/usr/bin/podman run --rm --name openvpn -v /opt/openvpn/server:/server --network="host" -p 37898:37898 --device /dev/net/tun --device /dev/null archlinux:latest /usr/bin/bash /server/entrypoint.sh
     351
     352ExecStartPre=/usr/bin/bash -c 'if [ -n "$(podman ps | grep openvpn | head -n 1)" ]; then podman stop -t 0 -i openvpn; fi'
     353ExecStartPre=/usr/bin/bash -c 'if [ -n "$(podman ps -a | grep openvpn | head -n 1)" ]; then podman rm -i openvpn; fi'
     354ExecStart=/usr/bin/podman run --rm --name openvpn -v /opt/openvpn/server:/server -v /run/systemd/resolve/resolv.conf:/etc/resolv.conf --network="host" -p 37898:37898 --device /dev/net/tun --device /dev/null archlinux:latest /usr/bin/bash /server/entrypoint.sh
     355
    342356ExecStop=/usr/bin/podman stop -t 0 openvpn
    343357ProtectSystem=true
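Review bot: the two new `ExecStartPre` guards use `podman ps | grep openvpn`, which matches the substring anywhere in the output (the image column, or another container whose name merely contains "openvpn"), so an unrelated container could be stopped or removed. Use an exact-name filter such as `podman ps -q --filter name=^openvpn$`, or simply `podman container exists openvpn`. Also, `-p 37898:37898` has no effect alongside `--network="host"` (Podman discards port mappings in host network mode), so it can be dropped from the new `ExecStart`; and the added `-v /run/systemd/resolve/resolv.conf:/etc/resolv.conf` mount assumes systemd-resolved is running on the host, which the article should state as a prerequisite.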
     
    358372
    359373pacman -Sy --noconfirm openvpn net-tools nano
    360 
    361 # we have done all required network configuration so openvpn does not have to
    362 cp -p /usr/bin/ip /usr/bin/ip.bak
    363 echo "#!/bin/bash" > /usr/bin/ip
    364 echo 'echo "$@" >> /tmp/ip_res' >> /usr/bin/ip
    365 echo "exit 0" >> /usr/bin/ip
    366 chmod ugo+x /usr/bin/ip
    367 
    368 openvpn --cd /server --config /server/server.conf
     374openvpn --cd /server --config /server/openvpn.conf
    369375
    370376EOF
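Review bot: the `openvpn` invocation now reads `/server/openvpn.conf` instead of `/server/server.conf`, so the earlier part of the article that writes the server configuration must use the new file name as well, or the container fails at startup with a missing config file; please confirm that section was updated in this revision. Removing the fake `/usr/bin/ip` wrapper is consistent with the new `ifconfig-noexec` directive. The unchanged `pacman -Sy --noconfirm ...` line is worth a follow-up: `-Sy` without `-u` installs packages against a refreshed database on top of a possibly older `archlinux:latest` base, and `pacman -Syu --noconfirm ...` avoids that partial-upgrade state.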