What is the purpose of OpenVPN's /etc/openvpn/{client,server} directories?
Ubuntu/Debian OpenVPN package contains 2 mysterious directories:
dpkg -L openvpn
...
/etc/openvpn/client
/etc/openvpn/server
...
I'm wondering what is the purpose of those directories? All tutorials advise placing files directly in /etc/openvpn/, and init/systemd scripts also pick config files from there.
Chroot? But then, why 2?
Solution 1:
In v2.4 they introduced new systemd service profiles tailored for client resp. server applications.
As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a fine grained control of each OpenVPN configuration as well as trying to restrict the capabilities the OpenVPN process have on a system.
These new unit files separates between client and server profiles. The configuration files are kept in separate directories, to provide clarity of the profile they run under.
Typically the client profile cannot bind to any ports below port 1024 and the client configuration is always started with --nobind.
source
It remains backward compatible, i.e. you can still store your .conf file in /etc/openvpn.
If your configuration is in /etc/openvpn/MyVpn.conf, use systemctl start openvpn@MyVpn to start the service.
If your configuration is in /etc/openvpn/client/MyVpn.conf, use systemctl start openvpn-client@MyVpn to start the service.
If your configuration is in /etc/openvpn/server/MyVpn.conf, use systemctl start openvpn-server@MyVpn to start the service.
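As an added illustration (not part of the answer above and not OpenVPN's own tooling), this shell helper maps a configuration path to the unit instance name listed above and refuses paths that fit none of the three locations. The function names and the OVPN_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Map an OpenVPN config path to the systemd unit instance that starts it,
# following the directory layout described above. OVPN_ROOT is an assumption
# of this example so the logic can be exercised outside /etc/openvpn.
OVPN_ROOT="${OVPN_ROOT:-/etc/openvpn}"

ovpn_unit_for() {
    path=$1
    case "$path" in
        *.conf) ;;                        # only <instance>.conf files are considered
        *) return 1 ;;
    esac
    rel=${path#"$OVPN_ROOT"/}
    [ "$rel" != "$path" ] || return 1     # path is not under OVPN_ROOT
    name=${rel##*/}
    name=${name%.conf}                    # instance name carries no .conf suffix
    case "$rel" in
        client/*/*|server/*/*) return 1 ;;    # nested paths are not mapped here
        client/*) echo "openvpn-client@$name" ;;
        server/*) echo "openvpn-server@$name" ;;
        */*)      return 1 ;;                 # any other subdirectory
        *)        echo "openvpn@$name" ;;     # legacy location, still supported
    esac
}

# List every config under OVPN_ROOT next to the unit that would start it.
ovpn_list_units() {
    for f in "$OVPN_ROOT"/*.conf "$OVPN_ROOT"/client/*.conf "$OVPN_ROOT"/server/*.conf; do
        [ -f "$f" ] || continue           # skip globs that matched nothing
        unit=$(ovpn_unit_for "$f") || continue
        printf '%s\t%s\n' "$unit" "$f"
    done
}
```

Running ovpn_list_units on a host shows at a glance which configurations run under the restricted client or server profiles and which still use the legacy openvpn@ unit.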
Solution 2:
I'm unable to post a comment above in response to 3dGrabber's answer since my reputation in this neck of the SE woods is too low. I wanted to point out a mistake in said answer for those who come via searching so they aren't left scratching their heads when this fails somewhat cryptically.
systemctl start [email protected]
should be:
systemctl start openvpn-client@MyVpn
and
systemctl start [email protected]
should be:
systemctl start openvpn-server@MyVpn
The .service suffix was likely mistaken from the file that's created upon systemctl enable ...