Hello,

Thanks for updating the discussion and for posting the solution that fits your needs.

> So not sure the issue can be attributed to the openvpn upgrade or not, but the change appears to be some lines removed from
> Code:
> /lib/systemd/system/openvpn-server@.service
> these were the lines I had to put back in
> Code:
> [Service]
> ExecStartPost=/etc/openvpn/server/add-bridge.sh
> ExecStopPost=/etc/openvpn/server/remove-bridge.sh

If my reading of the Debian git repository is correct, the two lines above were never removed in openvpn-server@.service; they were simply not in openvpn-server@.service at all:
Code:
$ git clone https://salsa.debian.org/debian/openvpn.git$ cd openvpn/distro/systemd/$ git log -p -- openvpn-server@.service.incommit e3ecb42b0c1fcac7e5004301e370f1781f482b6a (tag: upstream/2.6.0_git20220811)Author: Bernhard Schmidt <berni@debian.org>Date: Thu Aug 11 16:02:47 2022 +0200 New upstream version 2.6.0~git20220811diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.inindex d1cc72c..6e8e7d9 100644--- a/distro/systemd/openvpn-server@.service.in+++ b/distro/systemd/openvpn-server@.service.in@@ -11,7 +11,7 @@ Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rwcommit 87356242baf10c8b2a94d9013e436ed2a0dada53 (tag: upstream/2.4.7)Author: Bernhard Schmidt <berni@debian.org>Date: Wed Feb 20 14:11:46 2019 +0100 New upstream version 2.4.7diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.inindex a8366a0..d1cc72c 100644--- a/distro/systemd/openvpn-server@.service.in+++ b/distro/systemd/openvpn-server@.service.in@@ -11,7 +11,7 @@ Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT 
CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rwcommit a6daf938f5f616a4a67caa6580b0c99e9a8c3779 (tag: upstream/2.4.4)Author: Jörg Frings-Fürst <debian@jff-webhosting.net>Date: Mon Oct 2 06:57:04 2017 +0200 New upstream version 2.4.4diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.inindex 9a8a2c7..a8366a0 100644--- a/distro/systemd/openvpn-server@.service.in+++ b/distro/systemd/openvpn-server@.service.in@@ -17,6 +17,9 @@ DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true ProtectHome=true+KillMode=process+RestartSec=5s+Restart=on-failure [Install] WantedBy=multi-user.targetcommit 9683f890944ffb114f5f8214f694e0b339cf5a5a (tag: upstream/2.4.3)Author: Alberto Gonzalez Iniesta <agi@inittab.org>Date: Thu Jun 22 13:16:46 2017 +0200 New upstream version 2.4.3diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.innew file mode 100644index 0000000..9a8a2c7--- /dev/null+++ b/distro/systemd/openvpn-server@.service.in@@ -0,0 +1,22 @@+[Unit]+Description=OpenVPN service for %I+After=syslog.target network-online.target+Wants=network-online.target+Documentation=man:openvpn(8)+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO++[Service]+Type=notify+PrivateTmp=true+WorkingDirectory=/etc/openvpn/server+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE+LimitNPROC=10+DeviceAllow=/dev/null rw+DeviceAllow=/dev/net/tun rw+ProtectSystem=true+ProtectHome=true++[Install]+WantedBy=multi-user.target
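Review bot: no justification accompanies the CAP_SETPCAP added to CapabilityBoundingSet= in the 2.6.0 hunk (`+CapabilityBoundingSet=... CAP_SETPCAP ...`), and the same applies to CAP_AUDIT_WRITE in the 2.4.7 hunk; since this line is the privilege ceiling for the daemon, each capability granted should carry a one-line note in the unit or the changelog saying which OpenVPN feature needs it, so a later maintainer can tell whether it may be dropped again.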
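Review bot: the 2.4.4 hunk's `+Restart=on-failure` and `+RestartSec=5s` make systemd re-run ExecStart= and any ExecStartPost= after every crash, and `+KillMode=process` leaves helper processes the service forked running across a stop; a hook such as the add-bridge.sh quoted in this thread, which unconditionally runs `iptables -A`, would therefore append a duplicate FORWARD and POSTROUTING rule on each restart. Hooks attached to this unit should check with `iptables -C` before adding a rule, and the unit should document that ExecStartPost=/ExecStopPost= hooks must be idempotent.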
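Review bot: `+After=syslog.target` in the new-file hunk orders the unit after a target that current systemd releases no longer provide, so that dependency is dead weight and can be dropped. The unit as introduced here also carries no ExecStartPost=/ExecStopPost= lines, which supports the reading that the add-bridge.sh/remove-bridge.sh hooks were always a local addition; such an addition belongs in a drop-in under /etc/systemd/system/openvpn-server@.service.d/ rather than in /lib/systemd/system, where the next package upgrade replaces the file.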
> I had followed instructions from https://www.server-world.info/en/note?os=Debian ... penvpn&f=1

If I understand correctly, the "add-bridge.sh" and "remove-bridge.sh" scripts are custom-made and they enable/disable packet forwarding from the openvpn tun0 interface to the local network interface (enp1s0 in the example below); in detail:
Code:
root@dlp:~# vi /etc/openvpn/server/add-bridge.sh
#!/bin/bash
# network interface which can connect to local network
IF=enp1s0
# interface VPN tunnel uses
# for the case of this example like specifying [tun] on the config, generally this param is [tun0]
VPNIF=tun0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i ${VPNIF} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${IF} -j MASQUERADE
and:
Code:
root@dlp:~# vi /etc/openvpn/server/remove-bridge.sh
#!/bin/bash
# network interface which can connect to local network
IF=enp1s0
# interface VPN tunnel uses
# for the case of this example like specifying [tun] on the config, generally this param is [tun0]
VPNIF=tun0
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -D FORWARD -i ${VPNIF} -j ACCEPT
iptables -t nat -D POSTROUTING -o ${IF} -j MASQUERADE
Did you configure the packet routing in openvpn configuration?
Statistics: Posted by Aki — 2023-12-28 10:04
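As an added example (not the server-world.info scripts quoted above, and not part of Debian's openvpn package), here is a single bridge script for ExecStartPost=/ExecStopPost= that is safe to run repeatedly: it checks each rule before adding it, so a service restart cannot stack duplicates, and it restores the previous ip_forward value instead of forcing it to 0. The interface names enp1s0/tun0, the state-file path and the iptables command are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Constructed example: one idempotent script replacing add-bridge.sh/remove-bridge.sh.
# Assumed names (override via environment): LAN interface enp1s0, tunnel tun0.
set -u
IF="${IF:-enp1s0}"
VPNIF="${VPNIF:-tun0}"
IPT="${IPT:-iptables}"                               # command used for every rule change
IPFWD="${IPFWD:-/proc/sys/net/ipv4/ip_forward}"      # sysctl file that is toggled
STATE="${STATE:-/run/openvpn-bridge.ipfwd.prev}"     # remembers the pre-VPN value (assumed path)

# The two rules from the original scripts, written once so add and remove cannot drift.
fwd_rule() { echo "FORWARD -i $VPNIF -j ACCEPT"; }
nat_rule() { echo "POSTROUTING -o $IF -j MASQUERADE"; }

# Append a rule only when -C (check) reports it absent, so a restart never duplicates it.
# $2 is deliberately unquoted: it is one rule spec that must be split into words.
ensure_rule() {
    "$IPT" -t "$1" -C $2 2>/dev/null || "$IPT" -t "$1" -A $2
}
# Delete every copy of a rule; an already-absent rule is not an error at stop time.
drop_rule() {
    while "$IPT" -t "$1" -C $2 2>/dev/null; do "$IPT" -t "$1" -D $2; done
}

bridge_up() {
    [ -f "$STATE" ] || cat "$IPFWD" > "$STATE"       # save the host's own setting once
    echo 1 > "$IPFWD"
    ensure_rule filter "$(fwd_rule)"
    ensure_rule nat "$(nat_rule)"
}

bridge_down() {
    drop_rule filter "$(fwd_rule)"
    drop_rule nat "$(nat_rule)"
    # Restore the saved value rather than writing 0, which would also disable any
    # forwarding the host relied on before the VPN came up.
    if [ -f "$STATE" ]; then cat "$STATE" > "$IPFWD"; rm -f "$STATE"; fi
}

case "${1:-}" in                # ExecStartPost=/etc/openvpn/server/bridge.sh up
    up)   bridge_up ;;          # ExecStopPost=/etc/openvpn/server/bridge.sh down
    down) bridge_down ;;
esac
```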