Arch Linux

There is  FS#6231  with a similar request. Also openvpn related  FS#5562 

Your initscript doesn't handle TAP interfaces (this is needed for network bridging). I've created a proper rc.d script. It still outputs a bit too much when restarting, but it's the way to go.

Thanks for adding this, Glenn. I use openvpn with a TUN interface, so that's why I overlooked it.

I was about to add the init script contributed by Guillermo in  FS#6231 , but it doesn't handle tap interfaces either. The tarball contains some init examples for gentoo, suse, etc, and they all suggest the use of a separate script for any commands that need to be run before openvpn is started i.e. for any foo.conf in /etc/openvpn, run foo.sh if it exists, then start openvpn. The given example has openvpn --mktun... as a typical use of this script. I'm inclined to go with that option, as it will keep the init script cleaner.

I currently use openvpn as a client only, so I'd appreciate any additional input on this. If necessary, however, I will put something together myself - it will be going to [testing] first anyway.

Gentoo example attached.

I wrote my own because I think the previous scripts are too complex. For example the one in  FS#6231  does way too many things like setting ip_forward on its own (potentially dangerous). My script is better because it leaves the responsibility to the parts that are supposed to be responsible for them. In my scripts, if you wanted to created a bridged VPN server, you would

* Put tun in MODULES in rc.conf
* Set ip_forward in /etc/sysctl.conf if appropriate (I don't think this is even needed for bridging?)
* use conf.d/bridges to create a bridge
* set in in your conf.d/openvpn:
OPENVPN_TAP=(tap0)
* create an "up" script in /etc/openvpn with:
brctl addif NameOfTheBridge $1
ifconfig $1 up
* set in server.conf:
up /etc/openvpn/up

This sounds more logical than the other solutions, and it keeps rc.openvpn simple stupid.

I like where that's going, but we're still missing the ability to start multiple tunnels, as provided in both Guillermo's suggestion and the upstream example. Can you work that in?

darose - logrotate whould be welcome too, if you still feel like it. Or I could just do it myself. :)

Tomk: you can add multiple tunnels, OPENVPN_TAP is an array. So if you need multiple tunnels just do OPENVPN_TAP=(tap0 tap1) etc...

OK, but you're only passing one conf file from conf.d/openvpn, right? The alternatives can handle multiple conf files.

@tomk: hmmm ... I'm a bit swamped just now. (Employment matters have been vaulted into top priority lately.) I'm still willing to commit to doing the logrotate script, but I can't tell you just now when I'll be able to get to it. Whoever gets to it first, then, I guess.

Tomk: hmmm. I'll have a look at that how that can be cleanly implemented.

David (should have called you by name last time too) - no problem, those pesky employment matters have to come first, I suppose. :P

Glenn - as per the gentoo example, something like
for conf in $(ls /etc/openvpn/*.conf); do
openvpn --daemon ... --config $conf
done

Guillermo's does it with a vpnX array per conf in conf.d/openvpn, making it a fair bit more complicated in the process.

Ok, I've been thinking, what about something like this:

In conf.d:

vpn0="--daemon openvpn0 --config /etc/openvpn/server.conf"
vpn1="--daemon openvpn1 --config /etc/openvpn/server2.conf"

OPENVPNS=(vpn0 vpn1)

In rc.d:

for vpn in ${OPENVPNS[@]}; do
eval vpncfg="\$${vpn}"
/usr/sbin/openvpn ${vpncfg} & 2> /dev/null
echo $! > /var/run/openvpn/${vpn}.pid
done

I've written another script which manage different connection a-la-gentoo: create one symbolic link to the script for each config file. A symbolic link openvpn.<name> refer to /etc/openvpn/<name>.conf. It also load /etc/openvpn/<name>.sh if defined.

I found this FS entry because I too have been trying to fix the "openvpn has no rc script" problem, and have coded something up. The way I achieved the ability to start multiple tunnels is to look in /etc/openvpn and start an openvpn instance for every *.conf file there. I quite like the option of letting the script work it out rather than having to fiddle with /etc/conf.d/openvpn too much. If we think that the rc script is always going to daemonise openvpn, why have that as an option in the config file?

Grasping the moment, I've taken Glenn's code from the 7th December and added his TAP stuff to what I'd already written. So what I've got is a rc script that handles multiple tunnels, and tap without needing a /etc/conf.d/openvpn configuration - it just works it out. Does this suit what everyone is after?

Okay, this report is old, but I just got to fixing openvpn. All the scripts here are too complex, the rc.d script should only look for .conf files in /etc/openvpn and start/stop the appropriate daemons.

Setting up tap devices could be handled by a script that is called before the network script, so a tap device can be added to a bridge permanently. I will write something simple later.