archrelease: copy trunk to extra-x86_64
[arch-packages.git] / openvpn / repos / extra-x86_64 / 0001-unprivileged.patch
1 diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
2 index 159fb4dc..2277a7d9 100644
3 --- a/distro/systemd/openvpn-client@.service.in
4 +++ b/distro/systemd/openvpn-client@.service.in
5 @@ -11,6 +11,9 @@ Type=notify
6 PrivateTmp=true
7 WorkingDirectory=/etc/openvpn/client
8 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
9 +User=openvpn
10 +Group=network
11 +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
12 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
13 LimitNPROC=10
14 DeviceAllow=/dev/null rw
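Review bot: The added `AmbientCapabilities=` line copies the whole bounding set, so the process started as `User=openvpn` still holds CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_SYS_CHROOT and CAP_DAC_OVERRIDE. CAP_DAC_OVERRIDE bypasses file permission checks and CAP_SETUID allows a switch back to UID 0. Ambient capabilities also survive execve, so any `--up`/`--down` script or plugin the daemon runs inherits them, and the move away from root contains far less than it appears to. If the supported configs do not depend on OpenVPN's own `user`/`group`/`chroot` options, I would narrow the line to what tunnel setup needs, e.g. `AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW`, and make the material under /etc/openvpn/client readable through file ownership rather than CAP_DAC_OVERRIDE. The same applies to the openvpn-server@.service.in hunk (keeping CAP_NET_BIND_SERVICE there). The rest of the [Service] section is outside the hunk, so I cannot see whether `NoNewPrivileges=` is already set.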
15 diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
16 index 6e8e7d94..b2814e4b 100644
17 --- a/distro/systemd/openvpn-server@.service.in
18 +++ b/distro/systemd/openvpn-server@.service.in
19 @@ -11,6 +11,9 @@ Type=notify
20 PrivateTmp=true
21 WorkingDirectory=/etc/openvpn/server
22 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
23 +User=openvpn
24 +Group=network
25 +AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
26 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
27 LimitNPROC=10
28 DeviceAllow=/dev/null rw
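Review bot: `Group=network` makes a group that is not specific to OpenVPN the daemon's primary group, so files it creates, including the `--status %t/openvpn-server/status-%i.log` file named in ExecStart, become group-owned by `network`. The status file lists connected clients and their addresses, and this patch does not show which other accounts are members of that group. I would either use a dedicated group or add `UMask=0077` next to the new `User=`/`Group=` lines so that new files are not group-readable. The [Service] section continues outside the hunk, so an existing `UMask=` or `RuntimeDirectoryMode=` there may already cover this.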