Start a service after openvpn connection has been established using systemd

I like to provide services only via VPN for security reasons. That means a server only accepts connections to a service (e.g. imap, jabber) only from a vpn network and not coming from a really network device. Usually it this is easy to do by configuring a service to just listen on the vpn interface.

Unfortunately this creates a problem when starting up a machine. The vpn connection is usually established some time after the networking is established. The services that should listen on the vpn interface are usually started before the vpn service has setup the vpn connection. Most services fail to startup in that case because the interface they should bind to is not there (yet).

Systemd can be configured to start the services in the right order but I found it hard to find working advice for doing that. So this is the way.

  1. Create a copy of the .service-file responsible for the service you want to start after openvpn in /etc/systemd/system. This is required as you are not supposed to ever modify .service files in /usr/lib/systemd directly.

    cp /usr/lib/systemd/system/[yourService].service /etc/systemd/system

    Units found in /etc/systemd/system will overrule the units from /usr/lib/systemd/system
  2. You need to modify the copied service file in /etc/systemd/system. Place this lines in its [Unit] section:

    [Unit]
    Wants=sys-devices-virtual-net-tun0.device
    After=sys-devices-virtual-net-tun0.device

    Note: If there are already Wants or After directives in the file, place the sys-devices-virtual-net-tun0.device behind the existing directive seperated with a space. Wants and After accept multiple units but they must be space seperated.
    Note: This assumes that the vpn you want the service to wait creates the tun0 device. Systemd creates units files for network interfaces that show up. The lines above make systemd wait for tun0 to show up before it starts the modified service.

When you have enabled your service with “systemctl enable” it should now startup after the vpn connection has been established.

This should work with any vpn technology as long as you make sure to use the right device file. If your vpn is behind interface tun1 you should use sys-devices-virtual-net-tun1.device instead of sys-devices-virtual-net-tun0.device.

Advertisements

2 thoughts on “Start a service after openvpn connection has been established using systemd

  1. Hash DuOrden

    Thank you for info, I was tried really hard to find but I haven’t finished reading systemd documentation but already needed that for x11vnc socket service.
    But You don’t really need to copy service file to change only couple of strings, you can just create /etc/systemd/system/[yourService].service.d/[any_name].conf with contents:

    [Unit]
    Wants=sys-devices-virtual-net-tun0.device
    After=sys-devices-virtual-net-tun0.device

    And to add more than one “Wants” or “After” you not necessary need to list all of that in one line, you can include multiple lines of “Wants” or “After”.

    Reply
  2. Bill McGonigle

    Thanks for your posts Ruberb & Hash. I have some systems that need to bring up an openvpn ‘client’ before starting some openvpn ‘servers’ (the puppet templates depend on tun0 being the ‘phone home’ connection for monitoring and your solution works nicely for delaying the startup of the subsequent servers). For a reason I don’t yet understand, systemd will wait for sys-devices-virtual-net-tun0.device but won’t wait for openvpn@my-client-connection.service in Want/After. tun0 is just fine for my need, but I can imagine some others might need to reference connections symbolically.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s