Tag Archives: systemd

Start a service after openvpn connection has been established using systemd

I like to provide services only via VPN for security reasons. That means a server only accepts connections to a service (e.g. imap, jabber) only from a vpn network and not coming from a really network device. Usually it this is easy to do by configuring a service to just listen on the vpn interface.

Unfortunately this creates a problem when starting up a machine. The vpn connection is usually established some time after the networking is established. The services that should listen on the vpn interface are usually started before the vpn service has setup the vpn connection. Most services fail to startup in that case because the interface they should bind to is not there (yet).

Systemd can be configured to start the services in the right order but I found it hard to find working advice for doing that. So this is the way.

  1. Create a copy of the .service-file responsible for the service you want to start after openvpn in /etc/systemd/system. This is required as you are not supposed to ever modify .service files in /usr/lib/systemd directly.

    cp /usr/lib/systemd/system/[yourService].service /etc/systemd/system

    Units found in /etc/systemd/system will overrule the units from /usr/lib/systemd/system
  2. You need to modify the copied service file in /etc/systemd/system. Place this lines in its [Unit] section:

    [Unit]
    Wants=sys-devices-virtual-net-tun0.device
    After=sys-devices-virtual-net-tun0.device

    Note: If there are already Wants or After directives in the file, place the sys-devices-virtual-net-tun0.device behind the existing directive seperated with a space. Wants and After accept multiple units but they must be space seperated.
    Note: This assumes that the vpn you want the service to wait creates the tun0 device. Systemd creates units files for network interfaces that show up. The lines above make systemd wait for tun0 to show up before it starts the modified service.

When you have enabled your service with “systemctl enable” it should now startup after the vpn connection has been established.

This should work with any vpn technology as long as you make sure to use the right device file. If your vpn is behind interface tun1 you should use sys-devices-virtual-net-tun1.device instead of sys-devices-virtual-net-tun0.device.