
For general purposes it would be nice to know how to detect network changes and restart services - but my specific use case is wanting to restart sshd after my OpenVPN client connects. Without extensively reconfiguring the default services (which I want to avoid) it seems sshd starts immediately upon basic network services (which makes sense as the unit file contains After=network.target).

Also sshd specific - I don't want it listening to port 22 on the external interface. Initially I thought I could simply protect that via my firewall but since I found my firewall script wasn't running correctly...better to protect both ways. And yes, I already found the stupid error and fixed the firewall (for the record - needed to configure START_FIREHOL=yes in /etc/default/firehol).

It appears that if sshd is configured to listen on an explicit IP, but that IP isn't active, the listener will not be started nor automatically bind when the IP does go active. Since it's probably better to let sshd start any other valid listeners when it can rather than possibly not start at all I don't want to "require" the OpenVPN client to complete prior to sshd starting. Hence my challenge.

I found the "ipchange" setting in OpenVPN - but I couldn't get it to work with a brief effort and I'd rather have a more generic solution for future use anyway.

Any dependency I've tried against the OpenVPN client instance triggers too soon - the client unit shows as "started" even though it hasn't completed DHCP initialization. Which means the IP isn't active yet.

I'm not finding any documentation for systemd unit dependencies related to network interface statuses - so I'm asking for ideas.

Daniel Miller

1 Answer


I don't know if this is the best solution - but it's a working one.

Systemd automatically creates network device units when the interfaces are created/activated. In my case, as the first OpenVPN connection, the unit involved is "sys-devices-virtual-net-tun0.device". It appears that this unit counts as "started" when the IP is configured.

I don't find an explicit "restart" configuration setting for systemd units - so I created the following service:

openvpn-online.service

```ini
[Unit]
Description=Restart Network Services on VPN Connection
Conflicts=shutdown.target
Requires=openvpn-client@myclient.service sys-devices-virtual-net-tun0.device
BindsTo=openvpn-client@myclient.service sys-devices-virtual-net-tun0.device
After=openvpn-client@myclient.service sys-devices-virtual-net-tun0.device

[Service]
Type=oneshot
ExecStart=/bin/systemctl restart sshd
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

This feels...inelegant...but it works perfectly. Now sshd starts early then restarts upon the OpenVPN client completing DHCP.

Systemd also allows for multiple ExecStart= lines for oneshot units - so I can adjust this if needed for other services.

Daniel Miller
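
A check that can run after the restart unit above to confirm sshd ended up bound only to the VPN address, which is the goal stated in the question. This is an added example, not code from the original post; `tun0` comes from the answer, while the function names, the `--live` switch, and the sample `ip`/`ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify sshd's listeners after
# the restart on tun0. The addresses in the samples are constructed.

# Print the first IPv4 address found in `ip -o -4 addr show dev IFACE` output.
iface_ipv4() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Read `ss -Hltn` output on stdin and print every local address listening on
# port $1 that is not in the space-separated allow-list $2. Wildcard binds
# (0.0.0.0, [::], *) are reported unless explicitly allowed.
unexpected_listeners() {
    awk -v port="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            n = split($4, p, ":")
            if (p[n] != port) next
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            if (!(addr in ok)) print addr
        }'
}

# Constructed sample inputs so the functions can be exercised offline.
SAMPLE_IP='5: tun0    inet 10.8.0.6/24 brd 10.8.0.255 scope global tun0'
SAMPLE_SS_WILDCARD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.8.0.6:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'
SAMPLE_SS_VPN_ONLY='LISTEN 0 128 10.8.0.6:22 0.0.0.0:*'

# Hypothetical live check: fails if the interface has no address yet or if
# anything other than the VPN address is listening on the SSH port.
check_live() {
    iface=${1:-tun0}; port=${2:-22}
    vpn_ip=$(ip -o -4 addr show dev "$iface" | iface_ipv4)
    [ -n "$vpn_ip" ] || { echo "$iface has no IPv4 address yet" >&2; return 1; }
    bad=$(ss -Hltn | unexpected_listeners "$port" "$vpn_ip")
    [ -z "$bad" ] || { echo "port $port also bound on: $bad" >&2; return 2; }
    echo "port $port is bound only on $vpn_ip ($iface)"
}

if [ "${1:-}" = "--live" ]; then check_live "${2:-tun0}" "${3:-22}"; fi
```

Run with `--live tun0 22` on the host itself; a non-zero exit means either the tunnel has no address yet or the SSH port is still reachable on another address.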