Can't make it work via systemd service #3

Open
GentleHoneyLover opened this issue Apr 18, 2018 · 3 comments

Comments

@GentleHoneyLover

Thx for the great script! One question: what is the correct way to run this script via a systemd service (I'm running Ubuntu 16.04)?

When I issue the following command in a terminal, everything works as expected: a namespace is created and an openvpn tunnel is successfully running within it.

openvpn --ifconfig-noexec --route-noexec --setenv NETNS "vpn-ns" --up /opt/openvpn-netns/openvpn-scripts/netns --route-up /opt/openvpn-netns/openvpn-scripts/netns --down /opt/openvpn-netns/openvpn-scripts/netns --daemon ovpn-de9 --status /run/openvpn/de9.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/de9.conf --writepid /run/openvpn/de9.pid

However, when I try to run the same via a systemd service at boot, the service starts and runs, but when I try to run anything in the namespace I get the following:

RTNETLINK answers: Invalid argument
setting the network namespace "vpn-ns" failed: Invalid argument

When I do sudo ip netns list I get this:

RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
vpn-ns

Here's the systemd service file I'm using (which is a modification of the standard service file that comes with the openvpn package on Ubuntu 16.04):

[Unit]
Description=OpenVPN connection to %i
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --ifconfig-noexec --route-noexec --setenv NETNS "vpn-ns" --up /opt/openvpn-netns/openvpn-scripts/netns --route-up /opt/openvpn-netns/openvpn-scripts/netns --down /opt/openvpn-netns/openvpn-scripts/netns --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

What am I doing wrong? Your help would be greatly appreciated!

@GentleHoneyLover

GentleHoneyLover commented May 13, 2018

I finally got it to work with the following service file (in my case, the netns script was symlinked into /usr/local/sbin/).

[Unit]
Description=OpenVPN inside network namespace to %i
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/run/openvpn/%i.pid
WorkingDirectory=/etc/openvpn/
ExecStart=/usr/sbin/openvpn --ifconfig-noexec --route-noexec --setenv NETNS vpn-ns --up /usr/local/sbin/netns --route-up /usr/local/sbin/netns --down /usr/loca$
Restart=on-failure
RestartSec=3

[Install]
WantedBy=multi-user.target

Now, the VPN starts within a network namespace automatically at boot. Then I start the deluge daemon in the namespace (under user "deluge") the following way:

/sbin/ip netns exec vpn-ns sudo -u deluge /usr/bin/deluged -d

My problem is that now I cannot figure out how to connect to the daemon from the deluge web UI (previously the daemon was reachable at 127.0.0.1:58846).

@lebomb44

Hi, see my script:
https://github.com/lebomb44/osmc/blob/develop/osmc.txt

I use nginx to route the port to the VPN namespace using a point-to-point internal network.
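An added example (it is not code from this repository or from any of the commenters) of the point-to-point link described in the previous comment, which also answers the reachability question two comments up: a network namespace has its own loopback, so a daemon listening on 127.0.0.1 inside vpn-ns is invisible to the host. The script below builds a veth pair between the root namespace and vpn-ns so the daemon is reachable from the host at the namespace-side address instead of 127.0.0.1:58846. The namespace name vpn-ns and port 58846 come from the thread; the interface names veth-vpn0/veth-vpn1, the 10.200.1.0/24 addresses and the use of nc for the check are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own script. Creates a veth pair into an
# existing network namespace (vpn-ns from the thread) so a daemon inside it can
# be reached from the host over a private point-to-point address. Interface
# names and addresses below are assumptions; change them to suit the host.
set -eu

NS="${NS:-vpn-ns}"                          # namespace created by the openvpn --up script
HOST_IF="${HOST_IF:-veth-vpn0}"             # assumed name, stays in the root namespace
NS_IF="${NS_IF:-veth-vpn1}"                 # assumed name, moved into $NS
HOST_ADDR="${HOST_ADDR:-10.200.1.1/24}"     # assumed private /24, must be unused on the host
NS_ADDR="${NS_ADDR:-10.200.1.2/24}"
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints the ip commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (so the plan can be reviewed unprivileged)
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ns_ip: run an "ip" subcommand inside the namespace
ns_ip() { run ip netns exec "$NS" ip "$@"; }

# veth_up: build the point-to-point link. Deliberately no default route through
# it and no forwarding/NAT on the host end: the namespace's only route to the
# outside stays the VPN tun device, so the tunnel keeps acting as a kill switch
# and the host only exposes the single /24 management path.
veth_up() {
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_ADDR" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    ns_ip addr add "$NS_ADDR" dev "$NS_IF"
    ns_ip link set "$NS_IF" up
    ns_ip link set lo up
}

# veth_down: deleting the host end removes the peer inside the namespace too
veth_down() { run ip link del "$HOST_IF"; }

# addr_host: strip the prefix length, e.g. 10.200.1.2/24 -> 10.200.1.2
addr_host() { printf '%s\n' "${1%/*}"; }

# reachable: true when the host can open a TCP connection to the daemon port
# on the namespace side (assumes a netcat that understands -z and -w)
reachable() {
    port="$1"
    nc -z -w 2 "$(addr_host "$NS_ADDR")" "$port"
}

case "${1:-}" in
    up)    veth_up ;;
    down)  veth_down ;;
    check) reachable "${2:-58846}" ;;
esac
```

Run it as root with `up` after the openvpn service has created the namespace (`DRY_RUN=1 sh netns-veth.sh up` only prints the commands), then point the web UI at 10.200.1.2:58846; the daemon inside the namespace must be configured to accept connections on that address rather than only on its own loopback, and the host-side firewall should allow only the intended client to reach 10.200.1.2. Because no route or NAT leads from the namespace back through the host, the link adds a management path without giving the daemon a way around the VPN.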

@zackherbert

I made a fork with a systemd service with optional failover to other backends.
