Bug report
The instructions for starting ivpn at sytem boot using systemd have a couple of problems.
Describe your environment
Arch, Headless server. Installed from the AUR.
- Browser: N/A
- OS name and version: Arch GNU/Linux
Describe the problem
The unit file in the example depends on ivpn-service.service.
This service uses Type=simple
. system assumes that the service is available the instant the process is spawned. In reality, it takes a fraction of a second before the process begins listening on local TCP sockets.
systemd will then instantly run the ivpn-autoconnect.service
.
Sometimes, this script fails, because ivpn-service is not yet listening.
No VPN connection is activated.
A second problem, is that ivpn-autoconnect.service also uses Type=simple.
The script can fail, but, systemd will assume its success, and move on to the next unit files as soon as the process has started, and not yet failed.
I have my own systemd service, that i only want to start, IF the vpn has successfully connected.
And I only want my service started after the VPN connection is fully established.
When I follow these instructions in their unmodified form, even though my service is set:
Requires=ivpn-autoconnect.service
After=ivpn-autoconnect.service
My service is started, regardless of whether the VPN connected successfully.
Steps to reproduce:
- Follow systemd instructions
- (optional) make ivpn-autoconnect a dependancy (Requires=ivpn-autoconnect, After=ivpn-autoconnect) of a 3rds patry service.
- Reboot.
Observed Results:
Sometimes, ivpn-autoconnect
failed to connect to ivpn-service, because altho the process was running, it had not yet started to listen on local TCP sockets.
Any services that depended on ivpn-autoconnect had eroniously started, because Type=simple
is the wrong choice of service Type for this type of action.
Expected Results:
The VPN should have started.
In the event that it did not start for any reason, and dependant services should not have started.
Workaround:
- Add a small delay after ivpn-service is started, but before continueing on to dependant units, to give the process some time to become available.
sudo systemctl edit ivpn-service
[Service]
ExecStartPost=sleep 2
- ivpn-autoconnect.service should look a little something like the following.
Tailoring ExecStart/ExecStop to the users needs.
[Unit]
Description=Connect to iVPN
After=network.target ivpn-service.service
Requires=network-online.target ivpn-service.service
[Service]
Type=oneshot
ExecStart=ivpn connect -fastest -p OpenVPN
ExecStop=ivpn disconnect
RemainAfterExit=yes
RemainAfterExit=yes
is needed to keep the service marked available after the ivpn cli has exited.
Type=oneshot
means that any dependant unit files will not be processed untill after the ivpn cli has finished connecting.
This also means, that any failed attempt at connecting would prevent dependant units from running.
Which is certainly what a user would expect, and desire. (Otherwise, they would have used Wants=
)