Description of problem:
OpenVPN's behavior in the el6 EPEL package is this: when a .sh script exists in the /etc/openvpn directory with the same name as the .conf file, it is executed on OpenVPN startup. This is done by the startup script.
The EPEL7 version doesn't behave this way.
Version-Release number of selected component (if applicable):
Have a myvpn.conf configuration file and a myvpn.sh shell script (btw, mostly used for setting up bridging).
Steps to Reproduce:
script is not executed on startup
script is executed on startup
My workaround is to modify the systemd startup script at /lib/systemd/system/openvpn@.service
I added the line
ExecStartPre=-/bin/bash -c /etc/openvpn/%i.sh
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
The workaround here is in this case a far better approach than letting OpenVPN do this execution. Systemd can ensure the script runs with the proper privileges, while the OpenVPN binary will not be capable of that to the same degree.
The script hooks in OpenVPN will have issues on modern Linux distributions when they want to modify the system configuration on the fly, often due to restrictions set by SELinux or capabilities via systemd. There are no good solutions to that without reducing the security measures around OpenVPN.
So the best approach is to let OpenVPN take care of the VPN tunnel itself and to have the changes to the system configuration done outside of OpenVPN.
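
One way to run the per-instance script from systemd rather than from OpenVPN, as an added example (not code from the reporter, the EPEL package or OpenVPN). It assumes a hypothetical helper installed as /usr/local/sbin/openvpn-prehook and called from a unit drop-in with `ExecStartPre=/usr/local/sbin/openvpn-prehook %i`; because systemd runs it as root, it refuses any `<instance>.sh` that is not a root-owned regular file closed to group and other writes.

```shell
#!/bin/sh
# Hypothetical pre-start helper for openvpn@.service (added example).
# The function names, install path and exit codes are assumptions of this example.

# hook_is_trusted PATH [OWNER_UID]
# Succeeds only if PATH is a regular file (not a symlink), owned by
# OWNER_UID (default 0 = root) and not writable by group or others.
hook_is_trusted() {
    local path owner uid mode
    path=$1
    owner=${2:-0}
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    uid=$(stat -c %u "$path") || return 1
    mode=$(stat -c %a "$path") || return 1      # octal digits, e.g. 755
    [ "$uid" = "$owner" ] || return 1
    # 022 = group-write | other-write; either bit set means untrusted.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
}

# run_prehook INSTANCE [CONFDIR] [OWNER_UID]
# Exit status: 0 = no hook present or hook succeeded, 2 = bad instance name,
# 3 = hook exists but failed the trust check, otherwise the hook's own status.
run_prehook() {
    local inst dir owner hook
    inst=$1
    dir=${2:-/etc/openvpn}
    owner=${3:-0}
    # %i comes from the unit instance name; allow only a plain file stem.
    case $inst in
        ''|*[!A-Za-z0-9_.-]*) echo "bad instance name: $inst" >&2; return 2 ;;
    esac
    hook=$dir/$inst.sh
    [ -e "$hook" ] || [ -L "$hook" ] || return 0    # nothing to run
    if ! hook_is_trusted "$hook" "$owner"; then
        echo "refusing to run untrusted hook $hook" >&2
        return 3
    fi
    # Run through /bin/sh so the file needs no execute bit.
    /bin/sh "$hook"
}

# When called as ExecStartPre=... %i, the instance name is the first argument.
[ $# -eq 0 ] || run_prehook "$@"
```

With no leading `-` on the `ExecStartPre=` line, a refused or failing hook keeps the tunnel from starting; the reporter's line uses `-`, which ignores the failure.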