Added hardening to confine its system capability to what SoftEther requires

3 files changed, 26 insertions, 0 deletions

diff --git a/systemd/softether-vpnbridge.service b/systemd/softether-vpnbridge.service
index df007747..d8b35d71 100644
--- a/systemd/softether-vpnbridge.service
+++ b/systemd/softether-vpnbridge.service
@@ -10,6 +10,15 @@ ExecStop=/opt/vpnbridge/vpnbridge stop
 KillMode=process
 Restart=on-failure
 
+# Hardening
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/opt/vpnbridge
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE
+
+
 [Install]
 WantedBy=multi-user.target
 
diff --git a/systemd/softether-vpnclient.service b/systemd/softether-vpnclient.service
index ad1f94f6..f74b1cf8 100644
--- a/systemd/softether-vpnclient.service
+++ b/systemd/softether-vpnclient.service
@@ -11,6 +11,14 @@ ExecStop=/opt/vpnclient/vpnclient stop
 KillMode=process
 Restart=on-failure
 
+# Hardening
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/opt/vpnclient
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE
+
 [Install]
 WantedBy=multi-user.target
 
diff --git a/systemd/softether-vpnserver.service b/systemd/softether-vpnserver.service
index 08c302fd..553b5290 100644
--- a/systemd/softether-vpnserver.service
+++ b/systemd/softether-vpnserver.service
@@ -11,6 +11,15 @@ ExecStop=/opt/vpnserver/vpnserver stop
 KillMode=process
 Restart=on-failure
 
+# Hardening
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/opt/vpnserver
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE 
+
+
 [Install]
 WantedBy=multi-user.target