authorChristian Poessinger <christian@poessinger.com>2022-02-17 20:58:02 +0100
committerChristian Poessinger <christian@poessinger.com>2022-02-17 20:58:02 +0100
commit1cbcbf40b7721849f9696c05fac65db010a66b7c (patch)
tree76656a80d4b16074bac7a2340ddd4d5371a582df
parent1d141f9927f60d9faa5037ee3fd1ee9fd56d2ed6 (diff)
downloadvyos-1x-1cbcbf40b7721849f9696c05fac65db010a66b7c.tar.gz
vyos-1x-1cbcbf40b7721849f9696c05fac65db010a66b7c.zip
openvpn: T4230: globally enable ip_nonlocal_bind
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py7
-rw-r--r--src/etc/sysctl.d/33-vyos-nonlocal-bind.conf8
2 files changed, 8 insertions, 7 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 329399274..29a25eedc 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -649,13 +649,6 @@ def apply(openvpn):
return None
- # verify specified IP address is present on any interface on this system
- # Allow to bind service to nonlocal address, if it virtaual-vrrp address
- # or if address will be assign later
- if 'local_host' in openvpn:
- if not is_addr_assigned(openvpn['local_host']):
- cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1')
-
# No matching OpenVPN process running - maybe it got killed or none
# existed - nevertheless, spawn new OpenVPN process
call(f'systemctl reload-or-restart openvpn@{interface}.service')
diff --git a/src/etc/sysctl.d/33-vyos-nonlocal-bind.conf b/src/etc/sysctl.d/33-vyos-nonlocal-bind.conf
new file mode 100644
index 000000000..aa81b5336
--- /dev/null
+++ b/src/etc/sysctl.d/33-vyos-nonlocal-bind.conf
@@ -0,0 +1,8 @@
+### Added by vyos-1x ###
+#
+# ip_nonlocal_bind - BOOLEAN
+# If set, allows processes to bind() to non-local IP addresses,
+# which can be quite useful - but may break some applications.
+# Default: 0
+net.ipv4.ip_nonlocal_bind = 1
+net.ipv6.ip_nonlocal_bind = 1
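Review bot: The two sysctl lines turn on non-local bind for every process on the system and for both address families, whereas the code removed from interfaces-openvpn.py enabled it only for IPv4 and only when the configured `local_host` was not assigned to any interface; the file should record that this is deliberate and why, because the copied kernel-doc text says "may break some applications" without saying what VyOS gains. Suggest replacing the generic comment with something like `# Enabled globally (T4230) so services such as OpenVPN can bind to a VRRP/virtual address that is not (yet) present on this node; note this also lets any local process bind a socket to an arbitrary source address, so keep rp_filter/egress policy in mind.` Two caveats worth confirming: sysctl.d files are normally applied by systemd-sysctl at boot, so an in-place upgrade needs `sysctl --system` (or a reboot) before the deleted runtime `sysctl -w` is no longer needed, and `ip_nonlocal_bind` is per network namespace, so it will not cover OpenVPN instances started inside a VRF/netns if VyOS does that elsewhere. Since the check was dropped from apply(), the `is_addr_assigned` import in that file may now be unused; the import block is outside this hunk, so please verify.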