diff --git a/ocserv-forwarding.sh b/ocserv-forwarding.sh
new file mode 100644
index 0000000..c8bea0d
--- /dev/null
+++ b/ocserv-forwarding.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+set -o errexit
+
+# This script enables IP forwarding only for the time of ocserv running
+#
+# The script should be run as a pre and post script via the systemd service
+# unit.
+#
+# It only touches a sysctl if it doesn't have the required value and is able
+# to restore it back to the original value by keeping track of changed
+# settings in a state file.
+
+STATEDIR="/run/ocserv"
+STATEFILE="$STATEDIR/changed_sysctls"
+# the sysctls that need to be at '1' for ocserv to work properly
+CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding")
+
+errecho() {
+ echo $* 1>&2
+}
+
+usage() {
+ errecho "Usage: $0 [--enable|--disable]"
+ errecho
+ errecho "--enable: enable IP forwarding kernel settings, if necessary"
+ errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable"
+ errecho
+ errecho "This script temporarily enables IP forwarding while ocserv is running"
+ exit 1
+}
+
+# make sure we don't create anything world readable for other users
+umask 077
+
+if [ $# -ne 1 ]; then
+ usage
+fi
+
+SYSCTL=`which sysctl`
+if [ -z "$SYSCTL" ]; then
+ errecho "Couldn't find 'sysctl'. You need to be root to run this script."
+ exit 1
+fi
+
+operation="$1"
+
+if [ "$operation" = "-h" -o "$operation" = "--help" ]; then
+ usage
+elif [ "$operation" = "--enable" ]; then
+ changed=()
+ for control in ${CONTROLS[@]}; do
+ val=$($SYSCTL -n "$control")
+ if [ $? -ne 0 ]; then
+ errecho "failed to run sysctl"
+ exit 2
+ fi
+
+ if [ "$val" -eq 0 ]; then
+ echo -n "enabling $control: "
+ $SYSCTL "${control}=1"
+ if [ $? -eq 0 ]; then
+ changed+=("$control")
+ fi
+ fi
+ done
+
+ if (( ${#changed[@]} )); then
+ mkdir -p "$STATEDIR"
+ for changed in ${changed[@]}; do
+ echo "$changed" >>"$STATEFILE"
+ done
+ fi
+elif [ "$operation" = "--disable" ]; then
+ if [ !
-f "$STATEFILE" ]; then
+ # nothing to restore
+ exit 0
+ fi
+
+ for control in `cat $STATEFILE`; do
+ echo -n "restoring $control: "
+ $SYSCTL "${control}=0" || continue
+ done
+
+ rm -f "$STATEFILE"
+else
+ errecho "invalid argument: $operation"
+ usage
+fi
diff --git a/ocserv.changes b/ocserv.changes
index c324303..acaadbe 100644
--- a/ocserv.changes
+++ b/ocserv.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner
+
+- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
+ installed into /etc by a more tailored mechanism. Enabling IP routing
+ globally and permanently, just because the package is installed is quite
+ invasive. This new script will be invoked before and after the ocserv
+ service to switch on and off forwarding, if necessary (bsc#1174722).
+
 -------------------------------------------------------------------
 Sun Aug 14 14:11:34 UTC 2022 - Michael Du
diff --git a/ocserv.spec b/ocserv.spec
index 0ac84f2..bb43c66 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package ocserv
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@ Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
 Source2: ca.tmpl
 Source3: server.tmpl
 Source4: user.tmpl
-Source5: ocserv.sysctl
+Source5: ocserv-forwarding.sh
 Source6: ocserv.firewalld.xml
 Source99: README.SUSE
 Source100: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
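Review bot: Because the script starts with `set -o errexit`, the `if [ $? -ne 0 ]` after `val=$($SYSCTL -n "$control")` and the `if [ $? -eq 0 ]` after `$SYSCTL "${control}=1"` in the `--enable` loop can never run — a failing sysctl aborts the script before either test — and since `$STATEFILE` is only written after the loop finishes, a failure on the second or third control leaves a sysctl already flipped to 1 with no record for `--disable` to restore. Testing the commands directly and appending to the state file as each change succeeds fixes both, and also keeps ocserv startable on a host with IPv6 disabled, where the `net.ipv6.conf.*` keys are presumably absent and `sysctl -n` would otherwise fail the ExecStartPre. On the `--disable` side every token of `$STATEFILE` is handed to `sysctl name=0` as root; the file lives under root's `umask 077`, but if `/run/ocserv` is ever writable by the unprivileged ocserv account it becomes a way to zero arbitrary sysctls, so restricting restores to names in `CONTROLS` would be a cheap safeguard. The rewritten `--enable` branch below leaves the rest of the script unchanged.
```shell
elif [ "$operation" = "--enable" ]; then
	for control in "${CONTROLS[@]}"; do
		# errexit would abort on a failing substitution before any $? test,
		# so test the command itself; a key that does not exist (e.g. IPv6
		# disabled) is skipped instead of preventing ocserv from starting
		if ! val=$($SYSCTL -n "$control" 2>/dev/null); then
			errecho "skipping unavailable sysctl $control"
			continue
		fi

		if [ "$val" -eq 0 ]; then
			echo -n "enabling $control: "
			# record each change as soon as it succeeds so --disable can
			# undo it even if a later sysctl in this loop fails
			if $SYSCTL "${control}=1"; then
				mkdir -p "$STATEDIR"
				echo "$control" >>"$STATEFILE"
			fi
		fi
	done
elif [ "$operation" = "--disable" ]; then
	# … unchanged: restore loop and invalid-argument handling …
```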
@@ -109,7 +109,7 @@ make V=1 %{?_smp_mflags}
 %install
 make %{?_smp_mflags} DESTDIR=%{buildroot} install
-install -Dm 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysctl.d/60-ocserv.conf
+install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding
 %if 0%{suse_version} >= 1500
 install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml
 %endif
@@ -128,6 +128,9 @@ install -d %{buildroot}%{_unitdir}
 install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir}
 install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir}
+sed -i '/^\[Service\].*/a ExecStopPost=%{_sbindir}/ocserv-forwarding --disable' %{buildroot}%{_unitdir}/ocserv.service
+sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service
+
 %pre
 %service_add_pre ocserv.service ocserv.socket
@@ -148,7 +151,6 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %doc AUTHORS NEWS README.md
 %license COPYING LICENSE
 %config %{_sysconfdir}/ocserv
-%config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf
 %if 0%{suse_version} >= 1500
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
@@ -159,6 +161,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %{_bindir}/ocserv-script
 %{_bindir}/ocserv-fw
 %{_sbindir}/ocserv
+%{_sbindir}/ocserv-forwarding
 %{_sbindir}/ocserv-worker
 %{_unitdir}/ocserv.service
 %{_unitdir}/ocserv.socket
diff --git a/ocserv.sysctl b/ocserv.sysctl
deleted file mode 100644
index 5c37e8c..0000000
--- a/ocserv.sysctl
+++ /dev/null
@@ -1,3 +0,0 @@
-net.ipv4.ip_forward=1
-net.ipv6.conf.default.forwarding=1
-net.ipv6.conf.all.forwarding=1
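Review bot: The two `sed -i '/^\[Service\].*/a …'` lines added to `%install` exit 0 even when the pattern matches nothing, so a future upstream change to the `[Service]` header of `doc/systemd/socket-activated/ocserv.service` would silently ship a unit without the forwarding hooks and the build would not notice. Add an assertion right after them, e.g. `grep -q '^ExecStartPre=.*ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service || exit 1` and the same for `^ExecStopPost=.*ocserv-forwarding --disable`. `ExecStartPre=` also runs inside the service's sandbox, so if the upstream unit ever gains `ProtectKernelTunables=` the sysctl writes would fail and block start-up; `ExecStartPre=+%{_sbindir}/ocserv-forwarding --enable` (the `+` prefix runs the command with full privileges) would avoid that — I cannot see the upstream unit here, so treat this as a precaution rather than a confirmed breakage.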