Opened 6 years ago

Closed 4 years ago

Last modified 3 years ago

#1059 closed Bug / Defect (fixed)

Out of Memory caused by --mlock at --reneg-sec with EC cert

Reported by: tct Owned by:
Priority: minor Milestone:
Component: Documentation Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Selva Nair

Description

SERVER:

verb 4
log defaults/108.log
client-to-client
cd /etc/openvpn
dev tun
port 11948
proto udp

server 10.8.0.0 255.255.255.0
;server-ipv6 12fc:1918::10:8:0:0/112

# https://forums.openvpn.net/viewtopic.php?f=6&t=26100&p=77744#p77744
;server-ipv6 fda6:b39a:4037::/64

;management 127.0.0.1 51948

client-config-dir defaults/ccd_net30
ccd-exclusive

remote-cert-tls client

script-security 3
auth-user-pass-optional
auth-user-pass-verify defaults/auth-user-pass-verify.sh via-env

client-connect defaults/client-connect.sh

mlock
nice -2
fast-io


keepalive 15 60
reneg-sec 180 180
# 2048bit EC PKI 
ca ca.crt
cert defs108.crt
key defs108.key
tls-auth ta-defs.key 0
dh dh-2048.pem

Note: CCD provides fixed IP only; all scripts do nothing, exit 0

CLIENT:

connect-retry 10 10

;cd /etc/openvpn

dev tun108
nobind
client
remote-cert-tls server

remote x
port 11948
proto udp
;proto tcp-client

log defc108.log
verb 4

explicit-exit-notify 2

;auth-user-pass /etc/openvpn/defaultc/userpass.txt

user nobody
group nobody
;persist-key
;persist-tun

reneg-sec 0
remote-cert-tls server

# Is it one of these ?
mlock
;nice -2
;fast-io

# EC PKI

CLIENT systemd unit:

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
#ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
ExecStart=/usr/bin/openvpn --config /etc/openvpn/client/defaultc.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
LimitMEMLOCK=80M
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target

NOTE: Increasing LimitMEMLOCK to 96M solved this problem.

CLIENT LOG

Fri Apr 20 14:10:16 2018 us=821019 Current Parameter Settings:
Fri Apr 20 14:10:16 2018 us=821143 config = '/etc/openvpn/client/defaultc.conf'
Fri Apr 20 14:10:16 2018 us=821175 mode = 0
Fri Apr 20 14:10:16 2018 us=821205 persist_config = DISABLED
Fri Apr 20 14:10:16 2018 us=821258 persist_mode = 1
Fri Apr 20 14:10:16 2018 us=821273 show_ciphers = DISABLED
Fri Apr 20 14:10:16 2018 us=821336 show_digests = DISABLED
Fri Apr 20 14:10:16 2018 us=821352 show_engines = DISABLED
Fri Apr 20 14:10:16 2018 us=821375 genkey = DISABLED
Fri Apr 20 14:10:16 2018 us=821389 key_pass_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=821418 show_tls_ciphers = DISABLED
Fri Apr 20 14:10:16 2018 us=821447 connect_retry_max = 0
Fri Apr 20 14:10:16 2018 us=821476 Connection profiles [0]:
Fri Apr 20 14:10:16 2018 us=821504 proto = udp
Fri Apr 20 14:10:16 2018 us=821532 local = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=821547 local_port = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=821575 remote = 'x'
Fri Apr 20 14:10:16 2018 us=821603 remote_port = '11948'
Fri Apr 20 14:10:16 2018 us=821632 remote_float = DISABLED
Fri Apr 20 14:10:16 2018 us=821660 bind_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=821688 bind_local = DISABLED
Fri Apr 20 14:10:16 2018 us=821703 bind_ipv6_only = DISABLED
Fri Apr 20 14:10:16 2018 us=821731 connect_retry_seconds = 10
Fri Apr 20 14:10:16 2018 us=821760 connect_timeout = 120
Fri Apr 20 14:10:16 2018 us=821773 socks_proxy_server = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=821783 socks_proxy_port = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=821809 tun_mtu = 1500
Fri Apr 20 14:10:16 2018 us=821864 tun_mtu_defined = ENABLED
Fri Apr 20 14:10:16 2018 us=821896 link_mtu = 1500
Fri Apr 20 14:10:16 2018 us=821924 link_mtu_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=821952 tun_mtu_extra = 0
Fri Apr 20 14:10:16 2018 us=821980 tun_mtu_extra_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=821995 mtu_discover_type = -1
Fri Apr 20 14:10:16 2018 us=822023 fragment = 0
Fri Apr 20 14:10:16 2018 us=822051 mssfix = 1
Fri Apr 20 14:10:16 2018 us=822081 explicit_exit_notification = 2
Fri Apr 20 14:10:16 2018 us=822109 Connection profiles END
Fri Apr 20 14:10:16 2018 us=822138 remote_random = DISABLED
Fri Apr 20 14:10:16 2018 us=822152 ipchange = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822162 dev = 'tun108'
Fri Apr 20 14:10:16 2018 us=822171 dev_type = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822183 dev_node = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822192 lladdr = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822222 topology = 1
Fri Apr 20 14:10:16 2018 us=822253 ifconfig_local = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822269 ifconfig_remote_netmask = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822326 ifconfig_noexec = DISABLED
Fri Apr 20 14:10:16 2018 us=822338 ifconfig_nowarn = DISABLED
Fri Apr 20 14:10:16 2018 us=822368 ifconfig_ipv6_local = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822396 ifconfig_ipv6_netbits = 0
Fri Apr 20 14:10:16 2018 us=822425 ifconfig_ipv6_remote = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822453 shaper = 0
Fri Apr 20 14:10:16 2018 us=822481 mtu_test = 0
Fri Apr 20 14:10:16 2018 us=822496 mlock = ENABLED
Fri Apr 20 14:10:16 2018 us=822525 keepalive_ping = 0
Fri Apr 20 14:10:16 2018 us=822554 keepalive_timeout = 0
Fri Apr 20 14:10:16 2018 us=822583 inactivity_timeout = 0
Fri Apr 20 14:10:16 2018 us=822612 ping_send_timeout = 0
Fri Apr 20 14:10:16 2018 us=822640 ping_rec_timeout = 0
Fri Apr 20 14:10:16 2018 us=822668 ping_rec_timeout_action = 0
Fri Apr 20 14:10:16 2018 us=822683 ping_timer_remote = DISABLED
Fri Apr 20 14:10:16 2018 us=822706 remap_sigusr1 = 0
Fri Apr 20 14:10:16 2018 us=822719 persist_tun = DISABLED
Fri Apr 20 14:10:16 2018 us=822728 persist_local_ip = DISABLED
Fri Apr 20 14:10:16 2018 us=822737 persist_remote_ip = DISABLED
Fri Apr 20 14:10:16 2018 us=822747 persist_key = DISABLED
Fri Apr 20 14:10:16 2018 us=822756 passtos = DISABLED
Fri Apr 20 14:10:16 2018 us=822765 resolve_retry_seconds = 1000000000
Fri Apr 20 14:10:16 2018 us=822774 resolve_in_advance = DISABLED
Fri Apr 20 14:10:16 2018 us=822818 username = 'nobody'
Fri Apr 20 14:10:16 2018 us=822830 groupname = 'nobody'
Fri Apr 20 14:10:16 2018 us=822839 chroot_dir = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822848 cd_dir = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822857 writepid = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822867 up_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822876 down_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=822885 down_pre = DISABLED
Fri Apr 20 14:10:16 2018 us=822894 up_restart = DISABLED
Fri Apr 20 14:10:16 2018 us=822903 up_delay = DISABLED
Fri Apr 20 14:10:16 2018 us=822912 daemon = DISABLED
Fri Apr 20 14:10:16 2018 us=822921 inetd = 0
Fri Apr 20 14:10:16 2018 us=822930 log = ENABLED
Fri Apr 20 14:10:16 2018 us=822939 suppress_timestamps = DISABLED
Fri Apr 20 14:10:16 2018 us=822948 machine_readable_output = DISABLED
Fri Apr 20 14:10:16 2018 us=822957 nice = 0
Fri Apr 20 14:10:16 2018 us=822966 verbosity = 4
Fri Apr 20 14:10:16 2018 us=822975 mute = 0
Fri Apr 20 14:10:16 2018 us=822985 gremlin = 0
Fri Apr 20 14:10:16 2018 us=822995 status_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823004 status_file_version = 1
Fri Apr 20 14:10:16 2018 us=823013 status_file_update_freq = 60
Fri Apr 20 14:10:16 2018 us=823022 occ = ENABLED
Fri Apr 20 14:10:16 2018 us=823031 rcvbuf = 0
Fri Apr 20 14:10:16 2018 us=823040 sndbuf = 0
Fri Apr 20 14:10:16 2018 us=823049 mark = 0
Fri Apr 20 14:10:16 2018 us=823058 sockflags = 0
Fri Apr 20 14:10:16 2018 us=823067 fast_io = DISABLED
Fri Apr 20 14:10:16 2018 us=823077 comp.alg = 0
Fri Apr 20 14:10:16 2018 us=823086 comp.flags = 0
Fri Apr 20 14:10:16 2018 us=823095 route_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823104 route_default_gateway = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823113 route_default_metric = 0
Fri Apr 20 14:10:16 2018 us=823122 route_noexec = DISABLED
Fri Apr 20 14:10:16 2018 us=823131 route_delay = 0
Fri Apr 20 14:10:16 2018 us=823141 route_delay_window = 30
Fri Apr 20 14:10:16 2018 us=823150 route_delay_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=823159 route_nopull = DISABLED
Fri Apr 20 14:10:16 2018 us=823168 route_gateway_via_dhcp = DISABLED
Fri Apr 20 14:10:16 2018 us=823197 allow_pull_fqdn = DISABLED
Fri Apr 20 14:10:16 2018 us=823208 management_addr = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823217 management_port = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823227 management_user_pass = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823236 management_log_history_cache = 250
Fri Apr 20 14:10:16 2018 us=823246 management_echo_buffer_size = 100
Fri Apr 20 14:10:16 2018 us=823255 management_write_peer_info_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823265 management_client_user = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823292 management_client_group = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823304 management_flags = 0
Fri Apr 20 14:10:16 2018 us=823314 shared_secret_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823324 key_direction = 1
Fri Apr 20 14:10:16 2018 us=823333 ciphername = 'BF-CBC'
Fri Apr 20 14:10:16 2018 us=823343 ncp_enabled = ENABLED
Fri Apr 20 14:10:16 2018 us=823352 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Fri Apr 20 14:10:16 2018 us=823361 authname = 'SHA1'
Fri Apr 20 14:10:16 2018 us=823371 prng_hash = 'SHA1'
Fri Apr 20 14:10:16 2018 us=823380 prng_nonce_secret_len = 16
Fri Apr 20 14:10:16 2018 us=823390 keysize = 0
Fri Apr 20 14:10:16 2018 us=823399 engine = DISABLED
Fri Apr 20 14:10:16 2018 us=823409 replay = ENABLED
Fri Apr 20 14:10:16 2018 us=823418 mute_replay_warnings = DISABLED
Fri Apr 20 14:10:16 2018 us=823427 replay_window = 64
Fri Apr 20 14:10:16 2018 us=823437 replay_time = 15
Fri Apr 20 14:10:16 2018 us=823446 packet_id_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823455 use_iv = ENABLED
Fri Apr 20 14:10:16 2018 us=823465 test_crypto = DISABLED
Fri Apr 20 14:10:16 2018 us=823474 tls_server = DISABLED
Fri Apr 20 14:10:16 2018 us=823483 tls_client = ENABLED
Fri Apr 20 14:10:16 2018 us=823498 key_method = 2
Fri Apr 20 14:10:16 2018 us=823507 ca_file = 'INLINE?'
Fri Apr 20 14:10:16 2018 us=823517 ca_path = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823526 dh_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823535 cert_file = 'INLINE?'
Fri Apr 20 14:10:16 2018 us=823545 extra_certs_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823554 priv_key_file = 'INLINE?'
Fri Apr 20 14:10:16 2018 us=823564 pkcs12_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823573 cipher_list = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823582 tls_cert_profile = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823592 tls_verify = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823601 tls_export_cert = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823610 verify_x509_type = 0
Fri Apr 20 14:10:16 2018 us=823620 verify_x509_name = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823629 crl_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823638 ns_cert_type = 0
Fri Apr 20 14:10:16 2018 us=823648 remote_cert_ku[i] = 65535
Fri Apr 20 14:10:16 2018 us=823657 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823667 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823676 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823685 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823695 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823704 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823713 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823723 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823732 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823741 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823750 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823760 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823769 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823778 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823787 remote_cert_ku[i] = 0
Fri Apr 20 14:10:16 2018 us=823797 remote_cert_eku = 'TLS Web Server Authentication'
Fri Apr 20 14:10:16 2018 us=823806 ssl_flags = 0
Fri Apr 20 14:10:16 2018 us=823816 tls_timeout = 2
Fri Apr 20 14:10:16 2018 us=823825 renegotiate_bytes = -1
Fri Apr 20 14:10:16 2018 us=823834 renegotiate_packets = 0
Fri Apr 20 14:10:16 2018 us=823844 renegotiate_seconds = 0
Fri Apr 20 14:10:16 2018 us=823853 handshake_window = 60
Fri Apr 20 14:10:16 2018 us=823862 transition_window = 3600
Fri Apr 20 14:10:16 2018 us=823872 single_session = DISABLED
Fri Apr 20 14:10:16 2018 us=823881 push_peer_info = DISABLED
Fri Apr 20 14:10:16 2018 us=823890 tls_exit = DISABLED
Fri Apr 20 14:10:16 2018 us=823900 tls_auth_file = 'INLINE?'
Fri Apr 20 14:10:16 2018 us=823909 tls_crypt_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=823918 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823928 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823937 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823946 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823955 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823965 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823974 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823983 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=823992 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824001 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824011 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824020 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824030 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824039 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824048 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824057 pkcs11_protected_authentication = DISABLED
Fri Apr 20 14:10:16 2018 us=824067 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824076 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824089 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824099 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824109 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824118 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824128 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824137 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824166 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824177 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824186 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824196 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824205 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824214 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824224 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824233 pkcs11_private_mode = 00000000
Fri Apr 20 14:10:16 2018 us=824242 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824252 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824261 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824270 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824291 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824301 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824311 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824320 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824329 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824339 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824348 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824357 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824366 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824375 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824385 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824394 pkcs11_cert_private = DISABLED
Fri Apr 20 14:10:16 2018 us=824403 pkcs11_pin_cache_period = -1
Fri Apr 20 14:10:16 2018 us=824413 pkcs11_id = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824422 pkcs11_id_management = DISABLED
Fri Apr 20 14:10:16 2018 us=824439 server_network = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824449 server_netmask = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824460 server_network_ipv6 = ::
Fri Apr 20 14:10:16 2018 us=824469 server_netbits_ipv6 = 0
Fri Apr 20 14:10:16 2018 us=824479 server_bridge_ip = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824489 server_bridge_netmask = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824503 server_bridge_pool_start = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824514 server_bridge_pool_end = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824523 ifconfig_pool_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=824533 ifconfig_pool_start = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824543 ifconfig_pool_end = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824553 ifconfig_pool_netmask = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824563 ifconfig_pool_persist_filename = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824572 ifconfig_pool_persist_refresh_freq = 600
Fri Apr 20 14:10:16 2018 us=824582 ifconfig_ipv6_pool_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=824591 ifconfig_ipv6_pool_base = ::
Fri Apr 20 14:10:16 2018 us=824601 ifconfig_ipv6_pool_netbits = 0
Fri Apr 20 14:10:16 2018 us=824611 n_bcast_buf = 256
Fri Apr 20 14:10:16 2018 us=824620 tcp_queue_limit = 64
Fri Apr 20 14:10:16 2018 us=824630 real_hash_size = 256
Fri Apr 20 14:10:16 2018 us=824639 virtual_hash_size = 256
Fri Apr 20 14:10:16 2018 us=824648 client_connect_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824658 learn_address_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824667 client_disconnect_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824676 client_config_dir = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824686 ccd_exclusive = DISABLED
Fri Apr 20 14:10:16 2018 us=824695 tmp_dir = '/tmp'
Fri Apr 20 14:10:16 2018 us=824705 push_ifconfig_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=824719 push_ifconfig_local = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824729 push_ifconfig_remote_netmask = 0.0.0.0
Fri Apr 20 14:10:16 2018 us=824739 push_ifconfig_ipv6_defined = DISABLED
Fri Apr 20 14:10:16 2018 us=824749 push_ifconfig_ipv6_local = ::/0
Fri Apr 20 14:10:16 2018 us=824759 push_ifconfig_ipv6_remote = ::
Fri Apr 20 14:10:16 2018 us=824768 enable_c2c = DISABLED
Fri Apr 20 14:10:16 2018 us=824777 duplicate_cn = DISABLED
Fri Apr 20 14:10:16 2018 us=824787 cf_max = 0
Fri Apr 20 14:10:16 2018 us=824796 cf_per = 0
Fri Apr 20 14:10:16 2018 us=824806 max_clients = 1024
Fri Apr 20 14:10:16 2018 us=824815 max_routes_per_client = 256
Fri Apr 20 14:10:16 2018 us=824824 auth_user_pass_verify_script = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824834 auth_user_pass_verify_script_via_file = DISABLED
Fri Apr 20 14:10:16 2018 us=824843 auth_token_generate = DISABLED
Fri Apr 20 14:10:16 2018 us=824852 auth_token_lifetime = 0
Fri Apr 20 14:10:16 2018 us=824862 port_share_host = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824871 port_share_port = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824880 client = ENABLED
Fri Apr 20 14:10:16 2018 us=824890 pull = ENABLED
Fri Apr 20 14:10:16 2018 us=824899 auth_user_pass_file = '[UNDEF]'
Fri Apr 20 14:10:16 2018 us=824909 OpenVPN 2.4.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 1 2018
Fri Apr 20 14:10:16 2018 us=824923 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.10
Fri Apr 20 14:10:16 2018 us=826783 mlockall call succeeded
Fri Apr 20 14:10:16 2018 us=826816 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Fri Apr 20 14:10:16 2018 us=826826 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Fri Apr 20 14:10:16 2018 us=827349 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 20 14:10:16 2018 us=827416 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 20 14:10:16 2018 us=827457 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Apr 20 14:10:17 2018 us=93842 Data Channel MTU parms [ L:1621 D:221 EF:121 EB:406 ET:0 EL:3 ]
Fri Apr 20 14:10:17 2018 us=93900 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Apr 20 14:10:17 2018 us=93911 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Apr 20 14:10:17 2018 us=94021 TCP/UDP: Preserving recently used remote address: [AF_INET]92.8.108.41:11948
Fri Apr 20 14:10:17 2018 us=94042 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr 20 14:10:17 2018 us=94053 UDP link local: (not bound)
Fri Apr 20 14:10:17 2018 us=94063 UDP link remote: [AF_INET]92.8.108.41:11948
Fri Apr 20 14:10:17 2018 us=94072 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Apr 20 14:10:17 2018 us=97593 TLS: Initial packet from [AF_INET]92.8.108.41:11948, sid=73e5fe06 920bce43
Fri Apr 20 14:10:17 2018 us=107853 VERIFY OK: depth=1, CN=v304.ec.CA.default
Fri Apr 20 14:10:17 2018 us=109131 VERIFY KU OK
Fri Apr 20 14:10:17 2018 us=109150 Validating certificate extended key usage
Fri Apr 20 14:10:17 2018 us=109161 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 20 14:10:17 2018 us=109169 VERIFY EKU OK
Fri Apr 20 14:10:17 2018 us=109178 VERIFY OK: depth=0, CN=v304.ec.defs108
Fri Apr 20 14:10:17 2018 us=158394 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 384 bit EC, curve: secp384r1
Fri Apr 20 14:10:17 2018 us=158444 [v304.ec.defs108] Peer Connection Initiated with [AF_INET]92.8.108.41:11948
Fri Apr 20 14:10:18 2018 us=421936 SENT CONTROL [v304.ec.defs108]: 'PUSH_REQUEST' (status=1)
Fri Apr 20 14:10:18 2018 us=424964 PUSH: Received control message: 'PUSH_REPLY,tun-ipv6,route 10.8.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig-ipv6 12fc:1918::10:8:0:226/112 fda6:b39a:4037::1,ifconfig 10.8.0.226 10.8.0.225,peer-id 0,cipher AES-256-GCM'
Fri Apr 20 14:10:18 2018 us=425032 OPTIONS IMPORT: timers and/or timeouts modified
Fri Apr 20 14:10:18 2018 us=425044 OPTIONS IMPORT: --ifconfig/up options modified
Fri Apr 20 14:10:18 2018 us=425053 OPTIONS IMPORT: route options modified
Fri Apr 20 14:10:18 2018 us=425061 OPTIONS IMPORT: peer-id set
Fri Apr 20 14:10:18 2018 us=425069 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Apr 20 14:10:18 2018 us=425077 OPTIONS IMPORT: data channel crypto options modified
Fri Apr 20 14:10:18 2018 us=425087 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Apr 20 14:10:18 2018 us=425103 Data Channel MTU parms [ L:1552 D:152 EF:52 EB:406 ET:0 EL:3 ]
Fri Apr 20 14:10:18 2018 us=425167 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Apr 20 14:10:18 2018 us=425179 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Apr 20 14:10:18 2018 us=425371 ROUTE_GATEWAY 10.10.201.1/255.255.255.0 IFACE=eth0 HWADDR=00:15:5d:c9:6e:01
Fri Apr 20 14:10:18 2018 us=426348 TUN/TAP device tun108 opened
Fri Apr 20 14:10:18 2018 us=426411 TUN/TAP TX queue length set to 100
Fri Apr 20 14:10:18 2018 us=426431 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Apr 20 14:10:18 2018 us=426450 /usr/bin/ip link set dev tun108 up mtu 1500
Fri Apr 20 14:10:18 2018 us=428385 /usr/bin/ip addr add dev tun108 local 10.8.0.226 peer 10.8.0.225
Fri Apr 20 14:10:18 2018 us=429806 /usr/bin/ip -6 addr add 12fc:1918::10:8:0:226/112 dev tun108
Fri Apr 20 14:10:18 2018 us=431123 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.225
Fri Apr 20 14:10:18 2018 us=432355 GID set to nobody
Fri Apr 20 14:10:18 2018 us=432420 UID set to nobody
Fri Apr 20 14:10:18 2018 us=432435 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Apr 20 14:10:18 2018 us=433311 Initialization Sequence Completed
OpenVPN: Out of Memory (Note: occurred at 14:12:18)

Change History (7)

comment:1 Changed 6 years ago by Selva Nair

This is not surprising as mlock with privilege dropping is very likely to cause OOM as the memlock limit is pretty low by default. So any future malloc will fail with EAGAIN or stack cannot grow etc. The limit doesn't matter as long as the process is running as root as it has CAP_IPC_LOCK privilege.

So unless openvpn is started from a session where the memlock limit is increased to a large enough value, do not drop privileges when using mlock. The required limit is dependent on client config, libraries linked in etc., but 100MB should be good enough -- I see a virtual memory peak of 55MB for an instance running here and 27 MB for another. It's the soft limit for the session that matters --- so it is enough to use ulimit -l xxx when running from the cmdline before spawning the process. If using systemd it may have its own settings.

For clients, the memory use would not change much even for long running instances, so we could build this into openvpn itself -- i.e., call setrlimit() to set a value more than the current virtual memory footprint (by, say, +10MB) before dropping privileges. For servers there is no good option -- just do not drop privileges if using mlock is important.
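The sequence described in the comment above (lock memory as --mlock does, size the soft RLIMIT_MEMLOCK from the footprint actually observed plus headroom, and only then give up root) as an added C example. This is illustration code written for this page, not OpenVPN's own implementation; the +10 MB headroom, the `nobody` target user, the hypothetical helper names and reading VmPeak from /proc/self/status (Linux-specific) are assumptions.

```c
/* Added example, not OpenVPN code: raise the soft RLIMIT_MEMLOCK before
 * dropping privileges, so a process that called mlockall() as root does not
 * start failing allocations once CAP_IPC_LOCK is gone. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Parse the "VmPeak:" line of /proc/<pid>/status text (value in kB) and
 * return it in bytes; 0 if the line is absent or malformed. */
long long parse_vmpeak_bytes(const char *status_text)
{
    const char *p = strstr(status_text, "VmPeak:");
    if (p == NULL) {
        return 0;
    }
    p += strlen("VmPeak:");
    char *end;
    errno = 0;
    long long kb = strtoll(p, &end, 10);   /* skips leading tabs/spaces */
    if (end == p || kb < 0 || errno != 0) {
        return 0;
    }
    return kb * 1024LL;
}

/* Peak virtual size of this process so far (Linux /proc; 0 elsewhere). */
long long current_vmpeak_bytes(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) {
        return 0;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_vmpeak_bytes(buf);
}

/* Lock limit to request: what has been used so far plus headroom for
 * later allocations (the comment suggests roughly +10MB for clients). */
rlim_t memlock_target(long long peak_bytes, long long headroom_bytes)
{
    return (rlim_t)(peak_bytes + headroom_bytes);
}

/* Raise the soft RLIMIT_MEMLOCK to `target` without ever lowering it and
 * without exceeding the hard limit (raising that needs CAP_SYS_RESOURCE).
 * Returns 1 if the soft limit afterwards covers `target`, else 0. */
int raise_memlock_soft_limit(rlim_t target)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        return 0;
    }
    if (rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur < target) {
        rlim_t wanted = target;
        if (rl.rlim_max != RLIM_INFINITY && wanted > rl.rlim_max) {
            wanted = rl.rlim_max;   /* unprivileged: capped by the hard limit */
        }
        rl.rlim_cur = wanted;
        if (setrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
            return 0;
        }
    }
    return rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur >= target;
}

/* Drop to an unprivileged user; group first, then user, as --group/--user do.
 * Returns 0 on success or when there is nothing to drop, -1 on failure. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0) {
        return 0;
    }
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        return -1;
    }
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 1. Lock current and future pages (what --mlock does). As root with
     *    CAP_IPC_LOCK the memlock limit is not enforced yet. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
        perror("mlockall");
    }
    /* 2. Size the soft limit from the observed footprint plus headroom. */
    long long peak = current_vmpeak_bytes();
    rlim_t target = memlock_target(peak, 10LL * 1024 * 1024);   /* assumed +10MB */
    int ok = raise_memlock_soft_limit(target);
    printf("VmPeak=%lld bytes, wanted soft limit=%llu, covered=%s\n",
           peak, (unsigned long long)target, ok ? "yes" : "no");
    /* 3. Only now give up root: from here on every locked allocation counts
     *    against the soft limit, and an undersized one surfaces as EAGAIN. */
    if (!ok) {
        fprintf(stderr, "memlock limit too low; not dropping privileges\n");
        return 1;
    }
    if (drop_privileges("nobody") != 0) {   /* assumed target user */
        perror("drop_privileges");
        return 1;
    }
    void *p = malloc(1 << 20);
    printf("1 MiB allocation after the drop: %s\n", p ? "ok" : strerror(errno));
    free(p);
    return 0;
}
```

Run it as root to see the full sequence; unprivileged it can only move the soft limit up to the hard limit, which is exactly the ceiling that `ulimit -l` in the launching shell or `LimitMEMLOCK=` in the systemd unit has to lift from outside.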

comment:2 Changed 4 years ago by tct

CC'ing due to #1238

@Selvanair Thanks for the input.


comment:3 Changed 4 years ago by Gert Döring

Cc: Selva Nair added

Shall we do something about this, for 2.6? Or just treat this as "documentation ticket" and close?

comment:4 Changed 4 years ago by Selva Nair

We could add a comment against --mlock in the man page that privilege dropping may cause future allocations to fail if the lockable memory limit is low?

comment:5 Changed 4 years ago by Gert Döring

Yes, a man page addition sounds like a good idea.

By coincidence, I just discovered #293, which came to the same conclusion - "this is what it is, so document it". 7 years ago...

comment:6 Changed 4 years ago by Gert Döring

Component: Generic / unclassified → Documentation
Resolution: fixed
Status: new → closed

commit 5b815eb449314a43e2b73325948edea8a4cfb215 (master)
commit be68b361a9c95218c671ee86d25a29019bab7239 (release/2.5)
Author: Selva Nair
Date: Wed Sep 9 18:15:29 2020 -0400

Add a remark on dropping privileges when --mlock is used

I think this is good enough to enable people to find the caveat and look for workarounds.

Closing this ticket!

comment:7 Changed 3 years ago by Gert Döring

Yeah, and just 6 months later, it hit someone else :-) - and we seem to be going slightly in circles here. See #1390. (Thanks, @tincantech, for pointing this out).
