Opened 4 years ago

Last modified 4 years ago

#1239 assigned Feature Wish

openvpn client returns 0 after failed login

Reported by: mikeely
Owned by:
Priority: minor
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.4.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

CentOS 7, installed via EPEL repo. When login fails for reasons I've tested (deliberately breaking config, deliberately passing wrong creds) the openvpn process exits with retval=0. This makes monitoring difficult as one is forced to parse the command output rather than simply checking $?.

Please change the client so that when openvpn fails to connect for any reason it returns nonzero.

Example using deliberately broken config (I removed the space between "auth-user-pass" and the path to the credentials file); using wrong creds looks similar:

_etc/openvpn/client_(root@test)_
# openvpn --config test.ovpn
Wed Dec 4 08:54:28 2019 Unrecognized option or missing or extra parameter(s) in test.ovpn:104: auth-user-pass/etc/openvpn/client/ovpn.passwd (2.4.8)
Wed Dec 4 08:54:28 2019 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Wed Dec 4 08:54:28 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Wed Dec 4 08:54:28 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Dec 4 08:54:28 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 4 08:54:28 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 4 08:54:28 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 4 08:54:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]redacted:1194
Wed Dec 4 08:54:28 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec 4 08:54:28 2019 UDP link local: (not bound)
Wed Dec 4 08:54:28 2019 UDP link remote: [AF_INET]redacted:1194
Wed Dec 4 08:54:28 2019 TLS: Initial packet from [AF_INET]redacted:1194, sid=9ee386c1 503662fa
Wed Dec 4 08:54:28 2019 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Dec 4 08:54:28 2019 VERIFY OK: nsCertType=SERVER
Wed Dec 4 08:54:28 2019 VERIFY OK: depth=0, CN=OpenVPN Server
Wed Dec 4 08:54:28 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Dec 4 08:54:28 2019 [OpenVPN Server] Peer Connection Initiated with [AF_INET]redacted:1194
Wed Dec 4 08:54:29 2019 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Wed Dec 4 08:54:29 2019 AUTH: Received control message: AUTH_FAILED
Wed Dec 4 08:54:29 2019 SIGTERM[soft,auth-failure] received, process exiting
_etc/openvpn/client_(root@test)_
# echo $?
0

# yum info openvpn
Installed Packages
Name : openvpn
Arch : x86_64
Version : 2.4.8
Release : 1.el7
Size : 1.2 M
Repo : installed
From repo : epel
Summary : A full-featured SSL VPN solution
URL : https://community.openvpn.net/
License : GPLv2
Description : OpenVPN is a robust and highly flexible tunneling application that uses all
: of the encryption, authentication, and certification features of the
: OpenSSL library to securely tunnel IP networks over a single UDP or TCP
: port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
: for compression.

Server info:
# yum info openvpn-as
Installed Packages
Name : openvpn-as
Arch : x86_64
Version : 2.7.4_777bcfe6
Release : CentOSrelease
Size : 107 M
Repo : installed
Summary : openvpn-as
License : Commercial
Description :

Change History (1)

comment:1 Changed 4 years ago by Gert Döring

Component: OSS OpenVPN Clients → Generic / unclassified
Owner: plaisthos deleted
Status: new → assigned
Type: Bug / Defect → Feature Wish

Yeah, sounds like a reasonable thing.

It's not a bug, though (nothing in the documentation says "this is so"), so reclassifying as "feature wish".

Someone will have to code this... (on git master)
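
A monitoring wrapper can derive a non-zero status from the log lines shown in the ticket when the client itself exits 0. This is an added example, not part of the ticket or of OpenVPN; the function names and the exit codes 2 and 3 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not OpenVPN project code. Exit codes 2 and 3 are this
# example's own convention; the match strings are the log lines in the ticket.

# Read client log text on stdin and return:
#   0 = no failure marker, 2 = authentication failure, 3 = option/config error.
# Authentication failure wins when both markers are present.
classify_openvpn_log() {
    awk '
        /AUTH: Received control message: AUTH_FAILED/       { auth = 1 }
        /SIGTERM\[soft,auth-failure\]/                      { auth = 1 }
        /Unrecognized option or missing or extra parameter/ { cfg = 1 }
        END { if (auth) exit 2; if (cfg) exit 3; exit 0 }
    '
}

# run_checked LOGFILE CMD [ARGS...]
# Run the client in the foreground with its output in LOGFILE. A non-zero
# status from the client is passed through unchanged; a zero status is
# replaced by the classification of what it logged.
run_checked() {
    _log=$1; shift
    _rc=0
    "$@" >"$_log" 2>&1 || _rc=$?
    if [ "$_rc" -eq 0 ]; then
        classify_openvpn_log <"$_log" || _rc=$?
    fi
    return "$_rc"
}

# Constructed sample: the last three lines of the ticket's session.
sample_auth_failed_log() {
    cat <<'EOF'
Wed Dec 4 08:54:29 2019 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Wed Dec 4 08:54:29 2019 AUTH: Received control message: AUTH_FAILED
Wed Dec 4 08:54:29 2019 SIGTERM[soft,auth-failure] received, process exiting
EOF
}

# Demo: a stand-in client that logs the sample and exits 0, as in the ticket.
_demo_log=$(mktemp)
_demo_rc=0
run_checked "$_demo_log" sample_auth_failed_log || _demo_rc=$?
echo "stand-in client exited 0, run_checked reports $_demo_rc"
rm -f "$_demo_log"
```

In real use the command would be the one from the ticket, for example `run_checked /tmp/probe.log openvpn --config test.ovpn`. The check only applies once the foreground client has exited, and it depends on log wording that may differ between versions.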
