#1424 closed User question (notabug)

--client-disconnect executes after failed --client-connect

Reported by: tct Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:


The --client-disconnect script is executed even after a failed --client-connect script execution.

Server log:

<FAIL> * EasyTLS-client-connect => vars loaded => CN:ss-c-arch => Kill client signal => == => conn_trac_disconnect FAIL => temp-files deleted

failed to read generic_ext_md_file
2021-08-21 20:33:40 us=867575 arch/ WARNING: Failed running command (--client-connect): external program exited with error status: 18
<EXOK> * EasyTLS-client-disconnect => vars loaded => CN:ss-c-arch => X509 serial matched => client_ext_md_file loaded => disconnection success => 88cca7a5b9df705560a0764a427478fe327194ce1d28dd0a6feaf5e797ff5531=650953F06CFC5E2B5B5C4B4820E50D936C90A595= => conn_trac_disconnect FAIL => temp-files deleted
2021-08-21 20:33:44 us=53200 arch/ PUSH: Received control message: 'PUSH_REQUEST'
2021-08-21 20:33:44 us=53309 arch/ Delayed exit in 5 seconds
2021-08-21 20:33:44 us=53392 arch/ SENT CONTROL [arch]: 'AUTH_FAILED' (status=1)
2021-08-21 20:33:49 us=614513 arch/ SIGTERM[soft,delayed-exit] received, client-instance exiting

Change History (4)

comment:1 Changed 18 months ago by tct

The manual states the following:

--client-disconnect cmd

Like --client-connect but called on client instance shutdown. Will not be called unless the --client-connect script and plugins (if defined) were previously called on this instance with successful (0) status returns.

The exception to this rule is if the --client-disconnect command or plugins are cascaded, and at least one client-connect function succeeded, then ALL of the client-disconnect functions for scripts and plugins will be called on client instance object deletion, even in cases where some of the related client-connect functions returned an error status.

Define: cascaded

My server uses:

  1. --tls-crypt-v2-verify (Succeeds). Should not be considered cascaded. Because this verification is for a TLS-Crypt-V2 key only and has no other access to the server environment.
  1. --tls-verify (Succeeds). Questionable cascaded status ?
  1. --auth-user-pass-verify (Succeeds). This is probably the cascading element which is causing the confusion. I will test without for comparison.

comment:2 Changed 18 months ago by tct

Update: Removing only --auth-user-pass-verify the result is the same.

The other two scripts above complete successfully, is it the --tls-verify stage causing the strange behaviour ?

comment:3 Changed 18 months ago by tct

Further testing:

  • If --tls-crypt-v2-verify succeeds
  • and --tls-verify is not configured
  • and --client-connect fails
  • then --client-disconnect still executes

Essentially, if any script during connection setup succeeds then --client-disconnect is executed.

comment:4 Changed 18 months ago by tct

Priority: majorminor
Resolution: notabug
Status: newclosed
Type: Bug / DefectUser question
Note: See TracTickets for help on using tickets.