#222 closed Bug / Defect (wontfix)
hang in auth-user-pass-verify script causes hang in openvpn
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | release 2.5 |
Component: | plug-ins / plug-in API | Version: | OpenVPN 2.1.4 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Hello, when the auth-user-pass-verify script hangs for any reason, it causes the whole openvpn instance to hang, meaning all client traffic stops being passed, and clients time out and disconnect.
Thanks for an otherwise excellent product.
Geoff
Change History (3)
comment:1 Changed 12 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 Changed 5 years ago by
Found this in a discussion on the openvpn-users list today, which actually refers back to this bug...
... so, this is a plugin, which calls an external script, and does so asynchronously.
comment:3 Changed 18 months ago by
Milestone: | → release 2.5 |
---|
So, to come back here, after too many years, and add some more documentation :-)
Starting with OpenVPN 2.5.0, not only plugins but also --auth-user-pass-verify and --client-connect scripts can be executed asynchronously - so no stalls in the main process while OpenVPN waits for the results.
In the OpenVPN manpage, look for "deferred" in the section about --auth-user-pass-verify:
The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, a failure code (1) to reject the client, or that the authentication is deferred (2). If the authentication is deferred, the script must fork/start a background or another non-blocking operation to continue the authentication in the background. When finishing the authentication, a 1 or 0 must be written to the file specified by the auth_control_file.
(auth_control_file is an environment variable pointing to a file name)
This is a known issue. OpenVPN is single threaded, which means it is not easy to solve this for the script hooks. However, this can be solved by using 'deferred authentication' which is possible via the plug-in API.
An example plug-in for deferred authentication can be found in the source tree, in sample/sample-plugins/defer/simple.c :
http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn.git;a=blob;f=sample/sample-plugins/defer/simple.c;h=65398657d10fd954e09e4ec2f113763c2d6e3407;hb=HEAD
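
The deferred script mode described in comment:3, as an added example that is not part of the ticket or of the OpenVPN source tree: the script returns 2 at once and a background job writes the verdict to auth_control_file, with a time limit so that a hung backend ends in a rejection rather than a stalled server. The script path, the config lines, `AUTH_BACKEND`, `AUTH_TIMEOUT` and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket: deferred --auth-user-pass-verify script
# for OpenVPN 2.5.0+. Assumed server config:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify-deferred.sh via-file
# via-file mode passes a temp file as $1: username on line 1, password on line 2.

# Hypothetical backend: reads "username\npassword\n" on stdin, exits 0 to accept.
AUTH_BACKEND=${AUTH_BACKEND:-/usr/local/bin/check-credentials}
# Seconds before a hung backend counts as a reject (needs coreutils `timeout`).
# Keep it shorter than OpenVPN's --hand-window.
AUTH_TIMEOUT=${AUTH_TIMEOUT:-20}

# Run the backend under a time limit, then write the verdict OpenVPN waits for.
# $1 = credentials text, $2 = path taken from the auth_control_file variable
write_verdict() {
    if printf '%s\n' "$1" | timeout "$AUTH_TIMEOUT" "$AUTH_BACKEND" >/dev/null 2>&1
    then verdict=1
    else verdict=0   # bad password, backend error or timeout: fail closed
    fi
    printf '%s' "$verdict" > "$2"
}

# $1 = via-file credentials file. Returns the exit code OpenVPN should see.
deferred_verify() {
    # Without auth_control_file deferral is impossible: reject.
    [ -n "${auth_control_file:-}" ] && [ -r "$1" ] || return 1
    # Read now: OpenVPN deletes the credentials file once this script returns.
    creds=$(head -n 2 "$1")
    # Detached from stdio so nothing ties the job to the OpenVPN process.
    ( write_verdict "$creds" "$auth_control_file" ) </dev/null >/dev/null 2>&1 &
    return 2         # 2 = deferred; OpenVPN keeps forwarding traffic meanwhile
}

# Entry point. Started without an argument (not via-file mode) the test fails
# and the script ends non-zero, which OpenVPN treats as a rejection.
[ "$#" -ge 1 ] && { deferred_verify "$1"; exit $?; }
```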