Opened 12 years ago

Closed 12 years ago

Last modified 18 months ago

#222 closed Bug / Defect (wontfix)

hang in auth-user-pass-verify script causes hang in openvpn

Reported by: geoff.lovett@… Owned by:
Priority: major Milestone: release 2.5
Component: plug-ins / plug-in API Version: OpenVPN 2.1.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hello, when the auth-user-pass-verify script hangs for any reason, it causes the whole openvpn instance to hang, meaning all client traffic stops being passed, and clients timeout disconnect.

Thanks for an otherwise excellent product.
Geoff

Change History (3)

comment:1 Changed 12 years ago by David Sommerseth

Resolution: wontfix
Status: new → closed

This is a known issue. OpenVPN is single threaded, which means it is not easy to solve this for the script hooks. However, this can be solved by using 'deferred authentication' which is possible via the plug-in API.

An example plug-in for deferred authentication can be found in the source tree, in sample/sample-plugins/defer/simple.c :
http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn.git;a=blob;f=sample/sample-plugins/defer/simple.c;h=65398657d10fd954e09e4ec2f113763c2d6e3407;hb=HEAD

comment:2 Changed 5 years ago by Gert Döring

Found this in a discussion on the openvpn-users list today, which actually refers back to this bug...

https://engineering.freeagent.com/2017/05/22/external-authentication-scripts-in-openvpn-the-right-way/

... so, this is a plugin, which calls an external script, and does so asynchronously.

comment:3 Changed 18 months ago by Gert Döring

Milestone: release 2.5

So, to come back here, after too many years, and add some more documentation :-)

Starting with OpenVPN 2.5.0, not only plugins but also --auth-user-pass-verify and --client-connect scripts can be executed asynchronously - so no stalls in the main process while OpenVPN waits for the results.

In the OpenVPN manpage, look for "deferred" in the section about --auth-user-pass-verify:

              The script should examine the username and password, returning a
              success exit code (0) if the client's authentication request is
              to be accepted, a failure code (1) to reject the client, or a
              code (2) indicating that the authentication is deferred. If the
              authentication is deferred, the script must fork/start a
              background or another non-blocking operation to continue the
              authentication in the background. When finishing the
              authentication, a 1 or 0 must be written to the file specified
              by the auth_control_file.

(auth_control_file is an environment variable pointing to a file name)
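As an added example (not part of this ticket and not OpenVPN's own code), here is the script side of the deferred protocol that the manpage excerpt above describes, which is the script equivalent of the plug-in approach from comment:1. It is meant to be configured as `auth-user-pass-verify /path/to/deferred-auth.sh via-file`, so OpenVPN passes a temporary file as `$1` (username on line 1, password on line 2) and exports `auth_control_file` when it supports deferred auth. The backend check (`check_backend`) and its demo user are constructed stand-ins for the real directory or RADIUS lookup a deployment would perform.

```shell
#!/bin/sh
# Added example, not from the ticket or the OpenVPN source tree.
# Deferred --auth-user-pass-verify script for OpenVPN >= 2.5 (via-file mode).
# Exit codes toward OpenVPN:  0 accept, 1 reject, 2 deferred.
# Verdict written to $auth_control_file: 1 accept, 0 reject (note the
# different convention from the exit codes).

# Hypothetical slow backend. Stands in for an LDAP/RADIUS/HTTP check and
# sleeps to mimic the latency that would otherwise stall the daemon.
# Accepts only the constructed demo credentials.
check_backend() {
    user="$1"; pass="$2"
    sleep 1
    [ "$user" = "demo" ] && [ "$pass" = "demo-pass" ]
}

# Run the backend check and write the single-digit verdict OpenVPN polls for.
# Credentials are passed to a shell function inside a subshell, not exec'd
# as a separate program, so they never appear in another process's argv.
write_verdict() {
    user="$1"; pass="$2"; control="$3"
    if check_backend "$user" "$pass"; then
        printf '1' > "$control"
    else
        printf '0' > "$control"
    fi
}

# Entry point: $1 is the credentials file OpenVPN created for via-file mode.
# Returns 2 (deferred) when OpenVPN exported auth_control_file, otherwise
# falls back to a synchronous 0/1 result (which blocks OpenVPN's single
# thread for the duration of the check, the behaviour this ticket reports).
deferred_auth() {
    cred_file="$1"
    # Read both lines now; OpenVPN deletes the temp file once we return.
    user=$(sed -n '1p' "$cred_file")
    pass=$(sed -n '2p' "$cred_file")

    if [ -z "$auth_control_file" ]; then
        if check_backend "$user" "$pass"; then return 0; else return 1; fi
    fi

    # Detach the slow part: the subshell keeps running after this script
    # exits, so OpenVPN gets control back immediately.
    ( write_verdict "$user" "$pass" "$auth_control_file" ) \
        </dev/null >/dev/null 2>&1 &
    return 2
}

# When invoked by OpenVPN, $1 is set; when sourced for testing it is not.
if [ $# -gt 0 ]; then
    deferred_auth "$1"
    exit $?
fi
```

Two operational points follow from the protocol: the verdict file uses 1 for success and 0 for failure, the reverse of the exit-code convention, and a backend that never answers leaves the control file empty, so the client is only rejected when OpenVPN's own handshake timeout expires. Wrapping the backend call in a timeout that writes 0 on expiry keeps the rejection prompt and explicit.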
