Opened 3 years ago

Last modified 15 months ago

#581 accepted Bug / Defect

down-root plugin does not work with --daemon: Connection refused

Reported by: blueyed
Owned by: David Sommerseth
Priority: major
Milestone:
Component: plug-ins / plug-in API
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

I've noticed that the down-root plugin fails to run when --daemon is used:

Jul 19 22:14:31 localhost openvpn[1074]: PLUGIN_CALL: POST …/openvpn/LOCAL/lib/openvpn/plugins/openvpn-plugin-down-root.so/PLUGIN_DOWN status=1
Jul 19 22:14:31 localhost openvpn[1074]: PLUGIN_CALL: plugin function PLUGIN_DOWN failed with status 1: …/openvpn/LOCAL/lib/openvpn/plugins/openvpn-plugin-down-root.so

When also using --log-append, there will be more information:

openvpn: DOWN-ROOT: Error sending script execution signal to background process: Connection refused

I've noticed this with the Ubuntu/Debian packages, but also with Git master (4e1e3ba, plus a patch to re-allow the option to "plugin" (https://github.com/OpenVPN/openvpn/pull/27)).

I've installed it into LOCAL, and run it via:

sudo LOCAL/sbin/openvpn --cd /etc/openvpn --verb 10 --config /etc/openvpn/my.conf --daemon --log-append /tmp/updown.log

The config:

client
dev tun
proto tcp
remote XXXX
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ./foo.crt
cert ./foo.crt
key ./foo.key

ns-cert-type server
comp-lzo
verb 3
route-noexec
up "/etc/openvpn/foo.sh up"
plugin …/LOCAL/lib/openvpn/plugins/openvpn-plugin-down-root.so /etc/openvpn/foo.sh
script-security 2

Change History (5)

comment:1 Changed 3 years ago by blueyed

This is caused by systemd killing the process group by default.

KillMode=mixed should be used instead (or process).

Fixed in https://github.com/OpenVPN/openvpn/pull/28.

comment:3 Changed 15 months ago by David Sommerseth

I can confirm this issue is still present with OpenVPN 2.4.3, using openvpn-client@.service. Using KillMode=process resolved the issue, and I believe that is the best approach.

I will soon send a patch to the openvpn-devel mailing list.

comment:4 Changed 15 months ago by David Sommerseth

comment:5 Changed 15 months ago by David Sommerseth

Owner: set to David Sommerseth
Status: new → accepted

This issue has also been reported in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1281807
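
A check for the condition diagnosed in comment:1 and comment:3, as an added example that is not part of the ticket or of OpenVPN: it reports whether a config that loads the down-root plugin is paired with a unit whose KillMode is left at systemd's control-group default. The function names, file names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): flag an OpenVPN config that loads the
# down-root plugin while its systemd unit signals the whole control group.

# Effective KillMode of a unit file: last assignment wins, and systemd
# defaults to control-group when the setting is absent.
unit_killmode() {
    mode=$(sed -n '/^[[:space:]]*KillMode[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | tail -n 1)
    echo "${mode:-control-group}"
}

# Succeeds if the OpenVPN config has an active "plugin ...down-root.so" line.
uses_down_root() {
    grep -Eq '^[[:space:]]*plugin[[:space:]]+[^#;]*openvpn-plugin-down-root\.so' "$1"
}

# Prints N/A, OK or AT-RISK for one (config, unit) pair.
# process and mixed are the two settings named in the ticket as working.
check_pair() {
    if ! uses_down_root "$1"; then echo "N/A"; return 0; fi
    case $(unit_killmode "$2") in
        process|mixed) echo "OK" ;;
        *) echo "AT-RISK" ;;
    esac
}

# Constructed sample files (paths are placeholders), written into directory $1.
write_samples() {
    printf '%s\n' 'client' 'user nobody' 'group nogroup' \
        'plugin /opt/example/openvpn-plugin-down-root.so /etc/openvpn/foo.sh' > "$1/my.conf"
    printf '%s\n' 'client' \
        '# plugin /opt/example/openvpn-plugin-down-root.so /etc/openvpn/foo.sh' > "$1/noplugin.conf"
    printf '%s\n' '[Service]' 'ExecStart=/usr/sbin/openvpn --config my.conf' > "$1/default.service"
    printf '%s\n' '[Service]' 'ExecStart=/usr/sbin/openvpn --config my.conf' \
        'KillMode=process ' > "$1/fixed.service"
}

# Run with --demo to check the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    check_pair "$d/my.conf" "$d/default.service"
    check_pair "$d/my.conf" "$d/fixed.service"
    rm -rf "$d"
fi
```

On a real host, pass the output of `systemctl cat <unit>` saved to a file as the second argument so that drop-in overrides are included.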
