Opened 9 years ago
Closed 4 years ago
#581 closed Bug / Defect (fixed)
down-root plugin does not work with --daemon: Connection refused
| Reported by: | blueyed | Owned by: | David Sommerseth |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | plug-ins / plug-in API | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | tct |
Description
I've noticed that the down-root plugin fails to run when --daemon is used:
Jul 19 22:14:31 localhost openvpn[1074]: PLUGIN_CALL: POST …/openvpn/LOCAL/lib/openvpn/plugins/openvpn-plugin-down-root.so/PLUGIN_DOWN status=1
Jul 19 22:14:31 localhost openvpn[1074]: PLUGIN_CALL: plugin function PLUGIN_DOWN failed with status 1: …/openvpn/LOCAL/lib/openvpn/plugins/openvpn-plugin-down-root.so
When also using --log-append, there will be more information:
openvpn: DOWN-ROOT: Error sending script execution signal to background process: Connection refused
I've noticed this with the Ubuntu/Debian? packages, but also with Git master (4e1e3ba, plus a patch to re-allow the option to "plugin" (https://github.com/OpenVPN/openvpn/pull/27)).
I've installed it into LOCAL, and run it via:
sudo LOCAL/sbin/openvpn --cd /etc/openvpn --verb 10 --config /etc/openvpn/my.conf --daemon --log-append /tmp/updown.log
The config:
client dev tun proto tcp remote XXXX resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ca ./foo.crt cert ./foo.crt key ./foo.key ns-cert-type server comp-lzo verb 3 route-noexec up "/etc/openvpn/foo.sh up" plugin …/LOCAL/lib/openvpn/plugins/openvpn-plugin-down-root.so /etc/openvpn/foo.sh script-security 2
Change History (7)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
Reported for Debian at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792907.
comment:3 Changed 7 years ago by
I can confirm this issue is still present with OpenVPN 2.4.3, using openvpn-client@.service. Using KillMode=process resolved the issue, and I believe that is the best approach.
I will soon send a patch to the openvpn-devel mailing list.
comment:4 Changed 7 years ago by
Patch sent for review to the -devel mailing list:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html
comment:5 Changed 7 years ago by
| Owner: | set to David Sommerseth |
|---|---|
| Status: | new → accepted |
This issue have also been reported in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1281807
comment:6 Changed 4 years ago by
| Cc: | tct added |
|---|
comment:7 Changed 4 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
This is caused by systemd killing the process group by default.
KillMode=mixedshould be used instead (orprocess).Fixed in https://github.com/OpenVPN/openvpn/pull/28.