Opened 3 years ago

Last modified 9 months ago

#581 accepted Bug / Defect

down-root plugin does not work with --daemon: Connection refused

Reported by: blueyed
Owned by: David Sommerseth
Priority: major
Milestone:
Component: plug-ins / plug-in API
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


I've noticed that the down-root plugin fails to run when --daemon is used:

Jul 19 22:14:31 localhost openvpn[1074]: PLUGIN_CALL: POST …/openvpn/LOCAL/lib/openvpn/plugins/ status=1
Jul 19 22:14:31 localhost openvpn[1074]: PLUGIN_CALL: plugin function PLUGIN_DOWN failed with status 1: …/openvpn/LOCAL/lib/openvpn/plugins/

When also using --log-append, there will be more information:

openvpn: DOWN-ROOT: Error sending script execution signal to background process: Connection refused

I've noticed this with the Ubuntu/Debian packages, but also with Git master (4e1e3ba, plus a patch to re-allow the option to "plugin" (

I've installed it into LOCAL, and run it via:

sudo LOCAL/sbin/openvpn --cd /etc/openvpn --verb 10 --config /etc/openvpn/my.conf --daemon --log-append /tmp/updown.log

The config:

dev tun
proto tcp
remote XXXX
resolv-retry infinite
user nobody
group nogroup
ca ./foo.crt
cert ./foo.crt
key ./foo.key

ns-cert-type server
verb 3
up "/etc/openvpn/ up"
plugin …/LOCAL/lib/openvpn/plugins/ /etc/openvpn/
script-security 2

Change History (5)

comment:1 Changed 3 years ago by blueyed

This is caused by systemd killing the process group by default.

KillMode=mixed should be used instead (or process).

Fixed in

comment:3 Changed 9 months ago by David Sommerseth

I can confirm this issue is still present with OpenVPN 2.4.3, using openvpn-client@.service. Using KillMode=process resolved the issue, and I believe that is the best approach.

I will soon send a patch to the openvpn-devel mailing list.
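
The unit-file setting discussed in comments 1 and 3, as an added example that is not part of the ticket or of OpenVPN's packaging: a simplified shell check that reads a unit file plus its drop-ins and reports the effective KillMode. File names, unit contents and function names are constructed for illustration, and the parser ignores systemd details such as line continuations.

```shell
# Added example: simplified unit-file reader, not systemd's own loader.

# Print the KillMode that applies after reading the unit file and its
# drop-ins in the order given; a later KillMode= overrides an earlier one.
effective_killmode() {
    awk '
        BEGIN { mode = "control-group" }   # systemd default when KillMode= is unset
        FNR == 1 { in_service = 0 }        # each file starts outside any section
        /^[ \t]*[#;]/ { next }             # skip comment lines
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_service && /^[ \t]*KillMode[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (value != "") mode = value
        }
        END { print mode }
    ' "$@"
}

# Succeed only for the modes the ticket reports as working with down-root.
downroot_safe() {
    case "$1" in
        process|mixed) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for a unit file followed by its drop-ins.
check_unit() {
    km_mode=$(effective_killmode "$@")
    if downroot_safe "$km_mode"; then echo "OK KillMode=$km_mode"; else echo "RISK KillMode=$km_mode"; fi
}

# Constructed sample files (not the packaged openvpn-client@.service).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/openvpn-client@.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/openvpn --config %i.conf
EOF
cat > "$demo_dir/killmode.conf" <<'EOF'
[Service]
KillMode=process
EOF
check_unit "$demo_dir/openvpn-client@.service"
check_unit "$demo_dir/openvpn-client@.service" "$demo_dir/killmode.conf"
```

On a running system, `systemctl show -p KillMode <unit>` reports the value systemd actually applied.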

comment:4 Changed 9 months ago by David Sommerseth

comment:5 Changed 9 months ago by David Sommerseth

Owner: set to David Sommerseth
Status: new → accepted

This issue has also been reported in Fedora:
