Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#683 closed Bug / Defect (fixed)

openvpn 2.3.11 does not start up

Reported by: cudiaco Owned by:
Priority: major Milestone: release 2.3.12
Component: Generic / unclassified Version: OpenVPN 2.3.11 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: server, startup, failing
Cc: alimakki@…, Steffan Karger


Recently tried upgrading my server to the 2.3.11 release:

./configure --with-crypto-library=polarssl
make install

which works fine:

openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 17 2016
library versions: PolarSSL 1.3.16, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=polarssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins'

However when starting up OpenVPN it silently fails.

Tried to run it through gdb:

gdb --args /usr/sbin/openvpn --mode server --tls-server --multihome --port 8757 --proto udp --dev tun --up "/etc/openvpn/scripts/" --client-to-client --persist-key --persist-tun --ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt --cert /etc/openvpn/easy-rsa/2.0/keys/server.crt --key /etc/openvpn/easy-rsa/2.0/keys/server.key --dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem --tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0 --cipher AES-128-CBC --auth SHA256 --comp-lzo --server --push "topology subnet" --push "dhcp-option DNS" --push push "dhcp-option DNS 8.8.4.4" --max-clients 40 --user nobody --group nobody --keepalive 10 120 --status /etc/openvpn/log/faster-status.log --log /etc/openvpn/log/faster.log --verb 4 --mute 20
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/openvpn...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/sbin/openvpn --mode server --tls-server --multihome --port 8757 --proto udp --dev tun --up /etc/openvpn/scripts/ --client-to-client --persist-key --persist-tun --ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt --cert /etc/openvpn/easy-rsa/2.0/keys/server.crt --key /etc/openvpn/easy-rsa/2.0/keys/server.key --dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem --tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0 --cipher AES-128-CBC --auth SHA256 --comp-lzo --server --push topology\ subnet --push dhcp-option\ DNS\ --push push dhcp-option\ DNS\ --max-clients 40 --user nobody --group nobody --keepalive 10 120 --status /etc/openvpn/log/faster-status.log --log /etc/openvpn/log/faster.log --verb 4 --mute 20
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
[Inferior 1 (process 4116) exited with code 01]
(gdb) quit

Rolling back to the 2.3.10 release (compiled with the same PolarSSL version) worked fine.

Attachments (2)

server-fast.conf (769 bytes) - added by cudiaco 2 years ago.
udp server config
server.conf (863 bytes) - added by cudiaco 2 years ago.
tcp server config


Change History (4)

Changed 2 years ago by cudiaco

Attachment: server-fast.conf added

udp server config

Changed 2 years ago by cudiaco

Attachment: server.conf added

tcp server config

comment:1 Changed 2 years ago by Gert Döring

Cc: Steffan Karger added
Milestone: release 2.3.11 → release 2.3.12
Resolution: fixed
Status: new → closed

2.3.11 with polarssl is broken unless "--tls-cipher <list of ciphers>" is used. We noticed after release that one of the hardening patches had a side effect in 2.3 because a check present in master wasn't there yet. Apologies.

Patch is already in tree:

commit 629baad8f89af261445a2ace03694601f8e476f9
Author: Steffan Karger <steffan@…>
Date: Fri May 13 08:54:52 2016 +0200

Fix polarssl / mbedtls builds

Commit 8a399cd3 hardened the OpenSSL default cipher list,
but also introduced a change in shared code that causes
polarssl / mbedtls builds to break when no --tls-cipher is

This fix is backported code from the master branch.

Signed-off-by: Steffan Karger <steffan@…>
Acked-by: Gert Doering <gert@…>
Message-Id: <1463122492-701-1-git-send-email-steffan@…>

... and will be released as part of 2.3.12 this week.

I'm closing this ticket (as the bugfix is already in tree).
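A pre-upgrade check for the condition described in this ticket, added here as an example and not part of the ticket or of OpenVPN itself: it reads the first line of `openvpn --version` and the server config and flags a 2.3.11 PolarSSL build that has no `tls-cipher` set (the trigger for the startup failure). The banner and config below are constructed samples in the shape of the ones on this page; the cipher-suite names in them are illustrative only.

```python
import re

# Constructed sample in the shape of the ticket's "openvpn --version" output.
VERSION_BANNER = (
    "OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] "
    "[MH] [IPv6] built on May 17 2016\n"
    "library versions: PolarSSL 1.3.16, LZO 2.06\n"
)
# Constructed server config: no effective tls-cipher line (the ';' line is a comment).
SERVER_CONF = """\
mode server
tls-server
port 8757
proto udp
dev tun
cipher AES-128-CBC
auth SHA256
;tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
"""

AFFECTED_VERSION = "2.3.11"  # per the ticket; fixed in 2.3.12

def parse_version(banner):
    """Return (version, ssl_backend) parsed from the first line of the banner."""
    m = re.search(r"OpenVPN (\d+\.\d+\.\d+) \S+ \[SSL \(([^)]+)\)\]", banner)
    if not m:
        raise ValueError("unrecognised openvpn --version banner")
    return m.group(1), m.group(2)

def config_directives(text):
    """Yield (directive, args) for each effective config line; '#'/';' start comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")

def needs_tls_cipher_workaround(banner, conf_text, cmdline_args=()):
    """True when the build matches the ticket: 2.3.11 + PolarSSL and no tls-cipher
    given either in the config file or as --tls-cipher on the command line."""
    version, backend = parse_version(banner)
    if version != AFFECTED_VERSION or backend.lower() != "polarssl":
        return False
    in_conf = any(d == "tls-cipher" for d, _ in config_directives(conf_text))
    on_cli = "--tls-cipher" in cmdline_args
    return not (in_conf or on_cli)
```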

comment:2 Changed 2 years ago by Gert Döring

Version: git master branch → 2.3.11