HTTPS connection crashes OpenVPN server

[jimc]

This is for openvpn-2.4.2 from OpenSuSE Tumbleweed (2.4.3 coming soon, I hope).

I have 2 server instances listening on ports 1194/udp and 443/tcp. The latter is to fake out hotel Wi-fi and national firewalls. This isn't a proxy setup; the server is just listening there. No problems on 1194/udp. But when a web crawler does HTTPS things on 443/tcp, the server crashes. On openvpn-2.3.8 it would just complain about a protocol error and kill the connection.

Suggestion: It would be really great if the server could recognize a HTTPS connection and take a fast path to oblivion, with maybe a 1-line error message.

(Attaching syslog debug output and the conf file.)

[jimc]

Syslog (debug) of OpenVPN starting up and crashing.

[jimc]

OpenVPN configuration file for port 443/tcp

[Gert Döring]

From the log I see the server complain about "--mtu-disc not supported on this OS", and then exiting due to a fatal error.

Removing this from the config should stop the "crash" from happening (it's not a crash but an orderly shutdown on a failure).

Not sure why the error is happening in the first place - there was a related bug found and fixed before 2.4_alpha1 (commit ed5d0fe5097a26206a6a7d4463622461a0987655), but this should be in your 2.4.2 version.

[Gert Döring]

A patch for this has been committed to the tree yesterday:

commit 682e7feac3bd57e6ce7e60504cb4da5c894d0e18 (master)
commit b3b7d073ce05fa6b11a28f9e70d66c4907274db5 (release/2.4)
Author: Antonio Quartulli
Date: Thu Sep 7 17:55:30 2017 +0800

tcp-server: ensure AF family is propagated to child context

which will fix this particular issue.

The patch will be in 2.4.4.

As a workaround until distributions pick up 2.4.4 (or the patch), just remove --mtu-disc, because it does not do anything useful for TCP connections anyway (the kernel cares for MTU on TCP connections).