#933 closed Bug / Defect (fixed)

HTTPS connection crashes OpenVPN server

Reported by: jimc Owned by:
Priority: major Milestone: release 2.4.4
Component: Networking Version: OpenVPN 2.4.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

This is for openvpn-2.4.2 from OpenSuSE Tumbleweed (2.4.3 coming soon, I hope).

I have 2 server instances listening on ports 1194/udp and 443/tcp. The latter is to fake out hotel Wi-fi and national firewalls. This isn't a proxy setup; the server is just listening there. No problems on 1194/udp. But when a web crawler does HTTPS things on 443/tcp, the server crashes. On openvpn-2.3.8 it would just complain about a protocol error and kill the connection.

Suggestion: It would be really great if the server could recognize a HTTPS connection and take a fast path to oblivion, with maybe a 1-line error message.

(Attaching syslog debug output and the conf file.)

Attachments (2)

ovpn.log (3.0 KB) - added by jimc 13 months ago.
Syslog (debug) of OpenVPN starting up and crashing.
server443.conf (4.9 KB) - added by jimc 13 months ago.
OpenVPN configuration file for port 443/tcp


Change History (4)

Changed 13 months ago by jimc

Attachment: ovpn.log added

Syslog (debug) of OpenVPN starting up and crashing.

Changed 13 months ago by jimc

Attachment: server443.conf added

OpenVPN configuration file for port 443/tcp

comment:1 Changed 13 months ago by Gert Döring

Version: 2.2.2 → 2.4.2

From the log I see the server complain about "--mtu-disc not supported on this OS", and then exiting due to a fatal error.

Removing this from the config should stop the "crash" from happening (it's not a crash but an orderly shutdown on a failure).

Not sure why the error is happening in the first place - there was a related bug found and fixed before 2.4_alpha1 (commit ed5d0fe5097a26206a6a7d4463622461a0987655), but this should be in your 2.4.2 version.

comment:2 Changed 13 months ago by Gert Döring

Milestone: release 2.4.4
Resolution: fixed
Status: new → closed

A patch for this has been committed to the tree yesterday:

commit 682e7feac3bd57e6ce7e60504cb4da5c894d0e18 (master)
commit b3b7d073ce05fa6b11a28f9e70d66c4907274db5 (release/2.4)
Author: Antonio Quartulli
Date: Thu Sep 7 17:55:30 2017 +0800

tcp-server: ensure AF family is propagated to child context

which will fix this particular issue.

The patch will be in 2.4.4.

As a workaround until distributions pick up 2.4.4 (or the patch), just remove --mtu-disc, because it does not do anything useful for TCP connections anyway (the kernel cares for MTU on TCP connections).
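Added example, not part of the ticket, its attachments, or the OpenVPN project: a small Python check that implements the workaround from comment 2 mechanically, flagging any mtu-disc directive in a config whose proto is a TCP variant and producing a copy with those lines removed. The config text inside the block is constructed for illustration and is not the attached server443.conf; the function names are my own.

```python
"""Flag and strip --mtu-disc from an OpenVPN config that listens on TCP.

Added example for OpenVPN ticket #933, not OpenVPN project code.
SAMPLE_CONFIG below is constructed to resemble a 443/tcp server config;
it is not the server443.conf attached to the ticket.
"""

# Constructed sample config (assumption: typical server directives only).
SAMPLE_CONFIG = """\
port 443
proto tcp-server
dev tun443
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.1.0 255.255.255.0
mtu-disc yes
keepalive 10 60
verb 3
"""

# proto values that make the instance a TCP listener (server side).
TCP_PROTOS = {"tcp", "tcp-server", "tcp4", "tcp4-server", "tcp6", "tcp6-server"}


def parse_directives(config_text):
    """Yield (line_no, directive, args) for each non-comment config line.

    OpenVPN config files accept both 'mtu-disc yes' and '--mtu-disc yes',
    so a leading '--' is stripped before comparing directive names.
    """
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        parts = stripped.split()
        yield line_no, parts[0].lstrip("-"), parts[1:]


def find_tcp_mtu_disc(config_text):
    """Return the line numbers of mtu-disc directives, but only when the
    config's proto is a TCP variant; mtu-disc on UDP is left alone."""
    proto_is_tcp = False
    mtu_disc_lines = []
    for line_no, directive, args in parse_directives(config_text):
        if directive == "proto" and args and args[0] in TCP_PROTOS:
            proto_is_tcp = True
        elif directive == "mtu-disc":
            mtu_disc_lines.append(line_no)
    return mtu_disc_lines if proto_is_tcp else []


def strip_mtu_disc(config_text):
    """Return the config with the offending mtu-disc lines removed.

    This is the workaround from the ticket: on a TCP listener the kernel
    handles path MTU, so the directive contributes nothing there.
    """
    offending = set(find_tcp_mtu_disc(config_text))
    kept = [raw for n, raw in enumerate(config_text.splitlines(), 1)
            if n not in offending]
    trailer = "\n" if config_text.endswith("\n") else ""
    return "\n".join(kept) + trailer


if __name__ == "__main__":
    for n in find_tcp_mtu_disc(SAMPLE_CONFIG):
        print(f"line {n}: mtu-disc on a TCP listener; remove it (ticket #933)")
    print(strip_mtu_disc(SAMPLE_CONFIG), end="")
```

Run it against each server config before upgrading to 2.4.4; instances using proto udp are reported clean, since the ticket only concerns the TCP server path.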
