Opened 7 years ago
Closed 7 years ago
#933 closed Bug / Defect (fixed)
HTTPS connection crashes OpenVPN server
Reported by: | jimc | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.4.4 |
Component: | Networking | Version: | OpenVPN 2.4.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
This is for openvpn-2.4.2 from OpenSuSE Tumbleweed (2.4.3 coming soon, I hope).
I have 2 server instances listening on ports 1194/udp and 443/tcp. The latter is to fake out hotel Wi-fi and national firewalls. This isn't a proxy setup; the server is just listening there. No problems on 1194/udp. But when a web crawler does HTTPS things on 443/tcp, the server crashes. On openvpn-2.3.8 it would just complain about a protocol error and kill the connection.
Suggestion: It would be really great if the server could recognize an HTTPS connection and take a fast path to oblivion, with maybe a 1-line error message.
(Attaching syslog debug output and the conf file.)
Attachments (2)
Change History (4)
Changed 7 years ago by
Changed 7 years ago by
Attachment: | server443.conf added |
---|
OpenVPN configuration file for port 443/tcp
comment:1 Changed 7 years ago by
Version: | 2.2.2 → 2.4.2 |
---|
From the log I see the server complain about "--mtu-disc not supported on this OS", and then exiting due to a fatal error.
Removing this from the config should stop the "crash" from happening (it's not a crash but an orderly shutdown on a failure).
Not sure why the error is happening in the first place - there was a related bug found and fixed before 2.4_alpha1 (commit ed5d0fe5097a26206a6a7d4463622461a0987655), but this should be in your 2.4.2 version.
comment:2 Changed 7 years ago by
Milestone: | → release 2.4.4 |
---|---|
Resolution: | → fixed |
Status: | new → closed |
A patch for this has been committed to the tree yesterday:
commit 682e7feac3bd57e6ce7e60504cb4da5c894d0e18 (master)
commit b3b7d073ce05fa6b11a28f9e70d66c4907274db5 (release/2.4)
Author: Antonio Quartulli
Date: Thu Sep 7 17:55:30 2017 +0800
tcp-server: ensure AF family is propagated to child context
which will fix this particular issue.
The patch will be in 2.4.4.
As a workaround until distributions pick up 2.4.4 (or the patch), just remove --mtu-disc, because it does not do anything useful for TCP connections anyway (the kernel cares for MTU on TCP connections).
Syslog (debug) of OpenVPN starting up and crashing.
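One way to audit server configs for the workaround from comment 2, as an added example (not part of the ticket or of OpenVPN's code): it flags active mtu-disc directives in a config whose proto is a TCP variant and can emit the config without them. The function names and the sample configs are constructed for illustration, and the check assumes proto is set in the same file.

```python
"""Flag --mtu-disc in OpenVPN configs that run over TCP (added example)."""

# Constructed sample resembling a 443/tcp server config; not the ticket's attachment.
SAMPLE_TCP_CONF = """\
# server on 443/tcp
port 443
proto tcp-server
dev tun
;mtu-disc no
mtu-disc yes
"""

# Constructed UDP sample: mtu-disc is left alone here.
SAMPLE_UDP_CONF = "port 1194\nproto udp\nmtu-disc yes\n"


def directives(text):
    """Yield (lineno, name, args) for each active directive in a config."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or whole-line comment
            continue
        tokens = line.split()
        name = tokens[0]
        if name.startswith("--"):         # "--" prefix is optional in config files
            name = name[2:]
        yield lineno, name, tokens[1:]


def tcp_mtu_disc_lines(text):
    """Return line numbers of mtu-disc directives if the config uses a TCP proto."""
    uses_tcp = False
    hits = []
    for lineno, name, args in directives(text):
        if name == "proto" and args and args[0].startswith("tcp"):
            uses_tcp = True               # tcp, tcp-server, tcp4-server, tcp6-server, ...
        elif name == "mtu-disc":
            hits.append(lineno)
    return hits if uses_tcp else []


def without_mtu_disc(text):
    """Return the config text with the flagged mtu-disc lines dropped."""
    drop = set(tcp_mtu_disc_lines(text))
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in drop]
    return "\n".join(kept) + "\n"
```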