During the investigation of a Debian bug report regarding file exhaustion when LDAP+TLS authentication is used, I found that the openvpn server terminates with SIGTERM when there is a valid connection that requires authentication but the password is incorrect (regardless of whether the user account exists or not). The client and server are set up with TLS support, the server uses LDAP for authentication (also over TLS, but I don't think this matters) via PAM. It looks as though the crash is due to /sbin/ip not being able to delete the tun0 device (although I'm not sure why it wants to).

On the server, I get this output:

# openvpn --config /etc/openvpn/openvpn.conf --script-security 2
Wed Sep 2 14:16:49 2009 OpenVPN 2.1_rc15 i586-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 26 2009
Wed Sep 2 14:16:49 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Sep 2 14:16:49 2009 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Sep 2 14:16:50 2009 WARNING: file '/etc/openvpn/ServerKey.pem' is group or others accessible
Wed Sep 2 14:16:50 2009 WARNING: file '/etc/openvpn/tls-auth.key' is group or others accessible
Wed Sep 2 14:16:50 2009 Control Channel Authentication: using '/etc/openvpn/tls-auth.key' as a OpenVPN static key file
Wed Sep 2 14:16:50 2009 LZO compression initialized
Wed Sep 2 14:16:50 2009 TUN/TAP device tun0 opened
Wed Sep 2 14:16:50 2009 /sbin/ip link set dev tun0 up mtu 1500
Wed Sep 2 14:16:50 2009 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Sep 2 14:16:50 2009 GID set to nobody
Wed Sep 2 14:16:50 2009 UID set to nobody
Wed Sep 2 14:16:50 2009 UDPv4 link local (bound): [undef]:1194
Wed Sep 2 14:16:50 2009 UDPv4 link remote: [undef]
AUTH-PAM: BACKGROUND: user 'george' failed to authenticate: User not known to the underlying authentication module
Wed Sep 2 14:17:07 2009 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Sep 2 14:17:07 2009 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Sep 2 14:17:07 2009 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.8.0.1 10.8.0.2'
Wed Sep 2 14:17:07 2009 [odxfc11.annvix.ca] Peer Connection Initiated with 192.168.251.130:1194
Wed Sep 2 14:17:08 2009 Initialization Sequence Completed
Wed Sep 2 14:17:10 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Sep 2 14:17:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Sep 2 14:17:13 2009 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Wed Sep 2 14:17:13 2009 Linux ip addr del failed: external program exited with error status: 2
Wed Sep 2 14:17:13 2009 SIGTERM[soft,delayed-exit] received, process exiting

The server is Fedora 11 32bit, the client is Fedora 11 64bit. Both are running in vmware. The server is using LDAP for authentication via PAM.
The server is using the following for its config:

dev tun
ifconfig 10.8.0.1 10.8.0.2
#secret static.key
tls-server
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/tls-auth.key
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/ServerCert.pem
key /etc/openvpn/ServerKey.pem
proto udp

and the client is using:

remote 192.168.251.129
dev tun
ifconfig 10.8.0.2 10.8.0.1
#secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
auth-user-pass
tls-client
pull
ca /etc/openvpn/cacert.pem
tls-auth /etc/openvpn/tls-auth.key
proto udp
client
cert /etc/openvpn/ClientCert.pem
key /etc/openvpn/ClientKey.pem

This could be construed as a low impact security issue (DoS) except for all of the TLS stuff involved (which looks to be a pre-requisite for user/pass authentication). This means only a trusted user can DoS the openvpn server by providing bad credentials (either on purpose or by mistake). I don't think openvpn should be crashing if it can't remove the route (I'm actually not even sure why it's doing that... I would think it would close the connection and keep listening for future connections). I'm not very proficient with openvpn, so I'm not sure what the expected behaviour is here, but this sure feels wrong. Especially considering entries like this in /var/log/messages:

Sep 2 12:00:35 odvfc11 kernel: openvpn[32162]: segfault at 0 ip 00c2aa4a sp bfb77ce0 error 4 in openvpn-auth-pam.so[c2a000+2000]
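Two of the conditions visible in the report above can be checked mechanically before the daemon is started: the two WARNING lines about ServerKey.pem and tls-auth.key being group or others accessible, and the combination of `user nobody`/`group nobody` with an `ifconfig` address that OpenVPN added via /sbin/ip as root and then could not remove once it had dropped to nobody ("RTNETLINK answers: Operation not permitted"). The Python below is an added example written for this page, not code from the bug report or from the OpenVPN project. The permission test it applies (any group or other permission bit set) is an assumption drawn from the wording of OpenVPN's warning, the list of secret-file directives it inspects is likewise assumed, and the key files it examines are constructed placeholders in a temporary directory rather than anything under /etc/openvpn.

```python
"""Lint an OpenVPN server config for the two conditions shown in the log:
secret files that are group/other accessible, and a privilege drop combined
with an ifconfig address whose teardown will run unprivileged."""
import os
import shlex
import stat
import tempfile

# The server config from the bug report, one directive per line.
SERVER_CONF = """\
dev tun
ifconfig 10.8.0.1 10.8.0.2
#secret static.key
tls-server
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/tls-auth.key
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/ServerCert.pem
key /etc/openvpn/ServerKey.pem
proto udp
"""

# Directives whose argument is private key material. `key` and `tls-auth` are
# the two the log warned about; `secret` (static key) is assumed to be treated
# the same way. `ca`, `cert` and `dh` are public and deliberately not listed.
SECRET_FILE_DIRECTIVES = ("key", "tls-auth", "secret")


def parse_config(text):
    """Return [(directive, [args...])], dropping comments and blank lines.

    shlex keeps the quoted plugin argument string together, so the whole
    "login login USERNAME password PASSWORD" string is one argument.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def group_or_others_accessible(path):
    """True if any group or other permission bit is set (assumed to match
    the condition behind OpenVPN's 'group or others accessible' warning)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def lint(entries, resolve=lambda p: p):
    """Return a list of finding strings for a parsed config.

    `resolve` maps a path as written in the config to the path actually
    inspected, so the check can run against a scratch directory."""
    directives = {d for d, _ in entries}
    findings = []

    # The ifconfig address is added with /sbin/ip while still root; the
    # matching `ip addr del` at shutdown runs after user/group dropped
    # privileges, which is the failure the log shows.
    if "ifconfig" in directives and directives & {"user", "group"}:
        findings.append(
            "user/group privilege drop combined with ifconfig: the shutdown "
            "'/sbin/ip addr del' runs unprivileged and fails (Operation not permitted)"
        )

    for directive, args in entries:
        if directive not in SECRET_FILE_DIRECTIVES or not args:
            continue
        real = resolve(args[0])
        if not os.path.exists(real):
            findings.append(f"{directive}: {args[0]} does not exist")
        elif group_or_others_accessible(real):
            findings.append(f"{directive}: {args[0]} is group or others accessible")
    return findings


def demo():
    """Run the linter on the reported config against constructed placeholder
    files: ServerKey.pem left at 0644 (as the warning implies) and tls-auth.key
    corrected to 0600, so only the former should be reported."""
    entries = parse_config(SERVER_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("ServerKey.pem", 0o644), ("tls-auth.key", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
            os.chmod(path, mode)

        def resolve(config_path):
            # Map /etc/openvpn/<name> onto the scratch directory.
            return os.path.join(tmp, os.path.basename(config_path))

        return lint(entries, resolve)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Note that the `persist-tun` already present in the reported config does not avoid the failing `ip addr del` here: per the openvpn man page it only keeps the device open across SIGUSR1 and --ping-restart restarts, and the log shows the process leaving through a SIGTERM exit, where the device is closed regardless.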
openvpn-2.1.1-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/openvpn-2.1.1-2.fc12
openvpn-2.1.1-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openvpn'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0249
openvpn-2.1.1-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update openvpn'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0504
openvpn-2.1.1-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
openvpn-2.1.1-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.