Package: openvpn
Version: 2.1~rc11-1
Severity: important
This bug is related to tunnels using UDP as a transport protocol and the "keepalive" option to auto-restart the tunnel on stale connections. If there is a short network outage between the tunnel endpoints and the "keepalive" option is used, the openvpn daemon will automatically restart the tunnel to reinitiate the connection. To do this it will close the network socket and reopen it again. If the other side sends a UDP packet that arrives between the closing and reopening of the socket, it will receive an ICMP message "port unreachable". In the daemon.log on both machines this will look something like this:

Jun 30 17:06:30 zefiris ovpn-01agito[2929]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jun 30 17:06:30 zefiris ovpn-01agito[2929]: SIGUSR1[soft,ping-restart] received, process restarting
Jun 30 17:06:31 agito ovpn-01zefi[2176]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Jun 30 17:06:32 zefiris ovpn-01agito[2929]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Jun 30 17:06:32 zefiris ovpn-01agito[2929]: Re-using SSL/TLS context
Jun 30 17:06:32 zefiris ovpn-01agito[2929]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1451)
Jun 30 17:06:32 zefiris ovpn-01agito[2929]: Preserving previous TUN/TAP instance: tun0
Jun 30 17:06:32 zefiris ovpn-01agito[2929]: UDPv4 link local (bound): XXX.XX.XX.XX:1601
Jun 30 17:06:32 zefiris ovpn-01agito[2929]: UDPv4 link remote: XX.XX.XXX.XXX:1601

The problem here is that the Linux kernel will report this error, which only happened once, on every read after that as an "ECONNREFUSED" error (even though the "read" man page doesn't even mention this as a valid error for "read").
So if this error happens only once, the tunnel will break and the daemon.log will be spammed with this error message:

Jun 30 17:33:35 agito ovpn-01zefi[2176]: read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)
Jun 30 17:33:35 agito ovpn-01zefi[2176]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Jun 30 17:34:03 agito last message repeated 5 times
Jun 30 17:34:57 agito last message repeated 10 times
Jun 30 17:36:19 agito last message repeated 11 times
Jun 30 17:37:12 agito last message repeated 9 times
Jun 30 17:38:10 agito last message repeated 7 times
Jun 30 17:39:17 agito last message repeated 10 times
[...]

The only way to get the tunnel back up is to restart the openvpn daemon. Instead of just reporting this error, openvpn should close the UDP socket and reopen it to get the tunnel back up.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.27.4 (PREEMPT)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.24            Debian configuration management sy
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  liblzo2-2              2.03-1            data compression library
ii  libpam0g               1.0.1-5+lenny1    Pluggable Authentication Modules l
ii  libpkcs11-helper1      1.05-1            library that simplifies the intera
ii  libssl0.9.8            0.9.8g-15+lenny1  SSL shared libraries
ii  openssl-blacklist      0.4.2             list of blacklisted OpenSSL RSA ke
ii  openvpn-blacklist      0.3               list of blacklisted OpenVPN RSA sh

Versions of packages openvpn recommends:
ii  net-tools              1.60-22           The NET-3 networking toolkit

Versions of packages openvpn suggests:
ii  openssl                0.9.8g-15+lenny1  Secure Socket Layer (SSL) binary a
pn  resolvconf             <none>            (no description available)

-- debconf information:
* openvpn/vulnerable_prng:
  openvpn/change_init: false
* openvpn/change_init2: true
* openvpn/create_tun: true
* openvpn/stop2upgrade: false
  openvpn/default_port:
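As an added example, not code from the bug report or from OpenVPN, the following C program reproduces the mechanism described above on the loopback interface and shows the recovery the report asks for. It assumes a Linux-style UDP stack where a datagram sent to a port nobody listens on draws an ICMP "port unreachable" and a connected UDP socket surfaces that on its next read as ECONNREFUSED. All ports are ephemeral and constructed for the demo; the helper names (udp_bound, udp_connected, recv_or_reconnect, demo_econnrefused_recovery) are the example's own, not anything from openvpn.

```c
/* Added example (not from the bug report or OpenVPN). Reproduces on loopback
 * how an ICMP "port unreachable" reaches a connected UDP socket as
 * ECONNREFUSED, then recovers the way the report suggests: throw the socket
 * away and open a fresh one instead of retrying read() on it. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

static struct sockaddr_in loopback(uint16_t port) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    return a;
}

/* UDP socket bound to 127.0.0.1:port (0 = ephemeral) with a 1 s receive
 * timeout so nothing in the demo blocks forever. Stores the bound port. */
static int udp_bound(uint16_t port, uint16_t *bound) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a = loopback(port);
    socklen_t len = sizeof a;
    struct timeval tv = { 1, 0 };
    if (bind(fd, (struct sockaddr *)&a, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
        close(fd);
        return -1;
    }
    if (bound) *bound = ntohs(a.sin_port);
    return fd;
}

/* Bound socket connected to a loopback peer. connect() is what makes the
 * kernel deliver ICMP errors about that peer to this socket at all. */
static int udp_connected(uint16_t local, uint16_t peer, uint16_t *bound) {
    int fd = udp_bound(local, bound);
    if (fd < 0) return -1;
    struct sockaddr_in p = loopback(peer);
    if (connect(fd, (struct sockaddr *)&p, sizeof p) < 0) { close(fd); return -1; }
    return fd;
}

/* Read one datagram. On ECONNREFUSED, replace the socket with a fresh one on
 * the same local port and peer rather than logging and reading again.
 * Returns bytes read, 0 after a reconnect, -1 on any other failure. */
static ssize_t recv_or_reconnect(int *fd, uint16_t local, uint16_t peer,
                                 char *buf, size_t len) {
    ssize_t n = recv(*fd, buf, len, 0);
    if (n >= 0) return n;
    if (errno != ECONNREFUSED) return -1;
    close(*fd);
    *fd = udp_connected(local, peer, NULL);
    return *fd < 0 ? -1 : 0;
}

/* Walk through the report's scenario. Returns 1 if ECONNREFUSED was observed
 * and the rebuilt socket talks to the returned peer, -1 otherwise. */
int demo_econnrefused_recovery(void) {
    uint16_t peer_port, my_port;
    char buf[64];

    /* Peer opens a socket and closes it: the remote openvpn between closing
     * and reopening its socket during a ping-restart. */
    int peer = udp_bound(0, &peer_port);
    if (peer < 0) return -1;
    close(peer);

    int fd = udp_connected(0, peer_port, &my_port);
    if (fd < 0) return -1;
    if (send(fd, "ping", 4, 0) != 4) { close(fd); return -1; }

    /* The unanswered datagram draws ICMP port unreachable; the next read
     * surfaces it as ECONNREFUSED and the helper rebuilds the socket. */
    if (recv_or_reconnect(&fd, my_port, peer_port, buf, sizeof buf) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }

    /* Peer is back on the same port; the rebuilt socket must reach it. */
    peer = udp_bound(peer_port, NULL);
    if (peer < 0) { close(fd); return -1; }
    int ok = send(fd, "ping", 4, 0) == 4 &&
             recv(peer, buf, sizeof buf, 0) == 4 && memcmp(buf, "ping", 4) == 0;
    close(fd);
    close(peer);
    return ok ? 1 : -1;
}

int main(void) {
    int r = demo_econnrefused_recovery();
    printf("%s\n", r == 1 ? "ECONNREFUSED seen, socket rebuilt, tunnel back"
                          : "demo failed (no loopback, or different error semantics)");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -Wall -o udp_refused udp_refused.c` and run it on a host with a loopback interface. The design point is in recv_or_reconnect: the error is treated as a signal about the socket's state, not as a transient read failure, so the daemon's read loop rebuilds the socket once instead of logging the same ECONNREFUSED until someone restarts it.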