FS#52414 - [openvpn] openvpn-plugin-down-root.so doesn't work

Attached to Project: Arch Linux
Opened by Bogdan Szczurek (thebodzio) - Saturday, 07 January 2017, 16:23 GMT
Last edited by Eli Schwartz (eschwartz) - Friday, 27 July 2018, 15:38 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



down-root plugin exits with an error whenever it is used by OpenVPN configured to run with dropped privileges. As a result any script that was to be executed by the mentioned plugin with elevated privileges is not executed at all, precluding any final clean-up from happening.

For more information look at https://github.com/OpenVPN/openvpn/pull/28. Although referenced pull request is reported as closed the problem still persist in Arch. What appears to solve the problem (I tested it myself) is setting “KillMode” to “process” in client service file.

For completeness I have to add that I made sure the script I want to run on connection down is accessible and executable by down-root plugin and it otherwise works as intended.

Additional info:
* package version(s): 2.4.0-2
* config and/or log files etc.

Jan 06 17:57:38 gizmo openvpn[10462]: openvpn: DOWN-ROOT: Error sending script execution signal to background process: Connection refused
Jan 06 17:57:38 gizmo openvpn[10462]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so/PLUGIN_DOWN status=1
Jan 06 17:57:38 gizmo openvpn[10462]: PLUGIN_CALL: plugin function PLUGIN_DOWN failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so
Jan 06 17:57:38 gizmo openvpn[10462]: ERROR: up/down plugin call failed

Steps to reproduce:

1. Set connection configuration file for client to drop privileges upon connection (“user nobody” and “group nobody”).
2. In the same config use down-root plugin to execute script when connection terminates, e.g. “plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so /etc/openvpn/client.down”.
3. Start client connection.
4. Close client connection.
This task depends upon

Closed by  Eli Schwartz (eschwartz)
Friday, 27 July 2018, 15:38 GMT
Reason for closing:  Fixed
Additional comments about closing:  was fixed in upstream release 2.4.4, we're now on 2.4.6
Comment by Bogdan Szczurek (thebodzio) - Wednesday, 27 June 2018, 00:00 GMT
The upstream changed the “KillMode” to “process” almost a year ago. Since this change is also reflected in Arch OpenVPN package I think this bug should be closed as already fixed and no longer relevant.