auth-user-pass-verify causing errors/crashes?

Post by ceraldi » Mon May 16, 2011 1:57 pm

All,
Recently we started receiving an error on one of our concentrators. This box has about 750 +/- client connections and seems to be locking up and requiring a restart of the openvpn service about 10 times per day. We are using a custom "auth-user-pass-verify" script written in Perl to auth the users against freeradius.
The errors we are receiving are listed below. The server is working and authenticating users just fine for a while, then without warning it will blow up and throw the errors and need to be restarted.
Any help you can provide would be great.

Thanks,
Aaron

May 12 20:23:22 csg2 openvpn[2686]: 64.xxx.xxx.x:42136 WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
May 12 20:23:22 csg2 openvpn[2686]: 64.xxx.xxx.x:42136 TLS Auth Error: Auth Username/Password verification failed for peer

then

May 12 20:23:23 csg2 openvpn[2686]: TCP/UDP: Closing socket
May 12 20:23:23 csg2 openvpn[2686]: WARNING: Failed running command (--client-disconnect): external program fork failed

Post by janjust » Mon May 16, 2011 3:14 pm

Depends a bit on your server config....
Is 'script-security 2' present in the server config?
Can you try

Code: Select all

script-security 3 system

just to test; is there enough memory available for the external fork? Does the script run stand-alone (i.e. just start the script on the command line)?

Post by ceraldi » Mon May 16, 2011 3:59 pm

janjust wrote: Depends a bit on your server config....
Is 'script-security 2' present in the server config?
Can you try

Code: Select all

script-security 3 system

just to test; is there enough memory available for the external fork? Does the script run stand-alone (i.e. just start the script on the command line)?


Here is the config from the server.

Code: Select all

daemon
verb 4
status /opt/openvpn/status/vtun1.status 30
dev-type tun
dev vtun1
mode server
tls-server
topology p2p
keepalive 10 60
lport 443
proto tcp-server
ca /opt/openvpn/easy-rsa/keys/ca.crt
cert /opt/openvpn/easy-rsa/keys/csg2.crt
key /opt/openvpn/easy-rsa/keys/csg2.key
crl-verify /opt/openvpn/easy-rsa/keys/crl.pem
dh /opt/openvpn/easy-rsa/keys/dh2048.pem
server 10.x.x.x 255.255.248.0 
script-security 3
client-config-dir /opt/openvpn/ccd
ccd-exclusive
client-connect /opt/openvpn/client-connect.sh
client-disconnect /opt/openvpn/client-connect.sh
push route 10.x.x.x 255.255.254.0
push route 10.x.x.x 255.255.255.0
push route 10.x.x.x 255.255.255.0
txqueuelen 3000
tcp-queue-limit 1000
tcp-nodelay
reneg-sec 28800
comp-lzo no
auth-user-pass-verify /opt/openvpn/radauth.pl via-env

Here is one of the clients:

Code: Select all

client 1
dev tun
proto tcp
comp-lzo no
remote csg2 443
auth-retry nointeract
nobind
persist-key
persist-tun
ca /etc/config/sslca.crt
cert /etc/config/MA.crt
key /etc/config/MA.key
ns-cert-type server
verb 3
dev-node /dev/net/tun
pull
auth-user-pass /etc/config/up

Post by janjust » Tue May 17, 2011 10:11 am

Your server and client config do not look too weird ;)
Did you try using

Code: Select all

script-security 3 system

Can you run the Perl script on the command line?
What are the ulimit settings prior to starting openvpn?
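
The two things asked about in the replies (memory available for the fork, and the ulimit settings the daemon started with) can be read from /proc for the running process rather than from a login shell. The script below is an added example, not part of the thread; it assumes a Linux host with /proc and procps `ps`, and the function names, the script name and the sample limits table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): compare the limits a running
# OpenVPN daemon actually has with what it is currently using.

# soft_limit NAME: read /proc/<pid>/limits-format text on stdin and
# print the soft value for NAME ("unlimited" or a number).
soft_limit() {
    awk -v name="$1" 'index($0, name) == 1 {
        split(substr($0, length(name) + 1), f, " "); print f[1]; exit }'
}

# classify LIMIT USED: unlimited | exhausted | low (>= 90% used) | ok
classify() {
    if [ "$1" = unlimited ]; then echo unlimited
    elif [ "$2" -ge "$1" ]; then echo exhausted
    elif [ $(($2 * 10)) -ge $(($1 * 9)) ]; then echo low
    else echo ok
    fi
}

# Constructed sample in the /proc/<pid>/limits layout (made-up values).
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max processes             1024                 1024                 processes
Max open files            1024                 4096                 files
Max address space         unlimited            unlimited            bytes
EOF
}

# report PID: run as root against the live daemon (Linux /proc assumed).
report() {
    rp_uid=$(awk '/^Uid:/ {print $2}' "/proc/$1/status")
    # RLIMIT_NPROC counts every thread owned by the daemon's real UID.
    rp_nproc=$(ps -L -o lwp= -U "$rp_uid" | wc -l)
    rp_nfile=$(ls "/proc/$1/fd" | wc -l)
    rp_lproc=$(soft_limit "Max processes" < "/proc/$1/limits")
    rp_lfile=$(soft_limit "Max open files" < "/proc/$1/limits")
    echo "processes:  $rp_nproc / $rp_lproc ($(classify "$rp_lproc" "$rp_nproc"))"
    echo "open files: $rp_nfile / $rp_lfile ($(classify "$rp_lfile" "$rp_nfile"))"
    # fork() can also fail for lack of memory; show commit accounting.
    grep -E '^(MemFree|CommitLimit|Committed_AS):' /proc/meminfo
}

# Usage (hypothetical script name): sh check-limits.sh <pid of openvpn>
if [ $# -gt 0 ]; then report "$1"; fi
```

The kernel does not enforce the process limit for a process holding CAP_SYS_ADMIN or CAP_SYS_RESOURCE, so for a daemon running as root the memory figures are the ones to watch.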
