
Duplicate/leftover client processes (e.g. run-parts, update-resolv-conf)

Posted: Sat Sep 01, 2018 12:45 pm
by ivanbrennan
I set up an openvpn client on Ubuntu 18.04 by creating a work.conf file under /etc/openvpn/ and I start/stop it with:

sudo systemctl {start|stop} openvpn@work.service

I've noticed a bunch of sleeping openvpn processes, some many days old:

ps ax -o command | grep --count '[o]penvpn'
35

ps ax -o stat,start,command | grep '[S]TAT\|[o]penvpn'
STAT  STARTED COMMAND
S     Aug 21  /bin/bash /etc/openvpn/update-resolv-conf tun0 1500 1553 ... ... init
S     Aug 21  run-parts --arg=-a --arg=tun0.openvpn /etc/resolvconf/update.d
S     Aug 26  /bin/bash /etc/openvpn/update-resolv-conf tun0 1500 1553 ... ... init
S     Aug 26  run-parts --arg=-a --arg=tun0.openvpn /etc/resolvconf/update.d
... (truncated output) ...

I see similar processes in the service's cgroup:

systemd-cgls -u openvpn@work.service | grep --count run-parts
34
systemd-cgls -u openvpn@work.service | grep --count update-resolv-conf
17

I've also noticed that there is an openvpn.service in addition to my service. I'm not totally clear on the interaction between the two, but I think my @work service is grouped under the other service.

I'd like to find out why I have all these lingering processes because I'm also experiencing very long service shutdown times when running systemctl stop on my service (the graceful shutdown times out and ends up sending a SIGKILL to stop the service). I also have a vpn client (for the same server) set up on a different Linux distro and haven't experienced any of these problems.

I can post my client config or any extra info that would be helpful.

Re: Duplicate/leftover client processes (e.g. run-parts, update-resolv-conf)

Posted: Sat Sep 01, 2018 1:40 pm
by TinCanTech
Your config file and log at --verb 4 will be of some use.

Please see:
HOWTO: Request Help ! {2}

Note: openvpn integration with systemd is still a work in progress, so expect some weirdness ..

Re: Duplicate/leftover client processes (e.g. run-parts, update-resolv-conf)

Posted: Sun Sep 09, 2018 4:06 pm
by ivanbrennan
Operating system:

# uname -a
Linux big-thinkpad 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Server config file:

port 1194
proto udp4
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
push "route x.x.x.x 255.0.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
push "route x.x.x.x 255.255.0.0"
server x.x.x.x 255.255.255.0
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DOMAIN-SEARCH X.X.net"
push "dhcp-option DOMAIN-SEARCH X.X.net"
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify keys/crl.pem

Client config file:

client
dev tun
proto udp4
nobind
persist-key
remote-cert-tls server
cipher AES-256-CBC
compress lzo
auth-nocache
tls-auth ta.key 1
ca   /etc/openvpn/work-ca.crt
cert /etc/openvpn/work-user.crt
key  /etc/openvpn/work-user.key
askpass /etc/openvpn/work-user.pass
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 4

Client log:

Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2116 (update-resolv-c) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2119 (run-parts) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2125 (run-parts) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2147 (avahi-daemon-ch) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2173 (host) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Sep 09 11:37:35 big-thinkpad systemd[1]: Starting OpenVPN connection to work...
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Current Parameter Settings:
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   config = '/etc/openvpn/work.conf'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   mode = 0
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   persist_config = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   persist_mode = 1
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   show_ciphers = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   show_digests = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   show_engines = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   genkey = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   key_pass_file = '/etc/openvpn/work-user.pass'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   show_tls_ciphers = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   connect_retry_max = 0
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Connection profiles [0]:
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   proto = udp4
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   local = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   local_port = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   remote = 'XXXXXXXXXXXXXXX'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   remote_port = '1194'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   remote_float = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   bind_defined = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   bind_local = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   bind_ipv6_only = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   connect_retry_seconds = 5
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   connect_timeout = 120
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   socks_proxy_server = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   socks_proxy_port = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   tun_mtu = 1500
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   tun_mtu_defined = ENABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   link_mtu = 1500
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   link_mtu_defined = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   tun_mtu_extra = 0
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   tun_mtu_extra_defined = DISABLED
Sep 09 11:37:35 big-thinkpad systemd[1]: Started OpenVPN connection to work.
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   mtu_discover_type = -1
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   fragment = 0
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   mssfix = 1450
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   explicit_exit_notification = 0
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Connection profiles END
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   remote_random = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   ipchange = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   dev = 'tun'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   dev_type = '[UNDEF]'
...skipping...
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   auth_user_pass_verify_script_via_file = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   auth_token_generate = DISABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   auth_token_lifetime = 0
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   port_share_host = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   port_share_port = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   client = ENABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   pull = ENABLED
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]:   auth_user_pass_file = '[UNDEF]'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: LZO compression initializing
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: UDPv4 link local: (not bound)
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: UDPv4 link remote: [AF_INET]x.x.x.x:1194
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=144d18ea bb3edd8e
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: VERIFY OK: depth=1, C=US, ST=NY, L=NewYork, O=Work, OU=Systems, CN=Work CA, name=VPN, emailAddress=systems@work.com
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: VERIFY KU OK
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Validating certificate extended key usage
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: VERIFY EKU OK
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: VERIFY OK: depth=0, C=US, ST=NY, L=NewYork, O=Work, OU=Systems, CN=server, name=VPN, emailAddress=systems@work.com
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sep 09 11:37:35 big-thinkpad ovpn-work[7287]: [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: PUSH: Received control message: 'PUSH_REPLY,route x.x.x.x x.x.x.x,route x.x.x.x x.x.x.x,route x.x.x.x x.x.x.x,route x.x.x.x x.x.x.x,route x.x.x.x x.x.x.x,route
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: route options modified
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: peer-id set
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: adjusting link_mtu to 1625
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: OPTIONS IMPORT: data channel crypto options modified
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: ROUTE_GATEWAY x.x.x.x/x.x.x.x IFACE=wlp3s0 HWADDR=bc:a8:a6:c0:4b:9e
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: TUN/TAP device tun0 opened
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: TUN/TAP TX queue length set to 100
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: /sbin/ip link set dev tun0 up mtu 1500
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: /sbin/ip addr add dev tun0 local x.x.x.x peer x.x.x.x
Sep 09 11:37:36 big-thinkpad ovpn-work[7287]: /etc/openvpn/update-resolv-conf tun0 1500 1553 x.x.x.x x.x.x.x init
Sep 09 11:37:36 big-thinkpad openvpn[7287]: dhcp-option DNS x.x.x.x
Sep 09 11:37:36 big-thinkpad openvpn[7287]: dhcp-option DOMAIN-SEARCH X.X.net
Sep 09 11:37:36 big-thinkpad openvpn[7287]: dhcp-option DOMAIN-SEARCH X.X.net
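
Added example, not part of the original thread: a small shell filter that tallies systemd's "Found left-over process" warnings per unit and command name, so hook scripts stranded in the service cgroup (here the up/down helper enabled by script-security 2) stand out at a glance. The function names `sample_log` and `leftover_summary` are hypothetical; the sample lines are copied from the client log in the post above.

```shell
#!/bin/sh
# Added example: summarise systemd "left-over process" warnings per unit.

# Sample input: journal lines taken from the client log in the post above.
sample_log() {
cat <<'EOF'
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2116 (update-resolv-c) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2119 (run-parts) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2125 (run-parts) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2147 (avahi-daemon-ch) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: openvpn@work.service: Found left-over process 2173 (host) in control group while starting unit. Ignoring.
Sep 09 11:37:35 big-thinkpad systemd[1]: Starting OpenVPN connection to work...
EOF
}

# Reads journal text on stdin and prints one line per (unit, command):
#   <unit> <comm> <count> <pid,pid,...>
leftover_summary() {
  awk '
    {
      marker = ": Found left-over process "
      i = index($0, marker)
      if (i == 0) next                      # not a left-over warning
      # The unit name is the last word before the marker.
      n = split(substr($0, 1, i - 1), head, " ")
      unit = head[n]
      # rest looks like: "2116 (update-resolv-c) in control group ..."
      rest = substr($0, i + length(marker))
      lp = index(rest, "(")
      rp = index(rest, ") in control group")
      if (lp < 2 || rp <= lp) next          # malformed line, skip it
      pid  = substr(rest, 1, lp - 2)
      comm = substr(rest, lp + 1, rp - lp - 1)
      key  = unit " " comm
      sep  = (key in count) ? "," : ""
      count[key]++
      pids[key] = pids[key] sep pid
    }
    END { for (k in count) print k, count[k], pids[k] }
  ' | sort
}

# Stand-alone run on the embedded sample.
sample_log | leftover_summary
```

On a live host the same function can be fed from the journal, for example `journalctl -u openvpn@work.service | leftover_summary`.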

Re: Duplicate/leftover client processes (e.g. run-parts, update-resolv-conf)

Posted: Sun Sep 09, 2018 5:54 pm
by TinCanTech
Please switch to using openvpn-client@work.service for clients (likewise servers)

I do not know if this will help you .. but it is best to find out.

Those other openvpn@.service files are basically not supported any longer.
And openvpn.service is only for backward compatibility and you do not want to use that.

Partially documented here :
https://community.openvpn.net/openvpn/wiki/systemd/