OpenVPN process dies before rinning the down script on Win

[LJoe]

Hello guys,
I'm using OpenVPN 2.3.4 on Win 7 x64 and I have up and down scripts specified in the config file. Everything works fine if I disconnect manually via the GUI. However, when I log off or reboot the system, OpenVPN process dies without running the down script. I confirmed this by inspecting the log file. I tried running OpenVPN service, but result was exactly the same: script runs OK if I stop the service myself, and doesn't run during a reboot/shutdown. Is this an expected behavior, or I'm doing something wrong?

[LJoe]

Here is my config file:

Code: Select all

client
dev tap
proto udp
resolv-retry infinite
nobind
persist-key
ns-cert-type server
comp-lzo
verb 3
remote-random
remote vpn-se1.privatevpn.com 21000
remote vpn-se1.privatevpn.com 21001
remote vpn-se1.privatevpn.com 21002
remote vpn-se1.privatevpn.com 21003
remote vpn-se1.privatevpn.com 21004
remote vpn-se1.privatevpn.com 21005
remote vpn-se1.privatevpn.com 21006
remote vpn-se1.privatevpn.com 21007
remote vpn-se.privatevpn.com 21000
remote vpn-se.privatevpn.com 21001
remote vpn-se.privatevpn.com 21002
remote vpn-se.privatevpn.com 21003
route-delay
reneg-sec 0
--auth-user-pass auth.txt
script-security 2 system
up if_up.bat
down if_down.bat
<ca>
-----BEGIN CERTIFICATE-----
skip
-----END CERTIFICATE-----
</ca>

Here is a logoff/reboot log file:

Code: Select all

OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25356
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25356
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Socket Buffers: R=[8192->8192] S=[8192->8192]
MANAGEMENT: >STATE:1405104403,RESOLVE,,,
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]YYY.YYY.YYY.YYY:21006
MANAGEMENT: >STATE:1405104403,WAIT,,,
MANAGEMENT: >STATE:1405104403,AUTH,,,
TLS: Initial packet from [AF_INET]YYY.YYY.YYY.YYY:21006, sid=cbcfacd7 c7128b9b
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, OU=PrivateVPN, CN=PrivateVPN, name=changeme, emailAddress=support@privatvpn.se
VERIFY OK: nsCertType=SERVER
VERIFY OK: depth=0, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, OU=PrivateVPN, CN=PrivateVPN, name=changeme, emailAddress=support@privatvpn.se
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[PrivateVPN] Peer Connection Initiated with [AF_INET]YYY.YYY.YYY.YYY:21006
MANAGEMENT: >STATE:1405104405,GET_CONFIG,,,
SENT CONTROL [PrivateVPN]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route-gateway CCC.CCC.CCC.CCC,redirect-gateway def1,dhcp-option DNS 8.8.8.8,ping 10,ping-restart 60,ifconfig XXX.XXX.XXX.XXX 255.255.255.224'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
MANAGEMENT: >STATE:1405104406,ASSIGN_IP,,XXX.XXX.XXX.XXX,
open_tun, tt->ipv6=0
TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{5CB61A8D-F74F-48B0-A90F-2315867BDC7A}.tap
TAP-Windows Driver Version 9.9 
Notified TAP-Windows driver to set a DHCP IP/netmask of XXX.XXX.XXX.XXX/255.255.255.224 on interface {5CB61A8D-F74F-48B0-A90F-2315867BDC7A} [DHCP-serv: NNN.NNN.NNN.NNN, lease-time: 31536000]
Successful ARP Flush on interface [41] {5CB61A8D-F74F-48B0-A90F-2315867BDC7A}
if_up.bat Local Area Connection 4 1500 1574 XXX.XXX.XXX.XXX 255.255.255.224 init
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
C:\Windows\system32\route.exe ADD YYY.YYY.YYY.YYY MASK 255.255.255.255 VVV.VVV.VVV.VVV
ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=36]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 CCC.CCC.CCC.CCC
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 CCC.CCC.CCC.CCC
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
Initialization Sequence Completed
MANAGEMENT: >STATE:1405104406,CONNECTED,SUCCESS,XXX.XXX.XXX.XXX,YYY.YYY.YYY.YYY

As you can see, OpenVPN just dies without even trying to close the connection.

And here is a manual disconnect log for comparison:

Code: Select all

OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25356
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25356
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Socket Buffers: R=[8192->8192] S=[8192->8192]
MANAGEMENT: >STATE:1405104450,RESOLVE,,,
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]ZZZ.ZZZ.ZZZ.ZZZ:21002
MANAGEMENT: >STATE:1405104450,WAIT,,,
MANAGEMENT: >STATE:1405104450,AUTH,,,
TLS: Initial packet from [AF_INET]ZZZ.ZZZ.ZZZ.ZZZ:21002, sid=d7758f32 0814e2cf
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, OU=PrivateVPN, CN=PrivateVPN, name=changeme, emailAddress=support@privatvpn.se
VERIFY OK: nsCertType=SERVER
VERIFY OK: depth=0, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, OU=PrivateVPN, CN=PrivateVPN, name=changeme, emailAddress=support@privatvpn.se
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
[PrivateVPN] Peer Connection Initiated with [AF_INET]ZZZ.ZZZ.ZZZ.ZZZ:21002
MANAGEMENT: >STATE:1405104452,GET_CONFIG,,,
SENT CONTROL [PrivateVPN]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route-gateway XXX.XXX.XXX.XXX,redirect-gateway def1,dhcp-option DNS 8.8.8.8,ping 10,ping-restart 60,ifconfig YYY.YYY.YYY.YYY 255.255.255.224'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
MANAGEMENT: >STATE:1405104453,ASSIGN_IP,,YYY.YYY.YYY.YYY,
open_tun, tt->ipv6=0
TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{5CB61A8D-F74F-48B0-A90F-2315867BDC7A}.tap
TAP-Windows Driver Version 9.9 
Notified TAP-Windows driver to set a DHCP IP/netmask of YYY.YYY.YYY.YYY/255.255.255.224 on interface {5CB61A8D-F74F-48B0-A90F-2315867BDC7A} [DHCP-serv: NNN.NNN.NNN.NNN, lease-time: 31536000]
Successful ARP Flush on interface [41] {5CB61A8D-F74F-48B0-A90F-2315867BDC7A}
if_up.bat Local Area Connection 4 1500 1574 YYY.YYY.YYY.YYY 255.255.255.224 init
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
C:\Windows\system32\route.exe ADD ZZZ.ZZZ.ZZZ.ZZZ MASK 255.255.255.255 VVV.VVV.VVV.VVV
ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=36]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 XXX.XXX.XXX.XXX
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 XXX.XXX.XXX.XXX
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
Initialization Sequence Completed
MANAGEMENT: >STATE:1405104453,CONNECTED,SUCCESS,YYY.YYY.YYY.YYY,ZZZ.ZZZ.ZZZ.ZZZ
C:\Windows\system32\route.exe DELETE ZZZ.ZZZ.ZZZ.ZZZ MASK 255.255.255.255 CCC.CCC.CCC.CCC
Route deletion via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 XXX.XXX.XXX.XXX
Route deletion via IPAPI succeeded [adaptive]
C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 XXX.XXX.XXX.XXX
Route deletion via IPAPI succeeded [adaptive]
Closing TUN/TAP interface
if_down.bat Local Area Connection 4 1500 1574 YYY.YYY.YYY.YYY 255.255.255.224 init
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
SIGTERM[hard,] received, process exiting
MANAGEMENT: >STATE:1405104460,EXITING,SIGTERM,,

The connection is terminated normally and the down script is run as expected.