Comments (8)
jkroepke
commented on May 26, 2024
The management-hold option in OpenVPN together with systemd introduces the issue here.
In general, if the connection to the management interface terminate, openvpn-auth-oauth2 terminates, too.
openvpn-auth-oauth2 does not support reconnecting. This is necessary, because if OpenVPN service is restarted, client id start from zero again. Since some refresh token are bound to client id, reconnect could result wrong authentications, if client IDs are re-used again.
If management-hold is configured, then systemd blocks the start until the state is resolved.
Since OpenVPN is a dependency of openvpn-auth-oauth2. systemd will start the openvpn-auth-oauth2 service, after the management lock is released. But the management lock will never released. Thats a deadlock.
from openvpn-auth-oauth2.
andreas-p
commented on May 26, 2024
On SIGHUP, openvpn isn't restarted, so systemd doesn't see the necessity to restart openvpn-auth-oauth2. Somehow, openvpn-auth needs to restart itself... I guess forgetting all cached tokens would be sufficient, but a complete re-init would be on the safe side.
from openvpn-auth-oauth2.
jkroepke
commented on May 26, 2024
But SIGHUP is documented as "hart restart", I would expect that the management connection will be terminated. Normally. openvpn-auth-oauth2 should also terminate here and restarted by systemd.
Ref: https://openvpn.net/community-resources/controlling-a-running-openvpn-process/
from openvpn-auth-oauth2.
andreas-p
commented on May 26, 2024
Well that hard restart doesn't change the PID, no chance for systemd to detect.
I guess openvpn-auth-oauth2 needs to regard a "hold, waiting for release" as indication for resetting.
from openvpn-auth-oauth2.
jkroepke
commented on May 26, 2024
That fine. But openvpn-auth-oauth2 should die anyways and the unit setting
should trigger if openvpn-auth-oauth2 dies.
What are the logs of openvpn-auth-oauth2?
from openvpn-auth-oauth2.
andreas-p
commented on May 26, 2024
openvpn-auth-oauth2 doesn't die.
Zero syslog entry when SIGHUPing openvpn.
from openvpn-auth-oauth2.
jkroepke
commented on May 26, 2024
I looked into the issue and issue a kill -HUP does not terminate the management connection. It surprises me, that SIGHUP is documented as hart restart while the connection to the managed client will be alive. I could reproduce the issue and looking forward to implement a fix.
from openvpn-auth-oauth2.
jkroepke
commented on May 26, 2024
Side note:
It's not intensional that management clients are not dropped at SIGHUP, see also OpenVPN/openvpn#499 (comment)
from openvpn-auth-oauth2.
Related Issues (20)
- Implement OR-Based Group Validation HOT 2
- Layout changed HOT 1
- validate.common-name fails with "openvpn client is empty" HOT 2
- Please support/move to plugin HOT 1
- [Google] Refresh token HOT 4
- Status of Keycloak Support? HOT 1
- v1.16.0-rc.2: openvpn-auth-oauth2.service: Failed with result 'core-dump'. HOT 6
- v1.16.0-rc.2: provider `google` not recognised in client.yaml HOT 3
- Google oAuth not working HOT 1
- IOS OpenVPN Connect will disconnect after lock screen for about 20 seconds and can not auto re-connect after unlock HOT 35
- validate.common-name is is case-sensitive
- A possible chan deadlock with `commandResponseCh` HOT 9
- Refactor Google Teams sync HOT 3
- No information returned from Google oAuth HOT 6
- [HELP WANTED] Implement username override in OpenVPN [clang coding]
- When trying to use groups in plugin, having PANIC HOT 14
- openvpn gui still asks for username/password even with auth-user-pass-optional HOT 5
- Reverse proxy with apache HOT 3
- OpenVPN Service NOT start HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openvpn-auth-oauth2.