openvpn configuration with token (pkcs11 provider) blocks the boot

Bug #278784 reported by Jonathan Clarke
Affects            Status         Importance   Assigned to   Milestone
openvpn (Ubuntu)   Fix Released   Medium       Unassigned

Bug Description

Binary package hint: openvpn

After updating from Hardy to Intrepid, it seems openvpn is automatically launched on boot, and attempts to open all connections described in /etc/openvpn/*.conf files. My exact version of OpenVPN here is 2.1~rc9-3ubuntu2.

This causes a problem when using PKCS11 provider options in a configuration file: the boot is interrupted and in text mode a request to insert the token is displayed, like this:

8<--------------------------------------------------------------------------------------------------
NEED-OK|token-insertion-request|Please insert OpenSC Card (User PIN) token:
8<--------------------------------------------------------------------------------------------------

Despite trying all usual escape commands (escape, ctrl+C, ctrl+Z, etc), and actually inserting the token (nothing happened, it is on a USB connection), this completely blocked the boot. I had to restart and then boot in recovery mode and rename my file to avoid the automatic connection.

I feel that launching connections automatically is not the problem - that's a nice feature :) However, I would expect at least to be able to cancel the connection opening, or delay this error message until a user has logged in.

If any further info can help, my config is waiting for your requests.

Thierry Carrez (ttx) wrote :

I agree the boot should not be blocked; an option to cancel the start of that VPN should be provided.

I'll have a look to see if I find an easy fix; I may need your help to test it though, since I don't own such a token ;)

About the autostart feature, note that you can configure which configurations should be autostarted at boot through the /etc/default/openvpn file.

Jonathan Clarke (jooooooon) wrote :

I found the autostart config in the end - it's just not possible to deactivate it while updating Ubuntu :)

No problem to test any fixes, just leave me a note here or by email.

Thierry Carrez (ttx) wrote :

According to http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt the NEED-OK line is a notification that is supposed to be acked using the management interface (issue a "needok token-insertion-request ok" command to the management port)... That makes it quite unsuitable at boot-up time.

See also discussions from other users not happy with this on:
http://sourceforge.net/mailarchive/message.php?msg_id=48BF842A.1040901%40aixigo.de

Jonathan: does booting with the token already inserted (before the notification pops up) work? Does a workaround where we would filter out configurations that use pkcs#11 so that they are not autostarted make sense? Would looking for "pkcs11-id" in the configuration be enough to detect them?

Changed in openvpn:
importance: Undecided → Medium
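The filtering workaround floated above, written out as an added example (it is not code from the Ubuntu openvpn package or from this thread): an AUTOSTART filter that follows the /etc/default/openvpn semantics but leaves out any configuration that would need a PKCS#11 token prompt at boot. Detection keys on the real OpenVPN directives pkcs11-providers and pkcs11-id, which goes slightly beyond the single "pkcs11-id" string suggested in the comment; the function names, the scratch directory and the sample config contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Ubuntu openvpn package: an AUTOSTART filter
# of the kind proposed in the thread, which skips any configuration that would
# need a PKCS#11 token prompt at boot. Detection keys on the real OpenVPN
# directives "pkcs11-providers" and "pkcs11-id"; the file names and contents in
# the demo below are constructed.

# Exit 0 when the config file names a PKCS#11 provider or object, 1 otherwise.
uses_pkcs11() {
    grep -Eq '^[[:space:]]*pkcs11-(providers|id)([[:space:]]|$)' "$1"
}

# Print the config names (without .conf) in directory $1 that may autostart
# under AUTOSTART=$2, following the /etc/default/openvpn semantics: "all",
# "none", or a space-separated list of names. PKCS#11 configs are reported on
# stderr and skipped so that the boot never waits for a token.
autostart_list() {
    dir=$1
    autostart=${2:-all}
    if [ "$autostart" = none ]; then
        return 0
    fi
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ "$autostart" != all ]; then
            case " $autostart " in
                *" $name "*) ;;
                *) continue ;;
            esac
        fi
        if uses_pkcs11 "$conf"; then
            echo "skipping $name: needs a PKCS#11 token, start it after login" >&2
            continue
        fi
        echo "$name"
    done
}

# Constructed sample configs in a scratch directory so the demo runs offline.
demo_dir=$(mktemp -d)
cat >"$demo_dir/office.conf" <<'EOF'
client
remote vpn.example.invalid 1194
cert office.crt
key office.key
EOF
cat >"$demo_dir/tokenvpn.conf" <<'EOF'
client
remote vpn.example.invalid 1194
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'placeholder-serialized-object-id'
EOF
echo "would autostart: $(autostart_list "$demo_dir" all | tr '\n' ' ')"
rm -rf "$demo_dir"
```

In an init script the output of autostart_list would replace the glob over $CONFIG_DIR/*.conf; the skipped names still appear on the console, which answers the "why did this one not start?" confusion Jonathan raises without stalling the boot.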
Jonathan Clarke (jooooooon) wrote :

Hi Thierry,

Booting with the token already inserted does not work. It is a USB token, so maybe some part of the USB system is not yet up at that point of the boot.

I'm not sure about the workaround. I can see it leading to confusion: "why do some configurations autostart and not others?". However, it would definitely avoid the problem at hand, of course. Ideally, such configurations should be autostarted when a user is logged in, and can use a management interface.

Let me know if you go with a workaround based on "pkcs11-id", and I will test it.

Thierry Carrez (ttx) wrote :

A few clarifications: in hardy openvpn also autostarts all /etc/openvpn/*.conf VPNs at boot (if /etc/default/openvpn has AUTOSTART=all, which is the default), so there is no change in that area.

However, one difference between the hardy and the intrepid version is that we merged the fix for the following Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454371

This causes OpenVPN to stop the boot process to ask for passwords (see also bug 280428). It may also cause the PKCS#11-related hang, but I am missing the hardware to reproduce it.

Jonathan: since we may consider it a good thing to revert that change, I'm interested in knowing if that would fix this bug or not. Could you please test whether your PKCS#11 configuration, with AUTOSTART=all, still blocks the boot with the following change in /etc/init.d/openvpn:

---------------------------------------------------------------
--- /etc/init.d/openvpn.old
+++ /etc/init.d/openvpn
@@ -66,7 +66,7 @@
     else
       $DAEMON $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
        $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
- --config $CONFIG_DIR/$NAME.conf $script_security || STATUS=1
+ --config $CONFIG_DIR/$NAME.conf $script_security < /dev/null || STATUS=1
     fi
 }
 stop_vpn () {
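Review bot: redirecting stdin from /dev/null on the "--config" line of this hunk makes every interactive prompt openvpn might issue fail immediately, not only the PKCS#11 token-insertion request, so any configuration that relied on a password prompt at boot (the Debian bug 454371 behaviour being reverted here) will now be counted as failed through "|| STATUS=1" with nothing but a syslog error to explain why. Suggest documenting in /etc/default/openvpn, next to AUTOSTART, that such configurations should be left out of the autostart list and started after login, and keeping the existing "\" continuation on the preceding line so the redirect stays part of the same $DAEMON command.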
---------------------------------------------------------------
(add "< /dev/null" after "$script_security " on line 69)

Thanks in advance for your testing.

Jonathan Clarke (jooooooon) wrote :

I just tested with the above patch to /etc/init.d/openvpn. This solves the problem: the boot is not interrupted.

OpenVPN fails to launch this config and logs the following error message to syslog:
Oct 15 21:35:30 jon-imac ovpn-myconfigname[5225]: ERROR: could not read token-insertion-request ok-confirmation from stdin

Thanks for your quick response and analysis of this bug, Thierry.
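Why the patch unblocks the boot and where the syslog line Jonathan quotes comes from, as an added example that is neither the Ubuntu init script nor OpenVPN code: a constructed stand-in daemon script reproduces the token-insertion prompt, and three launch functions show what its read on stdin sees in each case. The start_vpn_* names, the temporary script path and the sleep/timeout timings are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the Ubuntu init script or OpenVPN itself: a stand-in
# daemon mimics openvpn waiting for a NEED-OK confirmation without a management
# interface, launched the way the old init script did (stdin inherited and held
# open) and the way the patched one does (stdin from /dev/null). All paths,
# names and timings are constructed for the demo.

fake_daemon=$(mktemp)
trap 'rm -f "$fake_daemon"' EXIT
cat >"$fake_daemon" <<'EOF'
#!/bin/sh
# Stand-in prompt: print the NEED-OK notification and expect "ok" on stdin,
# failing with the same message openvpn logs when stdin gives nothing.
printf 'NEED-OK|token-insertion-request|Please insert OpenSC Card (User PIN) token:\n' >&2
if IFS= read -r answer; then
    [ "$answer" = ok ] && exit 0
    echo "ERROR: unexpected confirmation '$answer'" >&2
    exit 1
fi
echo "ERROR: could not read token-insertion-request ok-confirmation from stdin" >&2
exit 1
EOF

# Patched launch, as in the "< /dev/null || STATUS=1" line of the hunk above:
# the read hits EOF at once, the daemon logs its error and exits 1, and the
# caller records STATUS=1 instead of waiting. Returns that STATUS.
start_vpn_patched() {
    STATUS=0
    sh "$fake_daemon" </dev/null || STATUS=1
    return $STATUS
}

# Unpatched launch: stdin is a pipe that stays open but never delivers a line,
# which is what an unattended boot console looks like to the read. timeout(1)
# caps the wait for the demo; exit 124 means "still blocked when the cap hit".
start_vpn_unpatched() {
    sleep 2 | timeout 1 sh "$fake_daemon"
}

# Confirmation supplied: the prompt succeeds. This is the effect of the
# management-interface "needok token-insertion-request ok" command once a
# logged-in user can answer it.
start_vpn_confirmed() {
    echo ok | sh "$fake_daemon"
}

start_vpn_patched;   echo "patched launch exit: $?"
start_vpn_unpatched; echo "unpatched launch exit: $? (124 = blocked until timeout)"
start_vpn_confirmed; echo "confirmed launch exit: $?"
```

The unpatched case is the one that stalled the boot: without the redirect the daemon inherits the console and the read never returns until someone types at it. The patched case trades the hang for an immediate, logged failure, which is exactly the syslog line quoted above.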

Thierry Carrez (ttx) wrote :

Thanks for your testing :) So this has been fixed by reverting to hardy behavior.
Fix shipped in 2.1~rc11-1ubuntu2

Changed in openvpn:
status: New → Fix Released