Assertion failed at socket.c:629

This is probably an issue with the debian ipv6 support patch (jjo-ipv6-support.patch).
Might be the same as http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574164

Could you attach your openvpn configuration ? In particular, I'm interested in seeing if you use "mode p2p".

Not using p2p mode.
Here is my server config file
--------------------------------------------
script-security 3
inetd nowait
proto tcp-server
tls-server
dev tap
up "/etc/openvpn/per-user-up.sh"
down "/etc/openvpn/per-user-down.sh"

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem

keepalive 10 120

tls-auth /etc/openvpn/ta.key 0 # This file is secret

cipher AES-128-CBC # AES

comp-lzo

user nobody
group nogroup

verb 4

There is no specific "mode" set (and "server" is not specified), so it uses p2p mode by default. I'll have a deeper look into this.

Here are my related config files. Hopefully these will help as well.

per-user-up.sh
------------------------
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="bridge0"

#NOTE $1 contains the tap interface name

brctl addif $br $1
ifconfig $1 mtu $2 promisc up

--------------------------
per-user-down.sh
--------------------------
#!/bin/bash

#################################
# Tear down Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="bridge0"

# NOTE #1 contains the tap devce name

brctl delif $br $1
ifconfig $1 down
openvpn --rmtun --dev $1

-----------------------------
/etc/xinet.d/openvpn
----------------------------
service echo
{
 disable = no
 type = UNLISTED
 port = 1194
 socket_type = stream
 protocol = tcp
 user = root
 wait = no
 server = /usr/sbin/openvpn
 server_args = --config /etc/openvpn/tcp-tap.conf.backup
}
-----------------------------
The funny name for the server_args value is to prevent the SYSVINIT scripts from trying to start a server that should only be started by xinet.d.

I have a bridge created in my /etc/networking/interfaces file called bridge0

The IPv6 patch has a case where it would hit that ASSERT if ! (host && addr) -- while the upstream code would just pass without triggering any error. I'll prepare a package for you to test in a few, maybe it's just that corner case.

Ok I would be happy to test. Not sure if its an issue but that system is now running Maverick and no longer runs Lucid. So any test won't be apples to apples.

I suppose you reproduce the issue in maverick, so I'll build packages for Maverick.
Package will build @ https://launchpad.net/~ttx/+archive/ppa

Arh, this needs a bit more work -- more tomorrow :)

No worries. I cobbled together a Lucid system to test this so no need to worry about Maverick anymore.
I just wanted to thank you for the prompt attention you have shown this bug.

Are you a Canonical employee? If so is there anyway I can provide feedback to let your employer know how pleased I am with the service you have provided? I like to make sure hard work is rewarded whenever I can.

Cheers

Test packages have been uploaded to my PPA (for Lucid and Maverick) at [1]... They will build in the next hours. If those fix it, then it's an easy fix and I can push it to lucid and maverick. If not, then I'm a bit more clueless as to what happens here...

Yes, I'm a Canonical employee, but I'm helping you as an Ubuntu Server core developer... My pleasure to help, and your thanks are enough as a reward :)

[1] https://launchpad.net/~ttx/+archive/ppa

I can't test them today due to work conflicts. With any luck I will get them tested on Friday.

Cheers

I tested the AMD64 build on Lucid today. It fixes the socket assertion failure but still features a regression relative to upstream.

With the build from you PPA and the config file I provided I get the following in syslog:
TLS: Initial packet from [AF_INET]192.5.38.152:49308, sid=713f6ed1 b48b32c4
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]192.5.38.152:49308
Fatal TLS error (check_tls_errors_co), restarting
OpenVPN started by inetd/xinetd cannot restart... Exiting.

-----------------------------------------------------------------
To fix it I had to comment out the "tls-auth" lines in my client and server configuration files.
For example I commented this out in my server configuration file:
# tls-auth /etc/openvpn/ta.key 0 # This file is secret

After doing that it works like upstream, except I am not getting the PSK protection of the TLS negotiation. So its still not working right but at least it no longer produces the socket assertion message.

Hmm, so the problem still lies in the ipv6 support patch from debian, but is not fixed by fixing the host && addr code flow. Probably your use case (usage through xinetd) hits code that triggered the assertion (host or addr is null) but will also trigger further failure...

I think that's the same issue as the debian bug mentioned above, and is probably an incompatibility between using inetd to spawn openvpn and the ipv6 patch from Debian.

In openvpn 2.0, "Server Mode" can be used to serve multiple clients from a single port (with scalability in mind, so all client connections are routed through a single tun or tap interface). Have you considered switching your inetd-based setup to that model ?

Cant't do it. I need multiple clients through one port and each needs their own tap device. We use broadcast/multi-cast and stuff like wireshark. So the scalable tun approach is not for us. Basically everyone needs their own unique MAC address.

UPDATE: I did some more testing on this. I found out that the TLS HMAC errors were the fault of an update to Viscosity (Mac OSX OpenVPN client). The program was incorrectly passing '0' for the direction of the "ta.key" file on the clients.

So the good news is that the package in your PPA fixes this issue completely. The TLS HMAC issue was unrelated.

Ah! That's good news indeed. I'll push the fix in SRU once the Maverick release heat calms down.

This bug was fixed in the package openvpn - 2.1.3-1ubuntu2

---------------
openvpn (2.1.3-1ubuntu2) natty; urgency=low

  * Fix jjo-ipv6-support.patch to avoid assertion failure at socket.c:629 in
    corner cases where ! host && addr (LP: #627973)
 -- Thierry Carrez (ttx) <email address hidden> Wed, 20 Oct 2010 16:22:25 +0200