diff -u openvpn-2.1~rc7/init.c openvpn-2.1~rc7/init.c
--- openvpn-2.1~rc7/init.c
+++ openvpn-2.1~rc7/init.c
@@ -1331,11 +1331,18 @@
 ASSERT (options->shared_secret_file);
 /* CVE-2008-0166 (Debian weak key checks) */
- openvpn_snprintf(command_line, sizeof (command_line), "/usr/sbin/openvpn-vulnkey -q %s", options->shared_secret_file);
- msg (M_INFO, "%s", command_line);
- if (openvpn_system (command_line, c->c2.es, S_FATAL) != 0)
+ /* Only check if we can actually read the key file. Unless the file does not
+ * exist in the first place, this should never happen (since static keys do
+ * not work with multi-client mode), but we test it anyway to be on the safe
+ * side and avoid wrong -vulnkey alerts. */
+ if (access (options->shared_secret_file, R_OK) == 0)
 {
- msg (M_FATAL, "ERROR: '%s' is a known vulnerable key. See 'man openvpn-vulnkey' for details.", options->shared_secret_file);
+ openvpn_snprintf(command_line, sizeof (command_line), "/usr/sbin/openvpn-vulnkey -q %s", options->shared_secret_file);
+ msg (M_INFO, "%s", command_line);
+ if (openvpn_system (command_line, c->c2.es, S_FATAL) != 0)
+ {
+ msg (M_FATAL, "ERROR: '%s' is a known vulnerable key. See 'man openvpn-vulnkey' for details.", options->shared_secret_file);
+ }
 }
 init_crypto_pre (c, flags);
@@ -1505,7 +1512,10 @@
 ASSERT (!options->test_crypto);
 /* CVE-2008-0166 (Debian weak key checks) */
- if (options->priv_key_file)
+ /* Only check if we can actually read the key file. This will fail if we
+ * already chroot()ed/set[ug]id()'ed. An ENOENT at program start is already
+ * handled further down, so we can ignore it here. */
+ if (options->priv_key_file && access (options->priv_key_file, R_OK) == 0)
 {
 openvpn_snprintf(command_line, sizeof (command_line), "/usr/sbin/openssl-vulnkey -q %s", options->priv_key_file);
 msg (M_INFO, "%s", command_line);
diff -u openvpn-2.1~rc7/debian/changelog openvpn-2.1~rc7/debian/changelog
--- openvpn-2.1~rc7/debian/changelog
+++ openvpn-2.1~rc7/debian/changelog
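Review bot: The new `access (..., R_OK) == 0` guard turns the weak-key check into a silent no-op whenever the file cannot be read: EACCES after a privilege drop is the intended case, but ENOENT from a mistyped `--secret` path, or a path that no longer resolves after chroot(), is skipped the same way and leaves nothing in the log, so an operator cannot tell whether the key was ever verified. Add an `else` branch that records the skip and its reason, e.g. `else msg (M_INFO|M_ERRNO, "Skipping openvpn-vulnkey check: cannot read '%s'", options->shared_secret_file);`, so a check that never ran is distinguishable from one that passed. The same applies to the `access` guard on `priv_key_file` in the second hunk. The enclosing function (do_init_crypto_static, per the changelog) begins before this hunk.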
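Review bot: The new `access()` condition establishes that `priv_key_file` is readable, but not that its value is safe to splice into a shell command, which the `openvpn_snprintf`/`openvpn_system` lines directly below still do with the path unquoted; a key path containing whitespace or shell metacharacters is split or interpreted by the shell, and if, as in the first hunk, every non-zero exit status is reported as a known vulnerable key, such a path yields a misleading M_FATAL instead of a clean configuration error. Prefer running `openssl-vulnkey` with an explicit argv rather than a shell string, or at minimum shell-quote the path, and distinguish "helper could not run" from a genuine weak-key result before escalating to M_FATAL. The `openvpn-vulnkey` invocation in the first hunk has the same shape. The `openvpn_system` call and the remainder of the enclosing function lie outside this hunk.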
@@ -1,3 +1,17 @@
+openvpn (2.1~rc7-1ubuntu3.2) hardy-security; urgency=low
+
+ * init.c: Do not attempt to verify the key file with openvpn-vulnkey if it
+ is not accessible (any more). This happens when using the 'user', 'group',
+ or 'chroot' options in multi-client mode, and the SSL key file thus
+ becomes unreadable from the second time on. If the key file is not
+ accessible at the very start, this is already handled anyway, so we can
+ safely ignore this condition. (LP: #230208)
+ Note that this is not an issue when using pre-shared keys
+ (do_init_crypto_static(), since multi-client mode only works with TLS.
+ However, we also check it here just to be on the safe side.
+
+ -- Martin Pitt Wed, 14 May 2008 12:57:19 +0200
+
 openvpn (2.1~rc7-1ubuntu3.1) hardy-security; urgency=low
 * SECURITY UPDATE: don't allow use of known vulnerable weak SSL/TLS and