Ubuntu

[SRU] OpenVPN client connect hangs on PUSH_REQUEST

Reported by Waldo2k2 on 2010-05-13
This bug affects 1 person
Affects: OpenVPN; Status: Fix Released; Importance: Unknown
Affects: openvpn (Debian); Status: Fix Released; Importance: Unknown
Affects: openvpn (Ubuntu); Importance: Medium; Assigned to: Thierry Carrez
Affects: Lucid; Importance: Undecided; Assigned to: Unassigned

Bug Description

Binary package hint: openvpn

A client connecting to an OpenVPN server running Lucid hangs on PUSH_REQUEST. Same server config works on Karmic.

My server config does not contain any 'push' directives. If I add the tcp-nodelay macro to my server config, the 'push "socket-flags TCP_NODELAY"' that it sends the client prevents it from hanging and the connection completes. The tcp-nodelay option fails on the Windows clients I tested it with, but merely passing the PUSH fixes the connection hang.

I haven't tested any other push directives to see if they have the same effect.

Current package version: 2.1.0-1ubuntu1 (lucid)
Working package version: 2.1~rc19-1ubuntu2 (karmic)

OpenVPN server config used:
-------------------------------------
mode server
port 1194
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
replay-persist replay-persist-file
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ping 15
ping-restart 300 # 5 minutes, good for dynamic dns
resolv-retry 300 # 5 minutes, good for dynamic dns
persist-tun
persist-key
comp-lzo
user nobody
group nogroup
status openvpn-status.log
verb 3
#tcp-nodelay #uncomment to fix in lucid

Waldo2k2 (peterson-drew) wrote :

OpenVPN Client config used:
------------------------------------
client
dev tap
remote somedomain.org
nobind
replay-persist replay-persist-file
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
ping 15
ping-restart 300
resolv-retry 300
persist-tun
persist-key
comp-lzo
verb 3

Chuck Short (zulcss) wrote :

If possible can you attach your server config fix as well?

Thanks
chuck

Changed in openvpn (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Waldo2k2 (peterson-drew) wrote :

Yes, sorry. I should have been more clear.

All I did to the server config (which is the config in bug description) was add tcp-nodelay. I didn't alter anything in the client config, I just listed it in case you wanted it for testing.

Let me know if I can get you anything else, I have a disk image saved from when the problem was occurring.

Thierry Carrez (ttx) wrote :

In 2.1~rc20, upstream rewrote most of the PUSH_REPLY handling ("Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation"); maybe now there is a corner case where no reply would be sent (at all) if no push option is specified, making the client hang unless a dummy push is configured on the server.

Could you attach the client and server logs in both cases (success/failure)?

Waldo2k2 (peterson-drew) wrote :
Waldo2k2 (peterson-drew) wrote :
Waldo2k2 (peterson-drew) wrote :

Should have mentioned those were the failure logs, success logs coming next.

Waldo2k2 (peterson-drew) wrote :
Waldo2k2 (peterson-drew) wrote :
Thierry Carrez (ttx) wrote :

Thanks! That confirms my hypothesis in comment 4.
The easy workaround is to push something dummy. This should probably be communicated upstream through https://lists.sourceforge.net/lists/listinfo/openvpn-devel, if you have the time to do so.
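
The condition discussed in the comments above, as an added example that is not part of the bug report or of OpenVPN's own code: a small check that flags a server/client config pair in which the client will send PUSH_REQUEST while the server has nothing to push. It assumes only the two pushing directives named in this report (`push` and the `tcp-nodelay` macro); the function names are hypothetical and the sample configs are trimmed copies of the ones posted here.

```python
import shlex

# Directives that cause the server to push at least one option. "push" is
# explicit; "tcp-nodelay" is the macro from the report, which pushes
# socket-flags TCP_NODELAY. Other macros are not modelled (assumption).
PUSHING = {"push", "tcp-nodelay"}

def parse_directives(text):
    """Return (name, args) for every active line of an OpenVPN config."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):          # ';' also starts a comment line
            continue
        try:
            tokens = shlex.split(line, comments=True)  # strips '#' comments
        except ValueError:                # unbalanced quote: skip the line
            continue
        if tokens:
            out.append((tokens[0].lstrip("-"), tokens[1:]))
    return out

def server_pushes_nothing(server_text):
    d = parse_directives(server_text)
    is_server = any(n == "mode" and a[:1] == ["server"] for n, a in d)
    return is_server and not any(n in PUSHING for n, _ in d)

def client_pulls(client_text):
    # "client" expands to "pull" plus "tls-client", so either one means
    # the client will send PUSH_REQUEST.
    return any(n in ("client", "pull") for n, _ in parse_directives(client_text))

def hang_risk(server_text, client_text):
    """True when the pair matches the condition described in this report."""
    return server_pushes_nothing(server_text) and client_pulls(client_text)

# Trimmed copies of the configs posted in this report.
SERVER = '''mode server
dev tap0
up "/etc/openvpn/up.sh br0"
tls-server
ping-restart 300 # 5 minutes, good for dynamic dns
#tcp-nodelay #uncomment to fix in lucid
'''
CLIENT = "client\ndev tap\nremote somedomain.org\nnobind\n"
WORKAROUND = SERVER.replace("#tcp-nodelay", "tcp-nodelay")

if __name__ == "__main__":
    print(hang_risk(SERVER, CLIENT), hang_risk(WORKAROUND, CLIENT))
```

A positive result only matters on a server package without the fix; the check does not look at the installed version.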

Changed in openvpn (Ubuntu):
status: Incomplete → Triaged
Changed in openvpn:
status: Unknown → New
Waldo2k2 (peterson-drew) wrote :

Confirmed upstream, moved here: https://community.openvpn.net/openvpn/ticket/13

Changed in openvpn:
status: New → Confirmed
Changed in openvpn:
status: Confirmed → Fix Released
Thierry Carrez (ttx) wrote :
Thierry Carrez (ttx) on 2010-06-28
Changed in openvpn (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
importance: Low → Medium
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.1.0-2ubuntu2

---------------
openvpn (2.1.0-2ubuntu2) maverick; urgency=low

  * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
    on PUSH_REQUEST when server does not push any option (LP: #579737)
 -- Thierry Carrez <email address hidden> Mon, 28 Jun 2010 10:45:23 +0200

Changed in openvpn (Ubuntu):
status: In Progress → Fix Released
tags: added: patch
Changed in openvpn (Debian):
status: Unknown → New
Changed in openvpn (Debian):
status: New → Fix Released
Chuck Short (zulcss) on 2010-07-16
summary: - OpenVPN client connect hangs on PUSH_REQUEST
+ [SRU] OpenVPN client connect hangs on PUSH_REQUEST
Chuck Short (zulcss) wrote :

Statement of Impact: OpenVPN in lucid was shipped with a bug that can cause an openvpn client to hang when sending a PUSH_REQUEST. This has been addressed upstream and fixed in maverick. I have backported the patch to lucid.

How to reproduce:

1. Use the client and server config found at: https://community.openvpn.net/openvpn/ticket/13
2. You shouldn't get a hang.

I don't see a regression with this patch included in lucid.

Chuck Short (zulcss) wrote :
John Dong (jdong) wrote :

ACK from SRU team.

Accepted into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in openvpn (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Waldo2k2 (peterson-drew) wrote :

The version in lucid-proposed fixes this bug.
Everything seems stable so far. If I find any problems with the proposed version, where is the best place to report them?

Thierry Carrez (ttx) wrote :

The best place is here.
With your verification done, it should stay ~ 1 week in -proposed before moving to -updates.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.1.0-1ubuntu1.1

---------------
openvpn (2.1.0-1ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/client_hang_when_server_dont_push.patch: Fix client hanging
    on PUSH_REQUEST when server does not push any option (LP: #579737)
 -- Chuck Short <email address hidden> Fri, 16 Jul 2010 13:46:18 -0400

Changed in openvpn (Ubuntu Lucid):
status: Fix Committed → Fix Released