[Openvpn-users] persist-key



Greetings,

I had a setup error which caused SIGHUP to be sent to the openvpn process when logs were rolled over; since I'm using syslog for logging of course it doesn't need it (syslogd does) but the SIGHUP caused the VPN to not come back up, which is unexpected. I've since fixed the problem (newsyslog will SIGHUP syslogd instead of openvpn) so I won't have the problem anymore, but I'm curious about the intended effect of persist-key.

I am using:

 user vpn
 group vpn
 persist-key

the key of course is readable by root only. The log shows regularly scheduled key expiry and TLS renegotiation, which works fine as openvpn keeps the key loaded.

However, after a SIGHUP:

May 12 03:00:00 wolv openvpn[716]: SIGHUP[hard,] received, process restarting
May 12 03:00:00 wolv openvpn[716]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 13 2006
May 12 03:00:00 wolv openvpn[716]: Restart pause, 2 second(s)
May 12 03:00:02 wolv openvpn[716]: Note: cannot open /var/tmp/openvpn-status.log for WRITE
May 12 03:00:02 wolv openvpn[716]: Note: cannot open /var/tmp/openvpn-iplist.txt for READ/WRITE
May 12 03:00:02 wolv openvpn[716]: Diffie-Hellman initialized with 1024 bit key
May 12 03:00:02 wolv openvpn[716]: Cannot load private key file wolv.key: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
May 12 03:00:02 wolv openvpn[716]: Error: private key password verification failed
May 12 03:00:02 wolv openvpn[716]: Exiting


Is this working as intended? I can't imagine that signal handler being useful at all after root privileges have been dropped; perhaps a "softer" form of reset which respects persist-key/persist-tun in this case is better?


Regards, David

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
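An added illustration, not part of David's post: a constructed newsyslog.conf entry that would produce the behaviour he describes, beside the corrected one. The log file and pid file paths are assumptions. The field layout (logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]) is that of newsyslog.conf(5), and when the pid file and signal are omitted newsyslog falls back to sending SIGHUP to syslogd via /var/run/syslog.pid, which is the fix David applied.

```conf
# /etc/newsyslog.conf (constructed example; log and pid file paths are assumptions)
# logfilename        [owner:group] mode count size when flags [/pid_file]          [sig_num]

# Misconfigured: rotating the log signals the OpenVPN daemon with the default
# signal, SIGHUP. OpenVPN treats SIGHUP as a hard restart, tries to re-read the
# root-only key file as user "vpn", fails with "Cannot load private key file",
# and exits, exactly as in the log excerpt above.
/var/log/openvpn.log               640  7     100  *    JC    /var/run/openvpn.pid

# Corrected: no pid file, so newsyslog sends SIGHUP to syslogd
# (/var/run/syslog.pid), which reopens the rotated file. OpenVPN logs through
# syslog and is never signalled, so the privilege-dropped daemon keeps the key
# it loaded at startup.
/var/log/openvpn.log               640  7     100  *    JC
```

If a restart of the daemon on rotation were actually wanted, the OpenVPN manual documents SIGUSR1 as the conditional "soft" restart that --persist-key and --persist-tun apply to, and SIGHUP as the hard restart that re-reads the whole configuration, which is why SIGHUP cannot succeed once --user has dropped root.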