Topic: SME 9 x86_64, OpenVPN fails since the last update

[Arnaud]

Hi,

the server OpenVPN-routed of my SME9 x86-64 64 bits fails since the update from yesterday:

Code: [Select]

openvpn.x86_64                          2.4.1-3.el6                  smecontribs
php-fedora-autoloader.noarch            1.0.0-0.1.rc1.el6            smecontribs
On the client I get the message:

Code: [Select]

read UDP [ECONREFUSED]: Connection refused (code=111)
And the journal of the SME is contains a mountain of:

Code: [Select]

PLUGIN_INIT: could not load plugin shared object /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory: No such file or directory (errno=2)
Exiting due to fatal error
I had a check into the file system:
- I don't have any folder "/usr/lib/openvpn"
- but I have a folder with the missing file "/usr/lib64/openvpn/plugins/openvpn-auth-pam.so"

=> I will try to make a temporary symbolic link

What do you think?
Bye
Arnaud

[CharlieBrady]

What do you think?

I think you should report the problem via the Bug Tracker. There's a link at the top of this forum.

[Stefano]

something is wrong on your side.. is your server a fresh install? do you have any custom template?

I guess you're using smeserver-openvpn-bridge

on a fresh install (x86_64), in /etc/openvpn/bridge/openvpn.conf I read

Code: [Select]

# Plugin for user-auth
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

that comes from /etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/40userAuth

which is your smeserver-openvpn-bridge release?
mine is smeserver-openvpn-bridge-2.1-7

[guest22]

'update since yesterday'

Did you catch the new updates from CentOS 6.9 perhaps?

[Stefano]

I don't think so, centos6.9 updates are available since today

in any case, we need feedback from Arnaud

[Jean-Philippe Pialasse]

works for me as Stefano

# rpm -qa |grep openvp
smeserver-openvpn-bridge-2.1-7.el6.sme.noarch
openvpn-2.4.1-3.el6.x86_64

the update was from smecontribs as per first post, and was propagated there from epel.

I suggest also the presence of a template-custom.

[Arnaud]

Hi,
thanks for the replies.

I think you should report the problem via the Bug Tracker.

If the problem comes from the update and not from my config, I'll do it. I just want to be sure before, in order to avoid to create a bug-report because of an error sitting between chair and keyboard...

something is wrong on your side.. is your server a fresh install? do you have any custom template?

The server isn't a fresh install but was absolutely up to date since the update of last Tuesday.
As it is a "working" machine, I have of course some custom templates, but I don't think (I had a look into my setups) to have any dealing in direction of openvpn

I guess you're using smeserver-openvpn-bridge

Yes, I have smeserver-openvpn-bridge installed, but disabled at this time.
I have smeserver-openvpn-routed installed too and enabled. This is what makes trouble since the update of the rpm "openvpn". The messages of error into the journal are coming from this service.

on a fresh install (x86_64), in /etc/openvpn/bridge/openvpn.conf I read

Code: [Select]

# Plugin for user-auth
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login


By me too.
I had a look into /etc/openvpn/routed and here there is:

Code: [Select]

plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login

that comes from /etc/e-smith/templates/etc/openvpn/bridge/openvpn.conf/40userAuth

I will have a look!
I didn't update my backup server => on it I have the state before Tuesday => I will have a look an it too!

which is your smeserver-openvpn-bridge release?
mine is smeserver-openvpn-bridge-2.1-7

by me too.

The release of smeserver-openvpn-routed is smeserver-openvpn-routed-0.1.5-1 (repo FWS)

'update since yesterday'
Did you catch the new updates from CentOS 6.9 perhaps?

No, I have made no supplementary update since Tuesday.
I know that some new updates are available since today but I won't run them before this issue isn't solved (I don't want to add some potential problems...)

Thanks for the help.
Bye
Arnaud

[Stefano]

well.. it seems that smeserver-openvpn-routed has a bug

please check your custom templates and open a bug, thank you

[Arnaud]

On the not updated server:
- /etc/openvpn/routed:

Code: [Select]

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login
- etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth:

Code: [Select]

{
    my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
    if ($userAuth eq 'CrtWithPass'){
        my $plugin_dir = (-d "/usr/lib64/openvpn/plugin/lib") ?
                  '/usr/lib64/openvpn/plugin/lib':'/usr/lib/openvpn/plugin/lib';
        $OUT .= "plugin ".$plugin_dir."/openvpn-auth-pam.so login\n";
    }
    $OUT .= '';
}
On the updated server:
- /etc/openvpn/routed:
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login

- etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/40auth:

Code: [Select]

{
    my $userAuth = ${'openvpn-routed'}{Authentication} || 'CrtWithPass';
    if ($userAuth eq 'CrtWithPass'){
        my $plugin_dir = (-d "/usr/lib64/openvpn/plugin/lib") ?
                  '/usr/lib64/openvpn/plugin/lib':'/usr/lib/openvpn/plugin/lib';
        $OUT .= "plugin ".$plugin_dir."/openvpn-auth-pam.so login\n";
    }
    $OUT .= '';
}
=> the template is the same but the directories of the "openvpn-auth-pam.so" has changed:
On the not updated server:

Code: [Select]

ls /usr/lib64/openvpn
plugin  plugins

ls -l /usr/lib64/openvpn/plugin/lib/
total 0
lrwxrwxrwx 1 root root 53 31 mars  15:54 openvpn-auth-pam.so -> /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
lrwxrwxrwx 1 root root 54 31 mars  15:54 openvpn-down-root.so -> /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
On the updated server:

Code: [Select]

ls /usr/lib64/openvpn
plugins
=> IMHO as the "plugin" directory disappeared  during the update of "openvpn", the template should be modifies by changing the "plugin" into "plugins" by the test "my $plugin_dir = (-d "/usr/lib64/openvpn/plugin/lib") ?"

[Stefano]

since you're the bridged contrib too, check the 40auth fragment in its templates dir..
it'd show you some code that deal with i386 and x86_64 arch

[Arnaud]

good idea!
But it's too late for today -> tomorrow.....

[Arnaud]

Hi,
good news: using the right folders and the right file name makes openvpn-routed run again

Modification of the template:
 

Code: [Select]

my $plugin_dir = (-d "/usr/lib64/openvpn/plugins") ?
                  '/usr/lib64/openvpn/plugins':'/usr/lib/openvpn/plugin/lib';
$OUT .= "plugin ".$plugin_dir."/openvpn-plugin-auth-pam.so login\n";
=> I'll open a bug.

Thanks a lot for your support, it made me find quite rapidly the problem and a possible solution.

Bye
Arnaud

PS: smeserver-openvpn-routed comes from the repo of fws and not smecontribs!
Should I contact Daniel directly?

[Jean-Philippe Pialasse]

Open a bug here, even if it is on fws repo, it has a bug track here : https://bugs.contribs.org/enter_bug.cgi?product=SME%20Contribs


Please post the bug link here after.

[Arnaud]

see the big link: https://bugs.contribs.org/show_bug.cgi?id=10220

[Essary]

Is anyone else still getting this connection error bug with open vpn or is it just me?