Slackware Current and Stable OpenVPN packages have been upgraded to version 2.4.6.
This caused issues, not because of OpenVPN itself, but because /etc/rc.d/rc.openvpn has changed and I had to adapt.
After the upgrade, I noticed that the OpenVPN process was closing somehow, and I would be "disconnected" from the internet. "Disconnected" because I have IPTables rules in place that only allow access to the internet through the VPN.
I triple-checked the VPN .conf files and nothing worked. The next thing was to check if anything appeared in /var/log/, and indeed /var/log/syslog gave some clues:
Apr 28 00:01:29 compass openvpn[17181]: Error opening 'Auth' auth file: /etc/openvpn/credentials.txt: Permission denied (errno=13)
Apr 28 00:01:29 compass openvpn[17181]: ERROR: Linux route delete command failed: external program exited with error status: 2
Apr 28 00:01:29 compass last message repeated 3 times
Apr 28 00:01:29 compass openvpn[17181]: Linux ip addr del failed: external program exited with error status: 2
Apr 28 07:24:14 compass openvpn[15891]: WARNING: file '/etc/openvpn/credentials.txt' is group or others accessible
Apr 28 07:24:14 compass openvpn[15892]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Apr 28 07:24:14 compass openvpn[15892]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Apr 28 07:24:15 compass openvpn[15892]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1570'
Apr 28 07:24:15 compass openvpn[15892]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-128-CBC'
Apr 28 07:24:15 compass openvpn[15892]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Apr 28 07:24:15 compass openvpn[15892]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 28 07:32:50 compass openvpn[15892]: event_wait : Interrupted system call (code=4)
Apr 28 07:32:50 compass openvpn[15892]: ERROR: Linux route delete command failed: external program exited with error status: 2
Apr 28 07:32:50 compass last message repeated 3 times
Apr 28 07:32:50 compass openvpn[15892]: Linux ip addr del failed: external program exited with error status: 2
Apr 28 07:34:13 compass openvpn[16641]: WARNING: file '/etc/openvpn/credentials.txt' is group or others accessible
Apr 28 07:34:14 compass openvpn[16642]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1570'
Apr 28 07:34:14 compass openvpn[16642]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-128-CBC'
Apr 28 07:34:14 compass openvpn[16642]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Apr 28 07:34:14 compass openvpn[16642]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
So basically I had to do two things:
1. Make /etc/openvpn/credentials.txt root:nobody instead of root:root, because /etc/rc.d/rc.openvpn (check it out) now runs as user:group nobody:nobody.
2. Add persist-tun and persist-key to my OpenVPN config files.
You'll notice above that credentials.txt has the "Permission denied" message, and then "group or others accessible". That's because I changed the user:group and syslog caught up on that.
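The two fixes above can be checked mechanically before restarting the VPN. The shell function below is an added example, not part of the original post or of Slackware's rc.openvpn; the names audit_ovpn and has_directive are hypothetical. It assumes GNU stat, that the daemon's group is nobody unless another is passed, and that a relative auth-user-pass path is relative to the config file's directory.

```shell
# Added example: audit an OpenVPN client config for the two problems above.
# Assumes GNU stat (as on Slackware). Function names are hypothetical.
# Usage: audit_ovpn CONF [GROUP]      (GROUP defaults to "nobody")
# Prints one finding per line; the return status is the number of findings.

has_directive() {   # has_directive CONF NAME
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

audit_ovpn() {
    conf=$1 want_group=${2:-nobody} n=0

    for d in persist-tun persist-key; do
        if ! has_directive "$conf" "$d"; then
            echo "MISSING $d: restarts may fail after privileges are dropped"
            n=$((n + 1))
        fi
    done

    # First auth-user-pass line that names a file (the bare form prompts instead).
    cred=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$conf")
    [ -n "$cred" ] || return "$n"
    # Assumption: relative paths are resolved against the config's directory.
    case $cred in /*) ;; *) cred=$(dirname "$conf")/$cred ;; esac

    if [ ! -e "$cred" ]; then
        echo "NOFILE $cred"
        return $((n + 1))
    fi

    set -- $(stat -c '%a %G' "$cred")       # e.g. "640 nobody"
    mode=$1 group=$2
    other=${mode#"${mode%?}"}               # last octal digit: others
    rest=${mode%?}
    grp=${rest#"${rest%?}"}; grp=${grp:-0}  # second-to-last digit: group

    if [ "$other" != 0 ]; then
        echo "EXPOSED $cred: mode $mode lets other users access it"
        n=$((n + 1))
    fi
    if [ "$group" != "$want_group" ] || [ "$grp" -lt 4 ]; then
        echo "UNREADABLE $cred: group $group mode $mode, $want_group cannot read it"
        n=$((n + 1))
    fi
    return "$n"
}
```

Source the file and run `audit_ovpn /etc/openvpn/yourvpn.conf`; a return status of 0 means persist-tun and persist-key are set and the credentials file is group-readable by nobody with no access for other users.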
It's a good idea to keep the old rc.openvpn around if you upgrade OpenVPN, so you can check what changed between versions.
With OpenVPN 2.4.* you can now use cipher negotiation (GCM was added), so you have more options to choose from if your VPN provider supports them.
The warnings link-mtu, cipher and so on are nothing to worry about from what I researched.
The "Linux route" and "ip addr" messages are because OpenVPN is trying to create a route that already exists (from what I've read), so they would probably go away if I restarted my network.
I'll make a separate thread soon with my /etc/rc.d/rc.firewall configuration.
If you're in a hurry or want something else, check /usr/doc/openvpn-2.4.6/sample-config-files/ where you can find plenty of examples.