fac / auth-script-openvpn Goto Github PK

OpenVPN plugin to auth connections using non-blocking external script

License: Apache License 2.0

Makefile 7.56% C 92.44%

auth-script-openvpn's Introduction

OpenVPN Auth Script Plugin

Runs an external script to decide whether to authenticate a user or not. Useful for checking 2FA on VPN auth attempts as it doesn't block the main openvpn process, unlike passing the script to --auth-user-pass-verify flag.

The idea of the plugin is to do as little as possible, and let the external binary do all the heavy lifting itself.

Installation

Compile the shared library with make plugin and copy openvpn-plugin-auth-script.so into your lib/openvpn/plugins/ folder.

Copy your external script onto the machine in a sane place, making sure it's executable by the user openvpn is running as.

Configure the plugin in your openvpn config, passing the path to the external script as the second argument:

plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh

The plugin will also pass any strings provided after the script name as arguments to the script execution:

plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh arg1 arg2 argN

External Script requirements

The script used to handle authentication has a very specific set of skills it needs, and if you don't provide those it will hunt you down in silence.

It needs to:

Be executable by the user openvpn runs as
Read username and password from the ENV to check them
Read auth_control_file from the ENV and write a single character to that path to signify auth success/failure
- To allow authentication, write 1 to the file
- To block authentication, write 0 to the file
Exit with status code 0
Not depend on PATH variable (eg, don't use /usr/bin/env in shebang)

Example env the script is called in:

PWD=/
SHLVL=0
auth_control_file=/tmp/openvpn_acf_9090e6750844ee26d7f23efbad0e95c2.tmp
config=/opt/local/etc/openvpn/testvpn.conf
daemon=1
daemon_log_redirect=0
daemon_pid=10502
daemon_start_time=1488892554
dev=tun0
dev_type=tun
ifconfig_local=192.168.2.1
ifconfig_remote=192.168.2.2
link_mtu=1572
local_port_1=1194
password=b
proto_1=tcp-server
redirect_gateway=0
remote_port_1=1194
route_gateway_1=192.168.2.2
route_netmask_1=255.255.255.0
route_network_1=192.168.2.0
route_vpn_gateway=192.168.2.2
script_context=init
tun_mtu=1500
untrusted_ip=192.168.3.4
untrusted_port=54357
username=a
verb=9

Static Challenge

If you're using static-challenge, you might wonder where the response value is in the env hash. See the OpenVPN management-notes docs for more info, but it's passed as part of the password.

The format in the env password value is SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>

License

See LICENSE.

auth-script-openvpn's People

Contributors

Stargazers

Watchers

auth-script-openvpn's Issues

Support for CentOS 6?

Compiling is failing for me on CentOS 6. older gcc?

[mw@test auth-script-openvpn-master]# make
cc -O -Wall -Wextra -Wformat-security -fstack-protector-strong -D_FORTIFY_SOURCE=2 -std=c99 -D_POSIX_C_SOURCE=200809L -fPIC -shared -o auth_script.so auth_script.c
cc1: error: unrecognized command line option "-fstack-protector-strong"
make: *** [plugin] Error 1.

[mw@test auth-script-openvpn-master]# rpm -q openvpn gcc glibc
openvpn-2.4.4-1.el6.i686
gcc-4.4.7-18.el6.i686
glibc-2.12-1.209.el6_9.2.i686

Thanks, Mark

child exists with status 2

Hi,

no matter what I do, where I place the script I'm always getting "exit status 2".

System: Oracle Linux 8.1 (Selinux disabled)
OpenVPN: 2.4.8

10.10.10.10:59549 PLUGIN_CALL: PRE type=PLUGIN_AUTH_USER_PASS_VERIFY
10.10.10.10:59549 ARGV[0] = '/lib64/openvpn/plugins/openvpn-plugin-auth-script.so'
10.10.10.10:59549 ENVP[0] = 'auth_control_file=/tmp/openvpn_acf_44f1c1f2166e154e656d559c30225d72.tmp'
10.10.10.10:59549 ENVP[1] = 'untrusted_port=59549'
10.10.10.10:59549 ENVP[2] = 'untrusted_ip=10.10.10.10'
10.10.10.10:59549 ENVP[4] = 'username=mysecretuser'
10.10.10.10:59549 ENVP[5] = 'IV_GUI_VER=OpenVPN_GUI_11'
10.10.10.10:59549 ENVP[6] = 'IV_TCPNL=1'
10.10.10.10:59549 ENVP[7] = 'IV_COMP_STUBv2=1'
10.10.10.10:59549 ENVP[8] = 'IV_COMP_STUB=1'
10.10.10.10:59549 ENVP[9] = 'IV_LZO=1'
10.10.10.10:59549 ENVP[10] = 'IV_LZ4v2=1'
10.10.10.10:59549 ENVP[11] = 'IV_LZ4=1'
10.10.10.10:59549 ENVP[12] = 'IV_NCP=2'
10.10.10.10:59549 ENVP[13] = 'IV_PROTO=2'
10.10.10.10:59549 ENVP[14] = 'IV_PLAT=win'
10.10.10.10:59549 ENVP[15] = 'IV_VER=2.4.8'
10.10.10.10:59549 ENVP[16] = 'remote_port_1=443'
10.10.10.10:59549 ENVP[17] = 'local_port_1=443'
10.10.10.10:59549 ENVP[18] = 'proto_1=tcp-server'
10.10.10.10:59549 ENVP[19] = 'daemon_pid=5588'
10.10.10.10:59549 ENVP[20] = 'daemon_start_time=1584123802'
10.10.10.10:59549 ENVP[21] = 'daemon_log_redirect=1'
10.10.10.10:59549 ENVP[22] = 'daemon=0'
10.10.10.10:59549 ENVP[23] = 'verb=7'
10.10.10.10:59549 ENVP[24] = 'config=server.conf'
10.10.10.10:59549 ENVP[25] = 'script_context=init'
10.10.10.10:59549 ENVP[26] = 'tun_mtu=1500'
10.10.10.10:59549 ENVP[27] = 'link_mtu=1655'
10.10.10.10:59549 ENVP[28] = 'dev=tap0'
10.10.10.10:59549 ENVP[29] = 'dev_type=tap'
10.10.10.10:59549 ENVP[30] = 'redirect_gateway=0'
PLUGIN auth-script: FUNC: openvpn_plugin_func_v3
PLUGIN auth-script: Handling auth with deferred script
PLUGIN auth-script: Deferred handler using script_path=/tmp/ovpn-auth-script
PLUGIN auth-script: child pid is 5607
10.10.10.10:59549 PKCS#11: Terminating openssl
10.10.10.10:59549 PKCS#11: Removing providers
10.10.10.10:59549 PKCS#11: Releasing sessions
10.10.10.10:59549 PKCS#11: Terminating slotevent
10.10.10.10:59549 PKCS#11: Marking as uninitialized
PLUGIN auth-script: child pid 5607 exited with status 2
10.10.10.10:59549 PLUGIN_CALL: POST /lib64/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2

I've tried it with a simpla bash script (placed in /tmp or /usr/local/bin):

#!/bin/bash

echo "Running: " > /tmp/openvpn-sciprt-auth-test.viper

exit 0

And also with a simple perl:

#!/bin/perl

use strict;
use warnings;

my $filename = '/tmp/report.txt';
open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
print $fh "My first report generated by perl\n";
close $fh;

Both script runs ok, if I run them manually. It does not matter either if openvpn runs under root or special user. Path is always correct (verified with copy-paste).

What can be the matter?

Suggession

Probably its common sense but update the readme with an instruction to remove the:

auth-user-pass-verify /path/to/external/previous-auth-script.sh

line after putting in:

plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh

Otherwise OpenVPN will run both of them.

Auth hangs if script fails to exec

Configure the plugin to call a script that doesn't exist
execve call will fail and log it's failure to exec
Currently openvpn will keep the auth pending until the timeout for deferred authentication is triggered, at which point the auth will fail.

We know the authentication can't succeed once the exec fails, it would be nice if the plugin error handler for execve wrote an auth failure to the auth_control_file so we failed quicker.

support OpenVPN 2.4/compiler issues?

Hi,

I'm trying to compile the plugin on CentOS 7 which currently has OpenVPN 2.4.2. I installed the openvpn-devel package which includes /usr/include/openvpn-plugin.h before attempting make.

$ rpm -q openvpn gcc glibc
openvpn-2.4.2-2.el7.x86_64
gcc-4.8.5-11.el7.x86_64
glibc-2.17-157.el7_3.1.x86_64

Building:

$ make 
gcc -std=c99 -Wall -Wextra -Wformat-security -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIC -shared -I. -c auth_script.c
In file included from /usr/include/errno.h:28:0,
                 from auth_script.c:18:
/usr/include/features.h:330:4: warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
 #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
    ^
In file included from auth_script.c:19:0:
/usr/include/openvpn-plugin.h:271:53: error: unknown type name ‘size_t’
 typedef void (*plugin_secure_memzero_t)(void *data, size_t len);
                                                     ^
/usr/include/openvpn-plugin.h:294:5: error: unknown type name ‘plugin_secure_memzero_t’
     plugin_secure_memzero_t plugin_secure_memzero;
     ^
auth_script.c: In function ‘handle_sigchld’:
auth_script.c:39:3: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration]
   while(waitpid((pid_t)(-1), 0, WNOHANG) > 0) {}
   ^
auth_script.c:39:18: error: ‘pid_t’ undeclared (first use in this function)
   while(waitpid((pid_t)(-1), 0, WNOHANG) > 0) {}
                  ^
auth_script.c:39:18: note: each undeclared identifier is reported only once for each function it appears in
auth_script.c:39:33: error: ‘WNOHANG’ undeclared (first use in this function)
   while(waitpid((pid_t)(-1), 0, WNOHANG) > 0) {}
                                 ^
auth_script.c: In function ‘deferred_handler’:
auth_script.c:50:20: error: storage size of ‘sa’ isn’t known
   struct sigaction sa;
                    ^
auth_script.c:51:3: warning: implicit declaration of function ‘strdup’ [-Wimplicit-function-declaration]
   char *script_path = strdup(context->script_path);
   ^
auth_script.c:51:23: warning: initialization makes pointer from integer without a cast [enabled by default]
   char *script_path = strdup(context->script_path);
                       ^
auth_script.c:57:3: warning: implicit declaration of function ‘sigemptyset’ [-Wimplicit-function-declaration]
   sigemptyset(&sa.sa_mask);
   ^
auth_script.c:58:17: error: ‘SA_RESTART’ undeclared (first use in this function)
   sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
                 ^
auth_script.c:58:30: error: ‘SA_NOCLDSTOP’ undeclared (first use in this function)
   sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
                              ^
auth_script.c:60:3: warning: implicit declaration of function ‘sigaction’ [-Wimplicit-function-declaration]
   if (sigaction(SIGCHLD, &sa, 0) == -1) {
   ^
auth_script.c:50:20: warning: unused variable ‘sa’ [-Wunused-variable]
   struct sigaction sa;
                    ^
auth_script.c: In function ‘openvpn_plugin_open_v3’:
auth_script.c:175:26: warning: assignment makes pointer from integer without a cast [enabled by default]
     context->script_path = strdup(arguments->argv[1]);
                          ^
make: *** [plugin] Error 1

The "included" OpenVPN defer test plugin compiles without issues:

$ cp -r /usr/share/doc/openvpn-2.4.2/sample/sample-plugins/defer ~/
$ cd defer/
$ sh ./build simple
$ ls -l simple*
-rw-r--r--. 1 centos centos  9982 May 23 09:25 simple.c
-rw-r--r--. 1 centos centos   178 May 23 09:25 simple.def
-rw-rw-r--. 1 centos centos 26664 May 23 09:25 simple.o
-rwxrwxr-x. 1 centos centos 25400 May 23 09:25 simple.so

Small delay on authentication.

There is small delay of a few seconds when users get authenticated with this .so. Here is an example:

Fri Jun  7 14:51:22 2019 us=127255 MULTI: multi_create_instance called
Fri Jun  7 14:51:22 2019 us=127302 Re-using SSL/TLS context
Fri Jun  7 14:51:22 2019 us=127356 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Jun  7 14:51:22 2019 us=127369 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri Jun  7 14:51:22 2019 us=127403 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Jun  7 14:51:22 2019 us=127409 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Jun  7 14:51:22 2019 us=127450 TCP connection established with [AF_INET]192.168.121.1:47448
Fri Jun  7 14:51:22 2019 us=127456 TCPv4_SERVER link local: (not bound)
Fri Jun  7 14:51:22 2019 us=127463 TCPv4_SERVER link remote: [AF_INET]192.168.121.1:47448
Fri Jun  7 14:51:23 2019 us=127998 192.168.121.1:47448 TLS: Initial packet from [AF_INET]192.168.121.1:47448, sid=64d63019 fa9c6f15
Fri Jun  7 14:51:23 2019 us=154159 192.168.121.1:47448 peer info: IV_VER=2.4.7
Fri Jun  7 14:51:23 2019 us=154195 192.168.121.1:47448 peer info: IV_PLAT=linux
Fri Jun  7 14:51:23 2019 us=154208 192.168.121.1:47448 peer info: IV_PROTO=2
Fri Jun  7 14:51:23 2019 us=154220 192.168.121.1:47448 peer info: IV_NCP=2
Fri Jun  7 14:51:23 2019 us=154230 192.168.121.1:47448 peer info: IV_LZ4=1
Fri Jun  7 14:51:23 2019 us=154241 192.168.121.1:47448 peer info: IV_LZ4v2=1
Fri Jun  7 14:51:23 2019 us=154251 192.168.121.1:47448 peer info: IV_LZO=1
Fri Jun  7 14:51:23 2019 us=154261 192.168.121.1:47448 peer info: IV_COMP_STUB=1
Fri Jun  7 14:51:23 2019 us=154272 192.168.121.1:47448 peer info: IV_COMP_STUBv2=1
Fri Jun  7 14:51:23 2019 us=154283 192.168.121.1:47448 peer info: IV_TCPNL=1
Fri Jun  7 14:51:23 2019 us=155778 192.168.121.1:47448 PLUGIN_CALL: POST /root/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Fri Jun  7 14:51:23 2019 us=155880 192.168.121.1:47448 TLS: Username/Password authentication deferred for username 'FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3' [CN SET]
Fri Jun  7 14:51:23 2019 us=156630 192.168.121.1:47448 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
Fri Jun  7 14:51:23 2019 us=156721 192.168.121.1:47448 [FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3] Peer Connection Initiated with [AF_INET]192.168.121.1:47448
Fri Jun  7 14:51:24 2019 us=283465 192.168.121.1:47448 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun  7 14:51:24 2019 us=283627 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 MULTI_sva: pool returned IPv4=10.202.0.10, IPv6=(Not enabled)
okFri Jun  7 14:51:24 2019 us=311863 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 OPTIONS IMPORT: reading client specific options from: /dev/shm//openvpn_cc_3ebc5a271b15743f1ae661976e3ed9a2.tmp
Fri Jun  7 14:51:24 2019 us=312057 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 MULTI: Learn: 10.202.0.10 -> FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448
Fri Jun  7 14:51:24 2019 us=312101 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 MULTI: primary virtual IP for FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448: 10.202.0.10

Fri Jun  7 14:51:29 2019 us=444439 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun  7 14:51:29 2019 us=444563 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 SENT CONTROL [FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 9.9.9.9,route 10.202.0.1,topology net30,ifconfig 10.202.0.10 10.202.0.9,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Jun  7 14:51:29 2019 us=444628 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Jun  7 14:51:29 2019 us=444711 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
Fri Jun  7 14:51:29 2019 us=445077 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jun  7 14:51:29 2019 us=445140 FadZR0cO1YnqMeXOXH7k1KbghDmbO6ttBISLuCgh3MHQZ87WE3mYXROZx9jk3/192.168.121.1:47448 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

This behavior was strange since the bash script returned successful result at Fri Jun 7 14:51:23 UTC 2019, but access was granted at 14:51:29

EFAULT when running php script

Php with proper shebang fails with EFAULT.

Once I add another .sh wrapper and run php from it - it works.

Any ideas?

push "auth-token" - not working

My script gets called on every renegotiation, but no matter if I write to auth_control_file or allow / fail with exit code - session would still expire.

I don't think it handles tokens properly.

Incompatible with OpenVPN 2.4.4

This may just be an issue with the makescript, or issues with something in code.
openvpn-devel and gcc packages were available on this system before running make.

Environment:
OpenVpn 2.4.4
Centos 7

gcc -std=c99 -Wall -Wextra -Wformat-security -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIC -shared -I. -c auth_script.c
In file included from /usr/include/errno.h:28:0,
                 from auth_script.c:18:
/usr/include/features.h:330:4: warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
 #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
    ^
auth_script.c: In function ‘handle_sigchld’:
auth_script.c:39:3: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration]
   while(waitpid((pid_t)(-1), 0, WNOHANG) > 0) {}
   ^
auth_script.c:39:18: error: ‘pid_t’ undeclared (first use in this function)
   while(waitpid((pid_t)(-1), 0, WNOHANG) > 0) {}
                  ^
auth_script.c:39:18: note: each undeclared identifier is reported only once for each function it appears in
auth_script.c:39:33: error: ‘WNOHANG’ undeclared (first use in this function)
   while(waitpid((pid_t)(-1), 0, WNOHANG) > 0) {}
                                 ^
auth_script.c: In function ‘deferred_handler’:
auth_script.c:50:20: error: storage size of ‘sa’ isn’t known
   struct sigaction sa;
                    ^
auth_script.c:51:3: warning: implicit declaration of function ‘strdup’ [-Wimplicit-function-declaration]
   char *script_path = strdup(context->script_path);
   ^
auth_script.c:51:23: warning: initialization makes pointer from integer without a cast [enabled by default]
   char *script_path = strdup(context->script_path);
                       ^
auth_script.c:57:3: warning: implicit declaration of function ‘sigemptyset’ [-Wimplicit-function-declaration]
   sigemptyset(&sa.sa_mask);
   ^
auth_script.c:58:17: error: ‘SA_RESTART’ undeclared (first use in this function)
   sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
                 ^
auth_script.c:58:30: error: ‘SA_NOCLDSTOP’ undeclared (first use in this function)
   sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
                              ^
auth_script.c:60:3: warning: implicit declaration of function ‘sigaction’ [-Wimplicit-function-declaration]
   if (sigaction(SIGCHLD, &sa, 0) == -1) {
   ^
auth_script.c:50:20: warning: unused variable ‘sa’ [-Wunused-variable]
   struct sigaction sa;
                    ^
auth_script.c: In function ‘openvpn_plugin_open_v3’:
auth_script.c:175:26: warning: assignment makes pointer from integer without a cast [enabled by default]
     context->script_path = strdup(arguments->argv[1]);
                          ^
make: *** [plugin] Error 1

Issue building on Ubuntu 19.04

Hey

Thanks so much for creating and releasing this!

I had an issue building it on Ubuntu 19.04 with OpenVPN so I thought I would share them here in case anyone else had the same troubles

When I called make plugin, I was getting an error that openvpn-plugin.h could not be found.
On some further investigation, I found that by changing line 21 from:

#include <openvpn-plugin.h>
to:
#include <openvpn/openvpn-plugin.h>

It was able to build and work perfectly.

My linux knowledge is fairly limited so I don't know what a proper fix for this would be :)

Dynamic challenge/response protocol

Just getting started with this and it's great... thank you.

While I'm happy that my VPN will be more secure... I'm expecting that MFA every time I open and close my laptop will be a hassle. I'd like to add some logic in the auth script to accept the password and not prompt for MFA if there have been recent auth success for a given time period. But if my client is configured for "static-challenge" then it will prompt every time.

Can the plugin support the dynamic challenge/response protocol?

Zombie processes after calling auth script

We have a weird issue whereby every time a new client joins the VPN and the auth script is called, a zombie process is created that never goes away and eventually, the zombie processes eat up all the resources on the server.

The zombie processes look this this:

$ ps -aux | grep defunct
root      1789  0.0  0.0      0     0 ?        Zs   14:46   0:00 [ruby] <defunct>
root      1859  0.0  0.0      0     0 ?        Zs   15:46   0:00 [ruby] <defunct>
root      1939  0.8  0.0      0     0 ?        Zs   16:25   0:00 [ruby] <defunct>
root      1944  1.7  0.0      0     0 ?        Zs   16:25   0:00 [ruby] <defunct>

And their parent process ID's are the main OpenVPN process.

The Ruby script we are using to do the authentication is very similar to the example script in this project.

Anyone have any ideas how to get rid of these zombies?

Running Ubuntu 18.04 and OpenVPN 2.4.7 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 5 2019