diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6b0654d6..738a9749 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -206,7 +206,7 @@ Coverity:
 - tar xfz /tmp/coverity_tool.tgz
 - git submodule update --init
 - autoreconf -fvi
- - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --with-werror
+ - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests
 - cov-analysis-linux64-*/bin/cov-build --dir cov-int make -j$JOBS
 - tar cfz cov-int.tar.gz cov-int
 - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
@@ -231,7 +231,7 @@ Fedora:
 - chmod -R o-w tests/data/raddb
 - git submodule update --init
 - autoreconf -fvi
- - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --with-werror --enable-code-coverage --enable-kerberos-tests --enable-oidc-auth
+ - CFLAGS="-g -O0" ./configure --disable-maintainer-mode --without-docker-tests --enable-code-coverage --enable-kerberos-tests --enable-oidc-auth
 - make -j$JOBS
 - make check -j$JOBS COVERAGE=1
 - make files-update
@@ -324,9 +324,10 @@ ubsan/Fedora:
 - chmod -R o-w tests/data/raddb
 - git submodule update --init
 - autoreconf -fvi
- - CFLAGS="-fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" ./configure --without-docker-tests
+ - export UBCFLAGS="-Wall -Wextra -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2 -Werror"
+ - CFLAGS="$UBCFLAGS" ./configure --without-docker-tests
 - make -j$JOBS
- - make check -j$JOBS
+ - make check -j$JOBS CFLAGS="$UBCFLAGS -Wno-unused-function -Wno-unused-parameter"
 tags:
 - shared
 - linux
diff --git a/configure.ac b/configure.ac
index 46785539..c622c580 100644
--- a/configure.ac
+++ b/configure.ac
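Review bot: In the ubsan/Fedora hunk, `-Werror` is part of `UBCFLAGS` and therefore of the `CFLAGS` that `./configure` itself runs with, next to `-Wall -Wextra`. Autoconf compiles its probe programs with those flags, so a probe that only triggers a warning fails and the header or function is recorded as missing. That can quietly compile a feature out of the one job that still builds with warnings as errors, since the Coverity and Fedora hunks drop `--with-werror`. I would keep `-Werror` out of the exported variable and append it only on the `make` lines, e.g. `- make -j$JOBS CFLAGS="$UBCFLAGS -Werror"`, and compare `config.log` with a run that lacks the flag.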
@@ -323,8 +323,16 @@ fi gl_INIT +AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h crypt.h], [], [], []) + +if test "$ac_cv_header_crypt_h" = yes;then + crypt_header="crypt.h" +else + crypt_header="unistd.h" +fi + AC_LIB_HAVE_LINKFLAGS(crypt,, [#define _XOPEN_SOURCE -#include ], [crypt(0,0);]) +#include <${crypt_header}>], [crypt(0,0);]) AC_ARG_WITH(utmp, AS_HELP_STRING([--without-utmp], [do not use libutil for utmp support]), @@ -358,8 +366,6 @@ AC_CHECK_MEMBER([struct sockaddr.sa_len], #include ]) -AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h crypt.h], [], [], []) - AC_CHECK_FUNCS([setproctitle vasprintf clock_gettime isatty pselect ppoll getpeereid sigaltstack]) AC_CHECK_FUNCS([strlcpy posix_memalign malloc_trim strsep]) diff --git a/src/main-ban.c b/src/main-ban.c index e257f077..dcbb86fa 100644 --- a/src/main-ban.c +++ b/src/main-ban.c @@ -255,6 +255,8 @@ unsigned check_if_banned(main_server_st *s, struct sockaddr_storage *addr, sockl if (db == NULL || GETCONFIG(s)->max_ban_score == 0) return 0; + (void)(txt); + in_size = SA_IN_SIZE(addr_size); if (in_size != 4 && in_size != 16) { mslog(s, NULL, LOG_ERR, "unknown address type for %s", human_addr2((struct sockaddr*)addr, addr_size, txt, sizeof(txt), 0)); diff --git a/src/str.c b/src/str.c index 91d955bf..7f3a00e0 100644 --- a/src/str.c +++ b/src/str.c @@ -174,7 +174,8 @@ int str_replace_str(str_st *str, const str_rep_tab *tab) unsigned length; char *final; unsigned final_len; - int ret, pos; + int ret; + size_t pos; p = str->data; pos = 0; diff --git a/src/tlslib.c b/src/tlslib.c index 6b2429b1..b8f2d0d6 100644 --- a/src/tlslib.c +++ b/src/tlslib.c @@ -430,6 +430,8 @@ static void tls_audit_log_func(gnutls_session_t session, const char *str) { worker_st * ws; + (void)(ws); + if (session == NULL) syslog(LOG_AUTH, "warning: %s", str); else { 
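Review bot: In the `tls_audit_log_func` hunk of src/tlslib.c, `(void)(ws);` evaluates `ws` directly after `worker_st * ws;`, before anything has been stored in it. Compilers accept this in practice, but it is formally a read of an indeterminate value, which sits oddly in a change made to get a clean `-Werror` build under UBSan. Initialising the declaration, `worker_st *ws = NULL;`, keeps the unused-variable suppression without that read. The `else` branch that presumably assigns `ws` continues outside the hunk.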
@@ -568,6 +570,8 @@ static void certificate_check(main_server_st *s, const char *vhostname, gnutls_p const char *cert_name = "unnamed"; time_t t; + (void)cert_name; + ret = gnutls_x509_crt_init(&crt); GNUTLS_FATAL_ERR(ret); diff --git a/src/vpn.h b/src/vpn.h index 8fd2c126..8da0eb6b 100644 --- a/src/vpn.h +++ b/src/vpn.h @@ -268,7 +268,7 @@ struct cfg_st { unsigned rekey_method; /* REKEY_METHOD_ */ time_t min_reauth_time; /* after a failed auth, how soon one can reauthenticate -> in seconds */ - int max_ban_score; /* the score allowed before a user is banned (see vpn.h) */ + unsigned max_ban_score; /* the score allowed before a user is banned (see vpn.h) */ int ban_reset_time; unsigned ban_points_wrong_password; diff --git a/src/worker-privs.c b/src/worker-privs.c index b4997cbd..835a7fc5 100644 --- a/src/worker-privs.c +++ b/src/worker-privs.c @@ -40,6 +40,9 @@ # endif #endif +/* On certain cases gnulib defines gettimeofday as macro; avoid that */ +#undef gettimeofday + int disable_system_calls(struct worker_st *ws) { int ret; diff --git a/src/worker-proxyproto.c b/src/worker-proxyproto.c index 2ff74dce..53d62a8d 100644 --- a/src/worker-proxyproto.c +++ b/src/worker-proxyproto.c @@ -70,7 +70,7 @@ typedef struct pp2_tlv_ssl { uint32_t verify; } _ATTR_PACKED pp2_tlv_ssl; -static void parse_ssl_tlvs(struct worker_st *ws, uint8_t *data, int data_size) +static void parse_ssl_tlvs(struct worker_st *ws, uint8_t *data, size_t data_size) { pp2_tlv tlv; @@ -272,7 +272,7 @@ static int parse_proxy_proto_header_v1(struct worker_st *ws, char *line) int parse_proxy_proto_header(struct worker_st *ws, int fd) { proxy_hdr_v2 hdr; - int data_size; + size_t data_size; uint8_t cmd, family, proto; uint8_t ver; uint8_t *p; diff --git a/tests/generate_oidc_test_data.c b/tests/generate_oidc_test_data.c index 9d2513cc..6637a000 100644 --- a/tests/generate_oidc_test_data.c +++ b/tests/generate_oidc_test_data.c 
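Review bot: With `max_ban_score` now `unsigned` in `struct cfg_st`, a negative value arriving from the configuration would turn into a very large threshold instead of something that can be recognised as invalid. The code that fills this field is not part of the diff, so whether it rejects negatives needs checking. The comment also still says "(see vpn.h)" inside vpn.h itself; `/* score at which a client is banned; 0 disables the ban check */` would say more, the zero case being what `check_if_banned` tests in src/main-ban.c. `ban_reset_time` on the following line stays `int`.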
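Review bot: Changing `data_size` from `int` to `size_t` in `parse_ssl_tlvs` (and in `parse_proxy_proto_header`, the next hunk) removes the negative range, so every `data_size -= ...` on a length taken from the PROXY header has to be preceded by a check that enough bytes remain. Without one the subtraction wraps to a huge value instead of going negative, and a `data_size > 0` style condition would keep parsing past the received data. Both function bodies lie outside the hunks, so whether such guards exist cannot be confirmed from the diff. I would make each step explicit, e.g. `if (data_size < sizeof(pp2_tlv)) return;` before the header is copied, with the same kind of guard before skipping a TLV payload. Any comparison of `data_size` against a signed read result also deserves a second look, because it is now carried out as unsigned.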
@@ -266,7 +266,8 @@ int main(int argc, char **argv) if (!getcwd(working_directory, sizeof(working_directory))) { return 1; } - strncat(working_directory, "/data", sizeof(working_directory)); + strncat(working_directory, "/data", sizeof(working_directory)-1); + working_directory[sizeof(working_directory)-1] = 0; cjose_jwk_t *key = create_key("My Fake Key"); diff --git a/tests/ipv6-prefix.c b/tests/ipv6-prefix.c index e7c99c6c..5cc77cf2 100644 --- a/tests/ipv6-prefix.c +++ b/tests/ipv6-prefix.c @@ -23,18 +23,17 @@ #include "../src/ip-util.h" #include "../src/ip-util.c" -static char* my_ipv6_prefix_to_mask(const char *str, unsigned prefix) +static char* my_ipv6_prefix_to_mask(char str[MAX_IP_STR], unsigned prefix) { struct in6_addr in; - static char out[64]; if (ipv6_prefix_to_mask(&in, prefix) == 0) return NULL; - if (inet_ntop(AF_INET6, &in, out, sizeof(out)) == NULL) + if (inet_ntop(AF_INET6, &in, str, MAX_IP_STR) == NULL) return NULL; - return out; + return str; } int main()
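Review bot: The third argument of `strncat` limits how many bytes are taken from the source, not the size of the destination. `sizeof(working_directory)-1` therefore still lets the whole of `"/data"` be appended when `getcwd` has nearly filled the buffer, and the write then runs past the array. The added `working_directory[sizeof(working_directory)-1] = 0;` does not prevent that, and `strncat` already terminates what it writes. Bound the call by the remaining space instead: `strncat(working_directory, "/data", sizeof(working_directory) - strlen(working_directory) - 1);`. `main` continues outside the hunk.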
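Review bot: `char str[MAX_IP_STR]` in the parameter list of `my_ipv6_prefix_to_mask` is an ordinary `char *` to the compiler, so nothing checks that callers pass a writable buffer of at least `MAX_IP_STR` bytes, which is the size `inet_ntop` is now given. The calls in `main` are outside the hunk, so their buffers cannot be checked here. A comment stating the requirement, `/* str must point to a writable buffer of at least MAX_IP_STR bytes */`, or the C99 form `char str[static MAX_IP_STR]`, would document the contract.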