OpenVPN server performance degrades after auth failures #446

Open
NerijusRazvodovskis opened this issue Nov 10, 2023 · 10 comments

@NerijusRazvodovskis

NerijusRazvodovskis commented Nov 10, 2023

Describe the bug
Authentication failures (using RADIUS) degrade OpenVPN server performance; it is unusable at that moment.

To Reproduce

  1. Create an OpenVPN server
  2. First client should connect with right password.
  3. Second client should try to connect with wrong password.
  4. First client will not be able to use the VPN due to auth failures.

Expected behavior
The server performance shouldn't degrade in such cases.

Version information (please complete the following information):

  • OS: Ubuntu 20.04
  • OpenVPN version: 2.4.7

@cron2
Contributor

cron2 commented Nov 10, 2023

This is a well-known issue. Auth-Plugins and any sort of script that are called from openvpn will block the main process until finished. Plugins or Scripts that are expected to take longer than "very few milliseconds" need to use async/deferred mode, which will return control to OpenVPN right away and deliver the expected results later.

Since you have no information how you are contacting the Radius server (OpenVPN has no Radius support built in, but there are multiple different ways to do that) it's impossible to give more specific advice.

Also, your OpenVPN version is quite old. 2.4.7 was released February 2019. Current version is 2.5.9 or 2.6.6.
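
The deferred mode described in the comment above, as an added example that is not part of the original thread or the OpenVPN project's code: an `auth-user-pass-verify` script that returns exit code 2 and writes the verdict to `auth_control_file` later (deferral from scripts requires OpenVPN 2.6 or later). The `check_backend` function, the script path and the sample credentials are hypothetical stand-ins for a real RADIUS lookup.

```shell
#!/bin/sh
# Added example: deferred auth-user-pass-verify script for OpenVPN 2.6+.
# Assumed server config (path is hypothetical):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/deferred-auth.sh via-file

# Hypothetical stand-in for the slow backend lookup (e.g. a RADIUS request).
# Accepts only the constructed pair alice/correct-horse after a delay.
check_backend() {
    sleep "${BACKEND_DELAY:-2}"
    [ "$1" = "alice" ] && [ "$2" = "correct-horse" ]
}

# $1 is the via-file temp file: username on line 1, password on line 2.
# Starts the check in the background and returns 2, so OpenVPN's main
# process is not blocked while the backend answers.
deferred_verify() {
    # Read the credentials now: OpenVPN deletes the temp file once the
    # script returns.
    { IFS= read -r user && IFS= read -r pass; } < "$1" || return 1
    acf=${auth_control_file:?auth_control_file not set}
    (
        if check_backend "$user" "$pass"; then
            printf '1' > "$acf"    # 1 = accept the client
        else
            printf '0' > "$acf"    # 0 = reject the client
        fi
    ) >/dev/null 2>&1 &
    return 2                       # 2 = authentication deferred
}

# Act as the verify script only when OpenVPN supplies its environment.
if [ -n "${auth_control_file:-}" ] && [ "$#" -ge 1 ]; then
    deferred_verify "$1"
    exit $?
fi
```
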

@NerijusRazvodovskis
Author

Thank you for the answer, anyways, if it is a well-known issue, upgrading OpenVPN won't help in this case.

Right, I will try to search for a plugin which works in async/deferred mode. Thank you for the hints! Appreciate that!

@cron2
Contributor

cron2 commented Nov 13, 2023

If you tell us which plugin you use, we might be able to help...

@NerijusRazvodovskis
Author

I'm using https://github.com/ValdikSS/openvpn-radiusplugin

Upgraded my OpenVPN server to v2.6.7, but seems like this plugin stopped to work from v2.5.0, digging deeper into it

@cron2
Contributor

cron2 commented Nov 17, 2023

We haven't changed anything on the plugin side between 2.5.x and 2.6.x, so it should work just fine. What do the logs say? @ValdikSS any ideas?

@ValdikSS
Contributor

> @ValdikSS any ideas?

Sorry, I no longer maintain or use the plugin. Here's why: ValdikSS/openvpn-radiusplugin#24

If we're talking about OpenVPN from the repository and not self-compiled, take a look at the systemd service file: it may have a forking limit, and this is exactly what radiusplugin does. Try to remove the limit and see if it helps.
But that's just from the top of my head, not based on anything.

@NerijusRazvodovskis
Author

NerijusRazvodovskis commented Nov 17, 2023

Well, actually it throws only:

PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
TLS Auth Error: Auth Username/Password verification failed for peer

If I downgrade it to v2.4.7 - it starts to work 🤷🏻

Perhaps because I don't provide any script to openvpn server config for auth-user-pass-verify? I'm just using plugin inside server configuration.

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
ifconfig-pool-persist ipp.txt
verify-client-cert none
cipher AES-256-CBC
auth SHA512

@cron2
Contributor

cron2 commented Nov 17, 2023

Without a log from the radius plugin it's hard for us to see what is happening - it says "failed", but that could be due to internal API changes (2.4 to 2.5 is a significant change, so it's possible the plugin needs to be updated - sorry I misunderstood the statement "stopped to work from v2.5.0" as meaning "it worked in v2.5.0").

@NerijusRazvodovskis
Author

No problem at all, I'm sorry, English is not my native language. Okay, will try to research for another plugin at the moment.

@NerijusRazvodovskis
Author

NerijusRazvodovskis commented Nov 17, 2023

Plugin was failing due to NerijusRazvodovskis/openvpn-radiusplugin@6a0dc18, it wasn't pushed into the master in @ValdikSS repo.

Anyways, the mentioned issue still exists. :( Should I specify anything at server conf for auth-user-pass-verify or client-connect?
