Netgate Discussion Forum

OpenVPN - New Connection Rate Limit
bert64:

Is it possible to rate limit new connections to OpenVPN while not affecting the speed of already established connections?

Currently the authentication process for OpenVPN takes a few seconds, and when clients connect one at a time this is no problem. But if the server reboots, then all the clients try to connect simultaneously once it comes back online, and the combined load causes authentication to take so long that the clients time out; then they reconnect and try again, further compounding the problem.

Is there any way to rate limit connections, so that the OpenVPN server is not overloaded by lots of clients connecting at once?

jimp (Rebel Alliance Developer, Netgate):

There does not appear to be any way to limit that as far as I can tell. The clients will naturally attempt to reconnect in 60s, so I'm not sure what a rate limit would solve that their own reconnection won't solve the same way. Either way the client would be turned away and have to wait 60s+ to reconnect.

        You could maybe use firewall rule state limits if OpenVPN was using TCP, but TCP is awful for a VPN transport.

bert64:

The reconnection 60 seconds later is what causes the problem.
Because the authentication process takes some time (large certs, relatively slow CPU), authentication of a single client takes around 15 seconds… When 10 clients try to connect at once, authentication takes 150 seconds, but the clients time out after 60 and start over, so no client ever gets authenticated and they're all constantly trying to connect, tying up the CPU doing authentication.

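To make the arithmetic in that post concrete, here is an added simulation (not from the thread and not OpenVPN's own code) of the reconnect storm under the assumption that the server's CPU is shared equally by all handshakes in progress. The `max_concurrent` knob is a hypothetical admission limit standing in for the rate limit the original poster asks about, so the same model also shows what such a limit would change.

```python
import random

def simulate(n_clients, max_concurrent=None, auth_cpu=15.0, timeout=60.0,
             retry=60.0, jitter=0.0, horizon=1800.0, dt=0.5, seed=1):
    """Processor-sharing model of the reconnect storm described in the thread.

    All clients try to connect at t=0 (the server has just rebooted). Each
    handshake needs `auth_cpu` CPU-seconds and the CPU is shared equally by
    every handshake in progress, so n simultaneous handshakes each take about
    n*auth_cpu wall-clock seconds. A client abandons a handshake that has not
    completed within `timeout` seconds and retries `retry` (+ up to `jitter`)
    seconds later; the CPU already spent on it is wasted. `max_concurrent` is
    a hypothetical admission limit: extra handshakes are refused and retried.
    Returns (number_authenticated, sorted completion times).
    """
    rng = random.Random(seed)
    remaining = [auth_cpu] * n_clients   # CPU-seconds still needed
    started = [None] * n_clients         # start time of handshake in progress
    next_try = [0.0] * n_clients         # when the client next tries
    finished = {}                        # client index -> completion time
    t = 0.0
    while t < horizon and len(finished) < n_clients:
        active = [i for i in range(n_clients) if started[i] is not None]
        for i in range(n_clients):
            if i in finished or started[i] is not None or next_try[i] > t:
                continue
            if max_concurrent is not None and len(active) >= max_concurrent:
                next_try[i] = t + retry + rng.uniform(0, jitter)  # turned away
            else:
                started[i], remaining[i] = t, auth_cpu
                active.append(i)
        share = dt / len(active) if active else 0.0
        for i in active:
            remaining[i] -= share
            if remaining[i] <= 0:
                finished[i] = t + dt
                started[i] = None
            elif t + dt - started[i] >= timeout:
                started[i] = None                      # client gave up
                next_try[i] = t + dt + retry + rng.uniform(0, jitter)
        t += dt
    return len(finished), sorted(finished.values())


if __name__ == "__main__":
    for n, cap in ((4, None), (10, None), (10, 4)):
        done, times = simulate(n, max_concurrent=cap)
        print(f"{n} clients, admission limit {cap}: {done} authenticated, "
              f"last at t={times[-1] if times else None}")
```

With the thread's numbers (15 CPU-seconds per handshake, 60 s client timeout, 60 s retry) four clients all finish at t=60 but five or more never finish, whereas admitting at most four at a time gets all ten through by t=150.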
Derelict (LAYER 8, Netgate):

            Smaller certs? Faster CPU?

            10 client connections should be nothing for anything close to modern.

            Are you sure there's not some other delay somewhere?

Pippin:

This is probably OpenVPN's problem.
There was a discussion about this on the OpenVPN mailing list some time ago.
Maybe take a look there in the list's archive?

Regards
