Netgate Discussion Forum

LDAP latency, caused openVPN timeouts

OpenVPN
4 Posts 3 Posters 768 Views
  Diogen
    last edited by Oct 5, 2018, 8:32 AM

    Hi All,

    I will try to explain my problem:
    I have pfSense with OpenVPN and LDAP authentication. This combination works very well until the number of users goes above 50.
    When the number of users is above 50, any latency on the LDAP server causes timeouts.
    Each request from pfSense/OpenVPN to the LDAP server causes timeouts for all users, although they are already authenticated and the authentication process was started for only one user.
    I have made some tests and the results are:

    1. LDAP server with 10 ms latency: no problems, or only packet latency.
    2. LDAP server with 100 ms latency: caused packet loss for all users (for the duration of the complete authentication process for a given user).
    3. Primary LDAP server not reachable / secondary reachable: caused downtime for all OpenVPN users for 10-15 seconds, then the second configured LDAP server is queried and all users are online again.

    pfSense Version 2.4.3-RELEASE-p1 (tested only on this version)

    My question is: can I set up or change this behaviour so that latency on the LDAP servers will not break the connection of all OpenVPN users?

    Thanks

    Pippin
      last edited by Oct 5, 2018, 2:21 PM

      Not 100% sure, but I think you can extend the wait time in OpenVPN's RADIUS plugin. The plugin's config file normally has an extension of .cnf.
      This is just an example from a NAS, radiusplugin.cnf:

      NAS-Identifier=OpenVpn
      Service-Type=5
      Framed-Protocol=1
      NAS-Port-Type=5
      NAS-IP-Address=127.0.0.1
      OpenVPNConfig=/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user
      subnet=255.255.255.0
      overwriteccfiles=false
      server
      {
      	acctport=31068
      	authport=31067
      	name=127.0.0.1
      	retry=1
      	wait=5
      	sharedsecret=xxxxxxxxxxx
      }
      

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      Derelict LAYER 8 Netgate
        last edited by Oct 8, 2018, 6:26 AM

        Upgrade. See bullet point #2 here:

        https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html?highlight=new#openvpn

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Pippin
          last edited by Oct 8, 2018, 5:38 PM

          Yes indeed, that would be it.
          Nice to see it got implemented:
          https://forum.netgate.com/topic/120569/oddity-with-viscosity-openvpn


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.