Netgate Discussion Forum
    LDAP latency, caused openVPN timeouts

    Category: OpenVPN
    4 Posts, 3 Posters, 757 Views
    • Diogen

      Hi All,

      I will try to explain my problem:
      I have pfSense with OpenVPN and LDAP authentication; this combination works very well until the number of users goes above 50.
      When the number of users is above 50, any latency on the LDAP server causes timeouts.
      Each request from pfSense/OpenVPN to the LDAP server causes timeouts for all users, even though they are already authenticated and the authentication process was started for only one user.
      I have made some tests and the results are:

      1. LDAP server with 10 ms latency: no problems, or only packet latency.
      2. LDAP server with 100 ms latency: caused packet loss for all users (for the duration of the complete authentication process for a given user).
      3. Primary LDAP server not reachable / secondary reachable: caused downtime for all OpenVPN users for 10-15 seconds, then the second configured LDAP server is queried and all users are online again.

      pfSense Version 2.4.3-RELEASE-p1 (tested only on this version)

      My question is: can I set up or change this behavior so that latency of the LDAP servers will not break the connections of all OpenVPN users?

      Thanks
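A quick way to quantify the three cases listed above, before and after any upgrade, is to time a TCP connect plus an anonymous LDAPv3 bind against each configured server. The script below is an added example, not code from this thread or from pfSense; the 100 ms threshold comes from the numbers in the post, and the server names you pass in are whatever is configured in pfSense.

```python
import socket
import time

def tlv(tag, body):
    """BER TLV with short-form length; every message built here is < 128 bytes."""
    return bytes([tag, len(body)]) + body

def anon_bind_request(msg_id=1):
    """LDAPv3 anonymous simple BindRequest (RFC 4511): empty DN, empty password."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); accepts short and long definite lengths."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long form: next n bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def bind_result_code(resp):
    """resultCode of an LDAP BindResponse; ValueError if the bytes are not one."""
    tag, msg, _ = read_tlv(resp, 0)
    _, _, p = read_tlv(msg, 0)          # skip messageID
    op_tag, op, _ = read_tlv(msg, p)
    code_tag, code, _ = read_tlv(op, 0)
    if tag != 0x30 or op_tag != 0x61 or code_tag != 0x0A:
        raise ValueError("not an LDAP BindResponse")
    return int.from_bytes(code, "big")

def probe_bind_latency(host, port=389, timeout=2.0):
    """Connect + anonymous bind round trip in ms, or None if unreachable or timed out.
    A non-zero resultCode (server refuses anonymous binds) still counts as a timed answer."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(anon_bind_request())
            bind_result_code(s.recv(512))
    except (OSError, ValueError, IndexError):
        return None
    return (time.monotonic() - start) * 1000

def classify(latency_ms, degraded_ms=100):
    """Thresholds from the post: ~10 ms was fine, ~100 ms stalled every user."""
    if latency_ms is None:
        return "unreachable"
    return "degraded" if latency_ms >= degraded_ms else "ok"
```

Run `classify(probe_bind_latency(host))` for the primary and secondary servers from a monitoring job; anything other than "ok" on the primary is the condition under which the whole user base was affected here.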

      • Pippin

        Not 100% sure, but I think you can extend the wait time in OpenVPN's RADIUS plugin. The plugin normally has an extension of .cnf.
        This is just an example from a NAS, radiusplugin.cnf:

        NAS-Identifier=OpenVpn
        Service-Type=5
        Framed-Protocol=1
        NAS-Port-Type=5
        NAS-IP-Address=127.0.0.1
        OpenVPNConfig=/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user
        subnet=255.255.255.0
        overwriteccfiles=false
        server
        {
            acctport=31068
            authport=31067
            name=127.0.0.1
            retry=1
            wait=5
            sharedsecret=xxxxxxxxxxx
        }

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        • Derelict (LAYER 8, Netgate)

          Upgrade. See bullet point #2 here:

          https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html?highlight=new#openvpn

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Pippin

            Yes indeed that would be it.
            Nice to see it got implemented:
            https://forum.netgate.com/topic/120569/oddity-with-viscosity-openvpn

