    OpenVPN - New Connection Rate Limit

bert64:

Is it possible to rate-limit new connections to OpenVPN while not affecting the speed of already established connections?

Currently the authentication process for OpenVPN takes a few seconds, and when clients connect one at a time this is no problem. But if the server reboots, all the clients try to connect simultaneously once it comes back online, and the combined load causes authentication to take too long, so the clients time out, then reconnect and try again, further compounding the problem.

Is there any way to rate-limit connections, so that the OpenVPN server is not overloaded by lots of clients connecting at once?

jimp (Rebel Alliance Developer, Netgate):

There does not appear to be any way to limit that as far as I can tell. The clients will naturally attempt to reconnect in 60s, so I'm not sure what a rate limit would solve that their own reconnection won't solve the same way. Either way the client would be turned away and have to wait 60s+ to reconnect.

        You could maybe use firewall rule state limits if OpenVPN was using TCP, but TCP is awful for a VPN transport.

bert64:

The reconnection 60 seconds later is what causes the problem.
Because the authentication process takes some time (large certs, relatively slow CPU), authentication of a single client takes around 15 seconds. When 10 clients try to connect at once, authentication takes 150 seconds, but the clients time out after 60 and start over, so no client ever gets authenticated and they're all constantly trying to connect, tying up the CPU doing authentication.

Derelict (LAYER 8, Netgate):
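The collapse bert64 describes, and the effect of the admission limit he is asking for, as an added simulation (this is not code from the thread, from OpenVPN or from pfSense). The figures come from the posts: 15 s of CPU per handshake, a 60 s client timeout, and a 60 s reconnect delay for a client that is turned away. Everything else is a modelling assumption: one CPU shared equally among in-flight handshakes, server-side work discarded when a client gives up, and a timed-out client reconnecting immediately. The `max_concurrent` admission policy is hypothetical; it stands in for whatever mechanism would turn extra clients away.

```python
"""Discrete-event model of an OpenVPN reconnect storm after a server reboot.

Constructed model (assumptions, not measurements):
- one CPU, shared equally (processor sharing) among in-flight handshakes;
- each handshake needs auth_cpu CPU-seconds (15 s in the thread);
- a client abandons a handshake after client_timeout seconds and reconnects
  immediately, and the server discards the partial work;
- an optional admission limit (max_concurrent) turns extra clients away at
  once; a turned-away client retries after reject_retry seconds (60 s).
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EPS = 1e-9


@dataclass
class Handshake:
    client: int
    started: float
    remaining: float  # CPU-seconds of work still needed


@dataclass
class Result:
    completed: int
    finish_time: Optional[float]  # when the last client got connected, or None
    attempts: int                 # total connection attempts made by all clients


def simulate(n_clients: int = 10, auth_cpu: float = 15.0,
             client_timeout: float = 60.0, max_concurrent: Optional[int] = None,
             reject_retry: float = 60.0, horizon: float = 3600.0) -> Result:
    """Run the model until every client is connected or `horizon` is reached."""
    assert auth_cpu > 0 and reject_retry > 0, "zero delays would never advance time"
    pending: List[Tuple[float, int]] = [(0.0, c) for c in range(n_clients)]
    active: List[Handshake] = []
    done: Dict[int, float] = {}
    attempts = 0
    now = 0.0
    while len(done) < n_clients:
        # Next event: an arrival, the earliest completion, or the earliest timeout.
        t_next = math.inf
        if pending:
            t_next = min(t for t, _ in pending)
        if active:
            k = len(active)
            t_next = min(t_next, now + min(h.remaining for h in active) * k)
            t_next = min(t_next, min(h.started + client_timeout for h in active))
        if t_next > horizon:
            return Result(len(done), None, attempts)
        # Advance the clock; each in-flight handshake got 1/k of the CPU.
        if active:
            share = (t_next - now) / len(active)
            for h in active:
                h.remaining -= share
        now = t_next
        # Completions are checked before timeouts, so an exact tie succeeds.
        for h in list(active):
            if h.remaining <= EPS:
                done[h.client] = now
                active.remove(h)
        # Timed-out clients give up, the work is lost, and they reconnect now.
        for h in list(active):
            if h.started + client_timeout <= now + EPS:
                active.remove(h)
                pending.append((now, h.client))
        # Arrivals: admit up to the limit, turn the rest away for reject_retry.
        arriving = [c for t, c in pending if t <= now + EPS]
        pending = [(t, c) for t, c in pending if t > now + EPS]
        for c in arriving:
            attempts += 1
            if max_concurrent is None or len(active) < max_concurrent:
                active.append(Handshake(c, now, auth_cpu))
            else:
                pending.append((now + reject_retry, c))
    return Result(len(done), max(done.values()), attempts)


if __name__ == "__main__":
    for limit in (None, 3, 5):
        r = simulate(max_concurrent=limit)
        print(f"limit={limit!s:>4}: connected {r.completed}/10, "
              f"last at {r.finish_time}, attempts {r.attempts}")
```

With no limit, ten clients each get 6 s of CPU per 60 s window and nobody ever finishes; the storm only ends at the horizon. With a limit of 3 everyone is connected after 195 s in 22 attempts. A limit of 5 fails just like no limit, because 5 × 15 s exceeds the 60 s timeout: the limit only works when `max_concurrent * auth_cpu` stays below `client_timeout`, which is the figure to check on a real box before relying on any turn-away mechanism.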

            Smaller certs? Faster CPU?

            10 client connections should be nothing for anything close to modern.

            Are you sure there's not some other delay somewhere?

Pippin:

This is probably OpenVPN's problem.
              There was a discussion about this on the OpenVPN mailing list some time ago.
              Maybe take a look there in the lists archive?

Regards
