OpenVPN - New Connection Rate Limit
-
It is possible to rate new connections to OpenVPN while not affecting the speed of already established connections?
Currently the authentication process for OpenVPN takes a few seconds, and when clients connect one at a time this is no problem. But if the server reboots then all the clients try to connect simultaneously once it comes back online, and the combined load causes authentication to take too long so the clients time out, then they reconnect and try again further compounding the problem.
Is there any way to rate limit connections, so that the openvpn server is not overloaded by lots connecting at once?
-
There does not appear to be any way to limit that as far as I can tell. The clients will naturally attempt to reconnect in 60s so I'm not sure what a rate limit would solver that their own reconnection won't solve the same way. Either way the client would be turned away and have to wait 60s+ to reconnect.
You could maybe use firewall rule state limits if OpenVPN was using TCP, but TCP is awful for a VPN transport.
-
The reconnection 60 seconds later is what causes the problem..
Because the authentication process takes some time (large certs, relatively slow cpu), authentication of a single client takes around 15 seconds… When 10 clients try to connect at once, authentication takes 150 seconds but the clients time out after 60 and start over, so no client ever gets authenticated and they're all constantly trying to connect tying up the cpu doing authentication.
-
Smaller certs? Faster CPU?
10 client connections should be nothing for anything close to modern.
Are you sure there's not some other delay somewhere?
-
This is probably OpenVPN`s problem.
There was a discussion about this on the OpenVPN mailing list some time ago.
Maybe take a look there in the lists archive?Groet
