LDAP latency caused OpenVPN timeouts



  • Hi All,

    I will try to explain my problem:
    I have pfSense with OpenVPN and LDAP authentication. This combination works very well until the number of users goes above 50.
    When the number of users is above 50, any latency on the LDAP server causes timeouts.
    Each request from pfSense/OpenVPN to the LDAP server causes timeouts for all users, even though they are already authenticated and the authentication process was started for only one user.
    I have made some tests and the results are:

    1. LDAP server with 10 ms latency - no problems, or only packet latency.
    2. LDAP server with 100 ms latency - caused packet loss for all users (for the duration of the complete authentication process for a given user).
    3. Primary LDAP server not reachable / secondary reachable - caused downtime for all OpenVPN users for 10-15 seconds, then the second configured LDAP server is queried and all users are online again.

    pfSense Version 2.4.3-RELEASE-p1 (tested only on this version)

    My question is: can I set up or change this behavior so that latency on the LDAP servers does not break the connection of all OpenVPN users?

    Thanks



  • Not 100% sure, but I think you can extend the wait time in OpenVPN's RADIUS plugin. The plugin normally has an extension of .cnf.
    This is just an example from a NAS, radiusplugin.cnf:

    NAS-Identifier=OpenVpn
    Service-Type=5
    Framed-Protocol=1
    NAS-Port-Type=5
    NAS-IP-Address=127.0.0.1
    OpenVPNConfig=/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user
    subnet=255.255.255.0
    overwriteccfiles=false
    server
    {
    	acctport=31068
    	authport=31067
    	name=127.0.0.1
    	retry=1
    	wait=5
    	sharedsecret=xxxxxxxxxxx
    }
    
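    As an added illustration of the trade-off behind the retry/wait settings above (this is not code from pfSense, OpenVPN or the radius plugin), the script below bounds each backend bind with a timeout and only falls over to the next server when the first one does not answer, so a silent primary costs at most one timeout rather than stalling every user for the 10-15 seconds described in the question. The bind callables are hypothetical stand-ins for real LDAP binds so it runs offline.

```python
import threading
import time
from typing import Callable, List, Optional, Tuple

# A bind callable takes (username, password) and returns True (accepted),
# False (definitively rejected) or raises on a transport error.
BindFn = Callable[[str, str], bool]


def bounded_bind(bind: BindFn, user: str, password: str, timeout: float) -> Optional[bool]:
    """Run one bind but give up after `timeout` seconds. Returns True/False
    for a definitive answer, None when the server did not answer in time."""
    outcome: dict = {}

    def run() -> None:
        try:
            outcome["ok"] = bind(user, password)
        except Exception:  # unreachable server, connection reset, etc.
            outcome["ok"] = None

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    worker.join(timeout)
    return None if worker.is_alive() else outcome.get("ok")


def authenticate(servers: List[Tuple[str, BindFn]], user: str, password: str,
                 timeout: float) -> Tuple[Optional[str], Optional[bool], float]:
    """Try servers in order. Only a non-answer (timeout or error) moves on to
    the next server; a definitive reject is final, so a wrong password never
    costs a second round trip. Returns (server, verdict, elapsed_seconds)."""
    start = time.monotonic()
    for name, bind in servers:
        verdict = bounded_bind(bind, user, password, timeout)
        if verdict is not None:
            return name, verdict, time.monotonic() - start
    return None, None, time.monotonic() - start


def worst_case_stall(server_count: int, timeout: float) -> float:
    """Upper bound on how long one user's login can block if every server is
    silent; keep this below the VPN's own authentication timeout."""
    return server_count * timeout


# Constructed stand-ins for the scenario in the question: a primary that
# never answers and a secondary that does (credentials are made up).
def silent_primary(user: str, password: str) -> bool:
    time.sleep(60)  # simulates an unreachable server
    return True


def healthy_secondary(user: str, password: str) -> bool:
    return password == "correct-horse"


SERVERS = [("primary", silent_primary), ("secondary", healthy_secondary)]
```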




  • Yes indeed that would be it.
    Nice to see it got implemented:
    https://forum.netgate.com/topic/120569/oddity-with-viscosity-openvpn