Netgate Discussion Forum
    OpenVPN with PKI with LDAP auth-user-pass / Packet loss At User Login

    • Marco-83

      Hi Community,

      We have some unexpected problems with our VPN server in our NETGATE XG1537 HA cluster. Last week we installed the latest 21.02.2-RELEASE; since this update, some of our VPN users have packet loss in the tunnel. In the morning the loss is near 7%, in the afternoon near 2%, and at night 0%.
      After a day of troubleshooting, we found out that every time a user authenticates in OpenVPN, all connected clients have one ping timeout -> packet loss.
      After some Google work I found a thread in the OPNsense forum with exactly the same issue:
      https://forum.opnsense.org/index.php?topic=17083.0 (sorry for posting a link to OPNsense 😉)

      Does anyone have the same issue or a workaround?

      Thank you for your answers in advance

      • Pippin @Marco-83

        Yes, a possible/likely cause could be that the authentication process of clients blocks traffic for connected users, a known "feature" :).

        A possible solution is async/deferred auth; not sure pfS has implemented that. If not, it is worth a feature request on redmine, I would think:
        Plugins


        • knothing @Pippin

          I think I have the same problem after upgrading pfSense from 2.4.5 to 2.5.1. The TLS handshake hogs the entire firewall. The connection process of each VPN client causes ping drops and delays for all already connected clients.
          It can be observed if you run a continuous ping and "tail -f" the OpenVPN server log. Each time TLS is negotiating, the ping flow stops. The VPN connection process is slower too.

          And the server is not that slow:

          Intel(R) Xeon(R) CPU X5470 @ 3.33GHz
          8 CPUs: 2 package(s) x 4 core(s)
          AES-NI CPU Crypto: No
          

          Sanitized openvpn server config:

          dev ovpns4
          verb 4
          dev-type tun
          dev-node /dev/tun4
          writepid /var/run/openvpn_server4.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto tcp4-server
          cipher AES-256-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local a.b.c.d
          tls-server
          server 192.168.0.0 255.255.254.0
          client-config-dir /var/etc/openvpn-csc/server4
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.domain.tld' 2"
          lport 1194
          management /var/etc/openvpn/server4.sock unix
          push "dhcp-option DOMAIN domain.tld"
          push "dhcp-option DNS 10.1.1.1"
          push "dhcp-option DNS 10.1.1.2"
          push "block-outside-dns"
          push "register-dns"
          push "redirect-gateway def1"
          client-to-client
          ca /var/etc/openvpn/server4.ca
          cert /var/etc/openvpn/server4.cert
          key /var/etc/openvpn/server4.key
          dh /etc/dh-parameters.2048
          tls-auth /var/etc/openvpn/server4.tls-auth 0
          ncp-ciphers AES-256-CBC:AES-256-GCM
          persist-remote-ip
          float
          topology subnet
          reneg-sec 0
          tls-version-min 1.2
          status-version 2
          socket-flags TCP_NODELAY
          push 'socket-flags TCP_NODELAY'
          tcp-queue-limit 256
          

          I solved the problem by downgrading to 2.4.5, which is not great, but works flawlessly.

          • knothing
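          The check described in this post (a continuous ping next to `tail -f` of the server log) can be automated so the correlation is measured rather than eyeballed. The script below is an added example, not code from this thread, pfSense or OpenVPN: it parses a verb 4 OpenVPN server log for the window between each client's "TLS: Initial packet" and "Peer Connection Initiated" lines, then tags every ping timeout that falls inside such a window (plus a small slack). Both logs are constructed samples written in the real log formats; the ping output is assumed to have been prefixed with `date '+%F %T'` on each line, and the addresses and CNs are placeholders.

```python
"""Correlate ping timeouts with OpenVPN client TLS handshakes (added example)."""
import re
from datetime import datetime, timedelta

# Constructed OpenVPN server log excerpt in the verb 4 timestamp format.
OPENVPN_LOG = """\
Tue Jun  1 08:00:00 2021 203.0.113.10:51234 TLS: Initial packet from [AF_INET]203.0.113.10:51234, sid=1b2c3d4e 5f6a7b8c
Tue Jun  1 08:00:01 2021 203.0.113.10:51234 VERIFY OK: depth=1, CN=vpn-ca
Tue Jun  1 08:00:01 2021 203.0.113.10:51234 VERIFY OK: depth=0, CN=alice
Tue Jun  1 08:00:02 2021 203.0.113.10:51234 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Tue Jun  1 08:00:02 2021 203.0.113.10:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
Tue Jun  1 08:05:30 2021 198.51.100.7:40001 TLS: Initial packet from [AF_INET]198.51.100.7:40001, sid=9a8b7c6d 5e4f3a2b
Tue Jun  1 08:05:31 2021 198.51.100.7:40001 VERIFY OK: depth=0, CN=bob
Tue Jun  1 08:05:32 2021 198.51.100.7:40001 [bob] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
"""

# Constructed ping session; each line assumed prefixed with `date '+%F %T'`.
PING_LOG = """\
2021-06-01 08:00:00 64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=12.1 ms
2021-06-01 08:00:01 Request timeout for icmp_seq 2
2021-06-01 08:00:02 64 bytes from 10.1.1.1: icmp_seq=3 ttl=64 time=11.8 ms
2021-06-01 08:03:15 no answer yet for icmp_seq=196
2021-06-01 08:05:31 Request timeout for icmp_seq 332
2021-06-01 08:05:32 64 bytes from 10.1.1.1: icmp_seq=333 ttl=64 time=12.0 ms
"""

OVPN_TS = "%a %b %d %H:%M:%S %Y"
# timestamp, peer address (ip:port), message
OVPN_LINE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (\S+) (.*)$")
PING_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def parse_handshakes(log_text):
    """Return sorted (start, end, peer) windows, one per client TLS handshake."""
    in_progress = {}
    windows = []
    for line in log_text.splitlines():
        m = OVPN_LINE.match(line)
        if not m:
            continue
        # OpenVPN pads the day with a space ("Jun  1"); normalise before strptime.
        ts = datetime.strptime(" ".join(m.group(1).split()), OVPN_TS)
        peer, msg = m.group(2), m.group(3)
        if msg.startswith("TLS: Initial packet"):
            in_progress[peer] = ts
        elif "Peer Connection Initiated" in msg and peer in in_progress:
            windows.append((in_progress.pop(peer), ts, peer))
    # A handshake that never completed still consumed CPU: keep it as a point.
    for peer, start in in_progress.items():
        windows.append((start, start, peer))
    return sorted(windows)


def parse_ping_timeouts(ping_text):
    """Return timestamps of lost replies (macOS and Linux `ping -O` wording)."""
    lost = []
    for line in ping_text.splitlines():
        m = PING_LINE.match(line)
        if m and ("Request timeout" in m.group(2) or "no answer yet" in m.group(2)):
            lost.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return lost


def correlate(ovpn_text, ping_text, slack_seconds=2):
    """Pair each ping timeout with the handshake window it falls into, or None."""
    slack = timedelta(seconds=slack_seconds)
    windows = parse_handshakes(ovpn_text)
    rows = []
    for t in parse_ping_timeouts(ping_text):
        hit = next((p for s, e, p in windows if s - slack <= t <= e + slack), None)
        rows.append((t, hit))
    return rows


def summarize(ovpn_text, ping_text, slack_seconds=2):
    """Count timeouts overall and those overlapping a handshake window."""
    rows = correlate(ovpn_text, ping_text, slack_seconds)
    return {"timeouts": len(rows),
            "during_handshake": sum(1 for _, peer in rows if peer is not None)}


if __name__ == "__main__":
    for when, peer in correlate(OPENVPN_LOG, PING_LOG):
        print(when, "during handshake of" if peer else "no handshake", peer or "")
    print(summarize(OPENVPN_LOG, PING_LOG))
```

          On real logs, a high share of timeouts landing inside handshake windows, with the remainder near zero, supports the diagnosis in this thread; a share close to the background rate points elsewhere.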

            Some more info on the subject at openvpn's forums here

            • Marco-83

              Hey,

              Thank you for your answers. Okay, a downgrade is an option to fix this temporarily; I think this is the only way. There is another issue with IPsec after the downgrade, but for a short time this is okay for me.

              Does anyone know if there is an open issue in redmine already?

              In the OpenVPN forum someone has solved the issue, but I don't know if it is a good idea to fix this manually by replacing OpenVPN modules on the Netgate.

              Or is there a temporary workaround till the next stable release/fix?

              • knothing

                I don't have a 2.5 install any more, but I found an option which supposedly helps.
                Adding this to the additional OpenVPN options on the server:

                setenv deferred_auth_pam 1
                
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.