OpenVPN with PKI and LDAP auth-user-pass / packet loss at user login
-
Hi Community,
we have some unexpected problems with our VPN server in our NETGATE XG1537 HA cluster. Last week we installed the latest 21.02.2-RELEASE; since this update, some of our VPN users have packet loss in the tunnel. In the morning the loss is near 7%, in the afternoon near 2%, and at night 0%.
After a day of troubleshooting, we found out that every time a user authenticates in OpenVPN, all connected clients have one ping timeout -> packet loss.
After some Googling I found a thread in the OPNsense forum with exactly the same issue:
https://forum.opnsense.org/index.php?topic=17083.0 (sorry for posting an OPNsense link). Has anyone the same issue or a workaround?
Thank you for your answers in advance
-
Yes, a possible/likely cause could be that the authentication process of clients blocks traffic for connected users, a known "feature" :).
A possible solution is async/deferred auth; not sure pfSense has implemented that. If not, it is worth a feature request on Redmine, I would think:
Plugins
-
I think I have the same problem after upgrading pfSense from 2.4.5 to 2.5.1. The TLS handshake hogs the entire firewall. The connection process of each VPN client causes ping drops and delays for all already-connected clients.
It can be observed if you run a continuous ping and "tail -f" the OpenVPN server log. Each time TLS is negotiating, the ping flow stops. The VPN connection process is slower too. And the server is not that slow:
Intel(R) Xeon(R) CPU X5470 @ 3.33GHz
8 CPUs: 2 package(s) x 4 core(s)
AES-NI CPU Crypto: No
Sanitized openvpn server config:
dev ovpns4
verb 4
dev-type tun
dev-node /dev/tun4
writepid /var/run/openvpn_server4.pid
#user nobody
#group nobody
# script-security 3 allows called scripts to receive credentials via the environment
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local a.b.c.d
tls-server
server 192.168.0.0 255.255.254.0
client-config-dir /var/etc/openvpn-csc/server4
# external CN check, run synchronously once per handshake
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.domain.tld' 2"
lport 1194
management /var/etc/openvpn/server4.sock unix
push "dhcp-option DOMAIN domain.tld"
push "dhcp-option DNS 10.1.1.1"
push "dhcp-option DNS 10.1.1.2"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
client-to-client
ca /var/etc/openvpn/server4.ca
cert /var/etc/openvpn/server4.cert
key /var/etc/openvpn/server4.key
dh /etc/dh-parameters.2048
# HMAC on the control channel; unauthenticated packets are dropped before the TLS handshake
tls-auth /var/etc/openvpn/server4.tls-auth 0
ncp-ciphers AES-256-CBC:AES-256-GCM
persist-remote-ip
float
topology subnet
# no periodic key renegotiation, so handshakes only happen at connect time
reneg-sec 0
tls-version-min 1.2
status-version 2
socket-flags TCP_NODELAY
push 'socket-flags TCP_NODELAY'
tcp-queue-limit 256
I solved the problem by downgrading to 2.4.5, which is not great, but works flawlessly.
-
Some more info on the subject at OpenVPN's forums here
-
Hey,
thank you for your answers. Okay, a downgrade is an option to fix this temporarily; I think this is the only way. There is another issue with IPsec after the downgrade, but for a short time this is okay for me.
Does anyone know if there is an open issue in Redmine already?
In the OpenVPN forum someone has solved the issue, but I don't know if it is a good idea to fix this manually by replacing OpenVPN modules on the Netgate.
Or is there a temporary workaround until the next stable release/fix?
-
I don't have a 2.5 install any more, but I found an option which supposedly helps.
Adding this to the additional OpenVPN options on the server:
setenv deferred_auth_pam 1
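The deferred authentication that the second reply suggests (and that the last post enables for the PAM plugin) can also be done with a plain auth-user-pass-verify script. What follows is an added example written for this thread; it is not pfSense's own ovpn_auth_verify, and the server lines, script path and accepted credentials in it are constructed. OpenVPN runs such a script with the username and password in the environment (via-env, which needs script-security 3) and with auth_control_file pointing at a file it watches. Returning exit code 2 tells the server the decision is pending; the script then writes 1 (accept) or 0 (reject) into that file whenever the directory bind finishes, so the event loop is not held for the duration of the LDAP round trip and already-connected clients keep passing traffic. The slow_check function stands in for the real LDAP bind.

```shell
#!/bin/sh
# Added example: a deferred auth-user-pass-verify script for OpenVPN.
# Not pfSense's ovpn_auth_verify; the accepted credentials below are constructed.
#
# Hypothetical server-side lines:
#   script-security 3
#   auth-user-pass-verify /usr/local/etc/openvpn/defer-auth.sh via-env
#
# Contract OpenVPN applies to a deferring script:
#   - $username / $password arrive in the environment (via-env)
#   - $auth_control_file names a file OpenVPN polls for the verdict
#   - exit 2 = "decision pending"; later write 1 (accept) or 0 (reject) to that file
#   - exit 0 / exit 1 = immediate accept / reject, which blocks the server
#     for as long as the check takes (the behaviour the thread describes)

# Stand-in for the LDAP bind; the sleep models directory latency.
# Constructed credentials: only alice / s3cret is accepted.
slow_check() {
    sleep 1
    [ "$1" = "alice" ] && [ "$2" = "s3cret" ]
}

# defer_auth USER PASS CONTROL_FILE
# Starts the slow check in a background subshell, writes the verdict to the
# control file when it finishes, and returns 2 right away so OpenVPN's
# single-threaded event loop is not held up for the duration of the bind.
defer_auth() {
    user=$1
    pass=$2
    ctl=$3
    (
        if slow_check "$user" "$pass"; then
            printf '1' > "$ctl"
        else
            printf '0' > "$ctl"
        fi
    ) &
    return 2
}

# Entry point when OpenVPN invokes the script: only defer when the server
# actually provided a control file to report back through.
if [ -n "${auth_control_file:-}" ]; then
    defer_auth "${username:-}" "${password:-}" "$auth_control_file"
    exit $?
fi
```

Two caveats. The verdict has to land before the client's handshake window runs out (hand-window, 60 s by default), so the background check still needs its own timeout. And deferring only moves the username/password step off the main loop; it does nothing for the TLS handshake itself, which is the whole cost in the PKI-only config posted above (that config has a tls-verify script but no auth-user-pass-verify at all). via-env also exposes the password to the script's environment; via-file, which hands the script a temporary file instead, is the safer method when the script can read it.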