Bug #7905

closed

OpenVPN Authentication Against Backend Stalls All Server Traffic

Added by Chris Linstruth over 6 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 10/01/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4
Affected Architecture: All

Description

When authenticating an OpenVPN Remote Access server against an authentication backend such as RADIUS, all traffic on the server is halted while that authentication is processed. If this takes time, such as RADIUS to an MFA service such as Duo, this delay can be significant even under normal circumstances.

Test procedure:

1. Created and tested a RADIUS Authentication backend with a 30-second authentication timeout
2. Created an SSL/TLS + User Auth OpenVPN Server backed by the RADIUS server
3. Created two different user certificates and corresponding RADIUS accounts
4. Successfully logged in using the first account and started a ping
5. Changed the RADIUS server IP address so the request would "hang" for the configured 30 seconds
6. Attempted to log in to the second account
7. While that was timing out I changed the RADIUS server back to the proper IP address to see if Viscosity (the first client) recovered automatically. It did time out and reconnect successfully.

Ping output from the first client (5 seconds apart):
    $ ping -i 5 172.25.228.1
    PING 172.25.228.1 (172.25.228.1): 56 data bytes
    64 bytes from 172.25.228.1: icmp_seq=0 ttl=63 time=4.658 ms
    64 bytes from 172.25.228.1: icmp_seq=1 ttl=63 time=5.461 ms
    64 bytes from 172.25.228.1: icmp_seq=2 ttl=63 time=4.718 ms
    64 bytes from 172.25.228.1: icmp_seq=3 ttl=63 time=4.881 ms
    64 bytes from 172.25.228.1: icmp_seq=4 ttl=63 time=2.311 ms
    64 bytes from 172.25.228.1: icmp_seq=5 ttl=63 time=4.756 ms
    64 bytes from 172.25.228.1: icmp_seq=6 ttl=63 time=4.851 ms
    64 bytes from 172.25.228.1: icmp_seq=7 ttl=63 time=5.014 ms
    64 bytes from 172.25.228.1: icmp_seq=8 ttl=63 time=4.892 ms
    64 bytes from 172.25.228.1: icmp_seq=9 ttl=63 time=2.622 ms
    Request timeout for icmp_seq 10
    Request timeout for icmp_seq 11
    Request timeout for icmp_seq 12
    Request timeout for icmp_seq 13
    Request timeout for icmp_seq 14
    Request timeout for icmp_seq 15
    Request timeout for icmp_seq 16
    Request timeout for icmp_seq 17
    Request timeout for icmp_seq 18
    Request timeout for icmp_seq 19
    Request timeout for icmp_seq 20
    Request timeout for icmp_seq 21
    64 bytes from 172.25.228.1: icmp_seq=22 ttl=63 time=2.731 ms
    64 bytes from 172.25.228.1: icmp_seq=23 ttl=63 time=4.933 ms
    64 bytes from 172.25.228.1: icmp_seq=24 ttl=63 time=5.390 ms
    64 bytes from 172.25.228.1: icmp_seq=25 ttl=63 time=5.429 ms
    64 bytes from 172.25.228.1: icmp_seq=26 ttl=63 time=5.014 ms
    64 bytes from 172.25.228.1: icmp_seq=27 ttl=63 time=5.074 ms

Same behavior on 2.3.4_1 and most-recent 2.4.0-RC. I did not test 2.4.1 since it uses the same OpenVPN package as 2.4.0.
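An added example, not part of the report: a small Python stall detector that sizes the traffic blackout visible in ping output like the transcript above and flags runs at least as long as the configured backend timeout. The 5-second probe interval and 30-second timeout mirror the test procedure; the function names and the comparison rule are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical stall detector for ping transcripts such as the one in this report.
REPLY_RE = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")


@dataclass
class Stall:
    first_seq: int  # first probe that got no reply
    last_seq: int   # last probe that got no reply
    lost: int       # consecutive lost probes
    seconds: float  # lost * probe interval: approximate blackout length


def find_stalls(ping_output: str, interval: float, min_lost: int = 2) -> list[Stall]:
    """Find runs of consecutive timeouts; interval is the value given to `ping -i`."""
    stalls: list[Stall] = []
    first = last = None
    lost = 0
    for line in ping_output.splitlines():
        if m := TIMEOUT_RE.search(line):
            seq = int(m.group(1))
            if first is None:
                first = seq
            last, lost = seq, lost + 1
        elif REPLY_RE.search(line) and first is not None:
            if lost >= min_lost:  # a reply closes the run; single drops are ignored
                stalls.append(Stall(first, last, lost, lost * interval))
            first, last, lost = None, None, 0
    if first is not None and lost >= min_lost:  # output ended mid-stall
        stalls.append(Stall(first, last, lost, lost * interval))
    return stalls


def consistent_with_auth_timeout(stall: Stall, backend_timeout: float, interval: float) -> bool:
    """True if the blackout is at least the backend timeout, allowing one probe of slack."""
    return stall.seconds + interval >= backend_timeout


# Sample input reconstructed from the report's transcript: probes 10..21 lost at -i 5.
SAMPLE = "\n".join(
    ["64 bytes from 172.25.228.1: icmp_seq=9 ttl=63 time=2.622 ms"]
    + [f"Request timeout for icmp_seq {n}" for n in range(10, 22)]
    + ["64 bytes from 172.25.228.1: icmp_seq=22 ttl=63 time=2.731 ms"]
)

if __name__ == "__main__":
    for s in find_stalls(SAMPLE, interval=5.0):
        flag = consistent_with_auth_timeout(s, backend_timeout=30.0, interval=5.0)
        print(f"lost seq {s.first_seq}-{s.last_seq}: ~{s.seconds:.0f}s blackout, auth-sized={flag}")
```

On the report's own output the 12 lost probes at 5 s measure a blackout of about 60 s, which is the figure to compare against the backend's configured timeout.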


Files

server2.conf (1.33 KB) - Server config file, partially redacted - Phil DeMonaco, 02/23/2018 04:05 PM
openvpn-auth-script-test.log (38.1 KB) - Full server process log, partially redacted (UTC) - Phil DeMonaco, 02/23/2018 04:05 PM
openvpn-auth-script-test-client.log (1.39 KB) - Full client process log, partially redacted (EST) - Phil DeMonaco, 02/23/2018 04:08 PM
client.ovpn (242 Bytes) - Client config file, partially redacted - Phil DeMonaco, 02/23/2018 04:09 PM