Hello Samuel,

Do you use the radius plugin from http://www.nongnu.org/radiusplugin/ ? I
think the way OpenVPN delegates authentication to a plugin
(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook) is asynchronous, as is
the plugin implementation, i.e. OpenVPN does not wait for a response.
Instead it periodically checks a tmp file to which the plugin is supposed
to write the authentication result (1 or 0).

However, the plugin may also hook OPENVPN_PLUGIN_CLIENT_CONNECT_V2,
which is called after authentication has been done. OpenVPN calls that
hook synchronously, which may cause traffic to stall. There is a patch
that makes OpenVPN behave asynchronously, however it is not (yet)
merged into the master branch.

http://sourceforge.net/p/openvpn/mailman/message/33244190/

We used to have a packet loss issue due to the synchronous nature of
client-connect and that patch has solved it.

-Lev

2015-07-31 2:37 GMT+03:00 Samuel Thibault <samuel.thiba...@ens-lyon.org>:
> Hello,
>
> We've been having issues on our VPN server due to the way authentication
> is done in openvpn.  Basically, when a user would connect to the VPN
> server, no traffic would pass for a couple of seconds, thus making
> the VPN way less effective...  This was an unfortunate combination
> of several issues described below.  Our current setup is openvpn in
> multiple client mode, with the openvpn-auth-radius plugin to get
> authentication from a couple of radius servers on two other machines
> next to our VPN server.
>
> Here is what happens:
>
> - AIUI, when openvpn receives an authentication request, it hands over
> to the authentication plugin, and thus while the authentication plugin
> is working on it, no traffic can be handled by openvpn.  That is, I
> believe, an important issue, and will turn that into a bug report.  The
> issue is that authentication might take time for whatever reason (see
> below for an example).
>
> - The radius authentication plugin interrogates our two radius servers,
> gets a response, and hands back to openvpn.
>
> - The issue we were having is that the first of the two radius servers
> is being replaced, and is thus currently turned off.  Since the radius
> plugin tries the first server first and waits for a couple of seconds
> before trying the second one, the authentication currently always takes
> a couple of seconds. Unfortunately, that thus makes openvpn not process
> traffic for that couple of seconds...  Of course I have now disabled the
> first radius server to avoid the issue, but a radius server downtime
> (e.g. reboot or whatever) should *not* make traffic stall, so it's not
> acceptable.
>
> One could argue that the radius plugin should perhaps try both servers
> at the same time and take the first answer it gets.  That however drops
> the idea of load balancing, and in case both radius servers are down,
> the openvpn traffic will get interrupted every time somebody tries to
> connect (and retry shortly after again and again since it'll fail),
> that's really not acceptable either.
>
> Samuel
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

-- 
-Lev
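The deferred-authentication mechanism Lev describes (the hook returns immediately and OpenVPN polls a control file for a 1 or 0) and the per-server timeout problem Samuel hit can be shown together in a small model. The following is an added example, not code from OpenVPN or from the radiusplugin project: it assumes the control-file protocol from the plugin API (a worker writes "1" or "0" to the path OpenVPN hands the plugin) and uses constructed stand-in backends, one that never answers and one that accepts a constructed test login, instead of real RADIUS servers. It bounds the wait per backend so a dead first server only delays the decision, never the server's packet forwarding, and fails closed when nobody answers.

```python
"""Deferred (asynchronous) OpenVPN-style authentication with per-server timeouts.

Added example, not code from OpenVPN or the radiusplugin project. It models the
control-file protocol described in the thread: the auth hook returns at once and
a worker later writes '1' (accept) or '0' (reject) to the file OpenVPN polls.
The backends below are constructed stand-ins for RADIUS servers; no network.
"""
import os
import tempfile
import threading
import time
from typing import Callable, Optional, Sequence

# A backend answers True/False, or None when it does not respond at all
# (the "first server is switched off" case from the thread).
Backend = Callable[[str, str], Optional[bool]]


def query_backends(username: str, password: str, backends: Sequence[Backend],
                   per_server_timeout: float) -> bool:
    """Ask each backend in turn; the first definite answer wins.

    A backend that does not answer within per_server_timeout is skipped, so a
    dead first server adds at most that delay. If no backend answers, fail
    closed (reject) rather than accept.
    """
    for backend in backends:
        answer: list = [None]

        def ask(b=backend):
            answer[0] = b(username, password)

        t = threading.Thread(target=ask, daemon=True)
        t.start()
        t.join(per_server_timeout)          # bounded wait per server
        if answer[0] is not None:
            return bool(answer[0])
    return False


def write_control_file(path: str, accepted: bool) -> None:
    """Write the decision atomically so the poller never sees a partial file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("1" if accepted else "0")
    os.replace(tmp, path)


def deferred_verify(username: str, password: str, control_file: str,
                    backends: Sequence[Backend],
                    per_server_timeout: float = 2.0) -> threading.Thread:
    """The deferred auth hook: start the lookup in the background and return.

    A real plugin would now return OPENVPN_PLUGIN_FUNC_DEFERRED so the OpenVPN
    event loop keeps forwarding traffic for other clients while this runs.
    """
    def work():
        ok = query_backends(username, password, backends, per_server_timeout)
        write_control_file(control_file, ok)

    worker = threading.Thread(target=work, daemon=True)
    worker.start()
    return worker


def read_decision(control_file: str, timeout: float) -> Optional[bool]:
    """Poll the control file the way the server side does; None on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(control_file) as f:
                data = f.read().strip()
        except FileNotFoundError:
            data = ""
        if data in ("0", "1"):
            return data == "1"
        time.sleep(0.02)
    return None


# Constructed backends standing in for the two RADIUS servers in the thread.
def down_server(username: str, password: str) -> Optional[bool]:
    time.sleep(30)                          # never answers in time
    return None


def accepting_server(username: str, password: str) -> Optional[bool]:
    # Constructed credentials for the demo only.
    return username == "alice" and password == "s3cret"


def demo(tmpdir: str, per_server_timeout: float = 0.2):
    """Return (hook latency in seconds, decision) for a login via a dead first server."""
    control = os.path.join(tmpdir, "auth_control")
    start = time.monotonic()
    deferred_verify("alice", "s3cret", control,
                    [down_server, accepting_server], per_server_timeout)
    latency = time.monotonic() - start      # the hook itself returns immediately
    return latency, read_decision(control, timeout=5.0)


if __name__ == "__main__":
    print(demo(tempfile.mkdtemp()))
```

The point of the model is the split between `deferred_verify`, which must return before any backend is consulted, and `query_backends`, which is the only place allowed to block; the per-server `join` timeout is what turns Samuel's "couple of seconds" of stalled traffic into a couple of seconds of delayed login for one client, and the `return False` at the end is the fail-closed branch for the case where both servers are down.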
