Hello,

Lev Stipakov, on Fri 31 Jul 2015 11:19:15 +0300, wrote:
> Do you use radius plugin from http://www.nongnu.org/radiusplugin/ ? I
> think the way OpenVPN delegates authentication to a plugin
> (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook) is asynchronous, as well
> as plugin implementation, i.e. OpenVPN does not wait for a response.
> Instead it periodically checks a tmp file to where plugin is supposed
> to write authentication result (1 or 0).

Since I was still getting traffic misses even with acf properly working,
I dug a bit further, and the issue I'm still having is with accounting.
Here is the log I'm having, for instance on a :

Tue Aug 11 00:54:10 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Tue Aug 11 00:54:10 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: b...@bar.com, interval: 0, calling station: ::ffff:92.146.150.249, commonname: b...@bar.com, framed ip: 80.67.179.7, framed ipv6: 2001:0910:0802:0000:0000:0000:0000:1307.

[during these two seconds, openvpn doesn't traffic any more]

Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND-ACCT: Get ACCOUNTING_RESPONSE-Packet.
Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND ACCT: Start packet was send.
Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND ACCT: User was added to accounting scheduler.
Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND-ACCT: No routes for user.
Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND-ACCT: Create IPv6 route string ip -6 route add 2001:910:1307::/48 dev tun2 proto static 2> /dev/null dev tun2.
Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND-ACCT: Add route to system routing table.

[and now traffic passes again]

Looking at the source code in openvpn_plugin_open_v2, I see:

    context->acctsocketbackgr.send ( ADD_USER );
    ...
    context->acctsocketbackgr.send ( newuser->getVsaBuf(), newuser->getVsaBufLen() );
    //get the response
    const int status = context->acctsocketbackgr.recvInt();

This is again synchronous code, and this time I don't see any option to
make it asynchronous... I can see that when accounting fails, an
exception is thrown, to return an error to openvpn and thus prevent the
connection. I guess this is an important part that shouldn't be dropped,
but I don't see a way to make it asynchronous without modifying the
openvpn core. In our case we don't actually make use of radius
accounting...

Samuel
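
To see how often and for how long the accounting start blocks, the gap between each "New User." line and the following ACCOUNTING_RESPONSE line can be pulled out of the OpenVPN log. This is an added example, not part of the original message or of radiusplugin; the sample log is constructed on the model of the lines quoted above, and the function name, usernames and 1-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log lines quoted in the message above.
SAMPLE_LOG = """\
Tue Aug 11 00:54:10 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Tue Aug 11 00:54:10 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: user1@example.test, interval: 0
Tue Aug 11 00:54:12 2015 RADIUS-PLUGIN: BACKGROUND-ACCT: Get ACCOUNTING_RESPONSE-Packet.
Tue Aug 11 01:10:30 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Tue Aug 11 01:10:30 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: user2@example.test, interval: 0
Tue Aug 11 01:10:30 2015 RADIUS-PLUGIN: BACKGROUND-ACCT: Get ACCOUNTING_RESPONSE-Packet.
Tue Aug 11 01:20:00 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Tue Aug 11 01:20:00 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: user3@example.test, interval: 0
"""

# The plugin logs both "BACKGROUND ACCT:" and "BACKGROUND-ACCT:", so accept either.
LINE_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) RADIUS-PLUGIN: BACKGROUND[- ]ACCT: (.*)$")
USER_RE = re.compile(r"New user acct: username: ([^,]+),")

def accounting_stalls(log_text, threshold_s=1.0):
    """Return (username, start_time, seconds) per accounting start that waited at
    least threshold_s for its response; seconds is None if none was logged."""
    stalls, pending = [], None          # pending = [start_time, username]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if msg.startswith("New User."):
            if pending:                 # previous start never got a response
                stalls.append((pending[1], pending[0], None))
            pending = [ts, None]
        elif pending and USER_RE.match(msg):
            pending[1] = USER_RE.match(msg).group(1)
        elif pending and "ACCOUNTING_RESPONSE" in msg:
            waited = (ts - pending[0]).total_seconds()
            if waited >= threshold_s:
                stalls.append((pending[1], pending[0], waited))
            pending = None
    if pending:                         # log ended while still waiting
        stalls.append((pending[1], pending[0], None))
    return stalls

if __name__ == "__main__":
    for user, start, waited in accounting_stalls(SAMPLE_LOG):
        state = "no response logged" if waited is None else f"{waited:.0f}s wait"
        print(f"{start:%H:%M:%S} {user}: {state}")
```

Log timestamps have one-second resolution, so stalls shorter than the threshold are only visible by lowering `threshold_s` to 0 and comparing counts.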