I've been amusing myself over the weekend with breaking OpenVPN servers
by hitting them hard with a constant flurry of incoming client connections
and disconnects, connection time randomly between 0.1s and 15s, about
1/4 with --explicit-exit-notify, 1/4 with bad password, and 50% with
"good password and just disappearing".

The setup needs --username-as-common-name on the server side (since
all "clients" share the same cert), and a --auth-user-pass-verify
script to do the "good/bad" password.  Other than that, any server
setup (udp, tcp, tls-auth/crypt/...) could be exercised.

To get started, edit "gremlin.conf" to point to the server of your
choice (needs to be a valid openvpn client config, and *should*
contain route-noexec, because all clients would install the same
routes otherwise).  Then call "doas ./run-one.sh" to see if things
work - if yes, call "doas ./run-all.sh" to make it run ~30-50 run-one's
in parallel, until ctrl-c is pressed (or something crashes).

This might eventually end up being more polished in the "openvpn-testing"
repo, but for now I'm sharing so people can help break 2.6_beta2
with it :-)

*NOTE* - to have meaningful results, run the server with verb 3..6 - so
that *if* it crashes, there is something in the log to tell us why.

*WARNING* - do not run this against a production setup.  It will, at
least, flood your logs with crap, and might cause a crash.

"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
--ca $myca
--cert $mycert
--key $mykey
--remote-cert-tls server 
--verb 3 
--dev tun 
remote mytestserver 41212 tcp4
remote mytestserver 41212 tcp6

Attachment: run-one.sh
Description: Bourne shell script

Attachment: run-all.sh
Description: Bourne shell script
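
The "good/bad" password check mentioned in the message could look like the following on the test server. This is an added example, not one of the scripts attached to the original message. It assumes the server runs with "--script-security 2" and "--auth-user-pass-verify <script> via-file"; the function name and the password value are made up for illustration.

```sh
#!/bin/sh
# Added example: server-side credential check for a *test* server.
# GOOD_PASSWORD is a constructed value, not taken from the original message.
GOOD_PASSWORD='gremlin-good'

# verify_credentials FILE  (hypothetical helper name)
# FILE is the temporary file OpenVPN passes with "via-file":
# line 1 = username, line 2 = password.  Returns 0 to accept, 1 to reject.
verify_credentials() {
    credfile=$1
    user='' pass=''

    # Fail closed if the file is missing or unreadable.
    [ -r "$credfile" ] || return 1

    {
        IFS= read -r user || return 1
        # Accept a final line without a trailing newline, reject an absent one.
        IFS= read -r pass || [ -n "$pass" ] || return 1
    } < "$credfile"

    # With --username-as-common-name the username becomes the common name
    # that shows up in the server log, so keep it to a conservative
    # character set and reject anything else.
    case $user in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac

    [ "$pass" = "$GOOD_PASSWORD" ]
}

# OpenVPN always passes the credentials file as $1.  Without an argument
# the file only defines the function, e.g. when sourced by a test.
if [ "$#" -ge 1 ]; then
    verify_credentials "$1"
    exit $?
fi
```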
