Hi,

I've been amusing myself over the weekend with breaking OpenVPN servers by hitting them hard with a constant flurry of incoming client connections and disconnects, connection time randomly between 0.1s and 15s, about 1/4 with --explicit-exit-notify, 1/4 with bad password, and 50% with "good password and just disappearing".

The setup needs --username-as-common-name on the server side (since
all "clients" share the same cert), and a --auth-user-pass-verify
script to do the "good/bad" password. Other than that, any server
setup (udp, tcp, tls-auth/crypt/...) could be exercised.

To get started, edit "gremlin.conf" to point to the server of your
choice (needs to be a valid openvpn client config, and *should*
contain route-noexec, because all clients would install the same
routes otherwise). Then call "doas ./run-one.sh" to see if things
work - if yes, call "doas ./run-all.sh" to make it run ~30-50 run-one's
in parallel, until ctrl-c is pressed (or something crashes).

This might eventually end up being more polished in the "openvpn-testing"
repo, but for now I'm sharing so people can help break 2.6_beta2
with it :-)

*NOTE* - to have meaningful results, run the server with verb 3..6 - so
that *if* it crashes, there is something in the log to tell us why.

*WARNING* - do not run this against a production setup. It will, at
least, flood your logs with crap, and might cause a crash.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
--client
--ca $myca
--cert $mycert
--key $mykey
--remote-cert-tls server
--nobind
--verb 3
--dev tun
remote-random
remote mytestserver 41212 tcp4
remote mytestserver 41212 tcp6
route-noexec
run-one.sh
Description: Bourne shell script
run-all.sh
Description: Bourne shell script
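
An added example, not part of the original mail and not the author's script: a minimal test-only --auth-user-pass-verify hook for the lab server side of the setup described above. It assumes via-file mode; the password value, the user name in the sample and the script path are constructed placeholders.

```shell
#!/bin/sh
# Test-only verify hook for a lab OpenVPN server (added example).
# Assumed server config lines (path is a placeholder):
#   script-security 2
#   username-as-common-name
#   auth-user-pass-verify /path/to/verify.sh via-file
# In via-file mode OpenVPN passes a temporary file as $1:
# line 1 is the username, line 2 is the password.

GOOD_PASSWORD="lab-only-good"   # constructed test value, never a real secret

# verify_creds FILE -> returns 0 to accept, 1 to reject
verify_creds() {
    credfile=$1
    # Fail closed if the file is missing or unreadable.
    [ -n "$credfile" ] && [ -r "$credfile" ] || return 1

    user=$(sed -n 1p "$credfile")
    pass=$(sed -n 2p "$credfile")

    # With username-as-common-name the username becomes the client's
    # common name and shows up in logs and status output, so accept
    # only a conservative character set and reject empty names.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac

    # Exit status 0 means "authenticated"; anything else is a failure.
    [ "$pass" = "$GOOD_PASSWORD" ]
}

# OpenVPN invokes the hook with the credentials file as its argument.
# Without an argument only the function is defined (sourcing/testing).
if [ "$#" -ge 1 ]; then
    verify_creds "$1"
    exit $?
fi
```
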
