Re: [Openvpn-users] AWS VPN Client Endpoint Slow
Hi,

On Wed, Dec 14, 2022 at 04:34:49PM +, David Boyle wrote:
> Something I have considered is that the certs I've used are using quite
> strong hashing for the keys, could this be causing me issues? I'm reluctant
> to create new certs but am considering this as the next thing to try as part
> of a process of elimination approach.

Certs are never used for data packets, only for the TLS handshake, so this is not relevant.

(Can't say what the actual issue is, but it's *not* the certs).

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
[Openvpn-users] AWS VPN Client Endpoint Slow
Hi All,

I'm hoping someone else has already solved this issue, or at least knows what could be wrong.

I've recently created a VPN client endpoint in AWS, and am connecting to it using OpenVPN Connect v3 on MacOS. The connection is nice and stable, and for doing things like server admin, looking at dashboards and the like, which require little bandwidth, it's great.

The trouble I'm having is that the connection rate doesn't seem to want to get above 200-300kb/s. Things like file uploads via ssh / scp just don't want to play ball. I've tried this from a few different machines on numerous networks, i.e. gigabit business line, home fibre broadband, 4g network; the performance is currently about the same regardless of the available bandwidth, which is bizarre.

As a test, if I try to crudely force some traffic through the tunnel, e.g.

ssh user@aws-service-name 'dd if=/dev/zero bs=1GB count=3 2>/dev/null' | dd of=/dev/null status=progress

I see a spike in the connection stats graph in OpenVPN Connect, and the process bails after a couple of seconds at best. The tunnel stays up. Example of the output:

bash: line 1:   388 Killed    dd if=/dev/zero bs=1GB count=3 2> /dev/null
6080+0 records in
6080+0 records out

I have tried recreating the VPN client in AWS to use UDP rather than TCP, same thing.

Something I have considered is that the certs I've used are using quite strong hashing for the keys, could this be causing me issues? I'm reluctant to create new certs but am considering this as the next thing to try as part of a process of elimination approach.

My client settings look like this:

client
dev tun
proto udp
remote vpn.cvpn-endpoint-blah.prod.clientvpn.eu-west-2.amazonaws.com 1194
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----
reneg-sec 0

Any help / suggestions would be greatly appreciated.

Thanks
Re: [Openvpn-users] Need working way to authenticate in RADIUS.
Hi,

On Wed, Dec 14, 2022 at 01:58:11PM +0100, Bogdan Rudas wrote:
> We mind RADIUS for MFA and password checks. Having RADIUS just checking
> password+OTP via external MFA works, however any time spent in RADIUS
> communication for one client session means the traffic to other clients is
> stuck, that is why I was asking 'what plugin is good'. I wonder if the PAM
> plugin is really asynchronous by default.

plugin-auth-pam can run sync or async. Part of my test suite is "run this with a non-responding radius server (15s timeout)" so I can attest "yes, this is very well tested in async/deferred mode".

> Besides OTP, there are MFA mobile
> applications that require users to press a button on their smartphone for
> confirmation. In such cases RADIUS will reply when a user pressed the
> button and thus the entire OpenVPN instance will be stuck for an even
> longer time.

I understand. I've been there, which is why I added async/deferred handling to plugin-auth-pam :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Need working way to authenticate in RADIUS.
Hello Gert!

We mind RADIUS for MFA and password checks. Having RADIUS just checking password+OTP via external MFA works, however any time spent in RADIUS communication for one client session means the traffic to other clients is stuck, that is why I was asking 'what plugin is good'. I wonder if the PAM plugin is really asynchronous by default.

Besides OTP, there are MFA mobile applications that require users to press a button on their smartphone for confirmation. In such cases RADIUS will reply when a user pressed the button and thus the entire OpenVPN instance will be stuck for an even longer time.

At the moment we are evaluating 'some plugin' with 'that patches' and 'certain build options' to handle RADIUS communication in an asynchronous way and will share positive outcomes if any.

Thank you.
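The deferred (async) authentication that both messages in this thread are about, shown as an added illustration rather than code from plugin-auth-pam or from either poster: an OpenVPN `auth-user-pass-verify` script in `via-file` mode hands the slow RADIUS/MFA round trip to a background process and returns exit status 2 ("pending"), so the daemon keeps forwarding other clients' traffic until "1" or "0" is written to the file named in `$auth_control_file`. The RADIUS backend here is a constructed stand-in (`slow_backend`) that just sleeps and compares a fixed credential.

```shell
#!/bin/sh
# Deferred auth for OpenVPN "auth-user-pass-verify <script> via-file".
# OpenVPN passes a temp file as $1 (line 1 = username, line 2 = password)
# and exports auth_control_file. Exit status 2 means "result pending";
# the verdict is delivered later by writing 1 (accept) or 0 (reject)
# into $auth_control_file. Nothing blocks the OpenVPN main loop meanwhile.

# Constructed stand-in for a RADIUS/MFA round trip (assumption: in a real
# deployment this would be a radclient call or similar, which may take
# many seconds while the user taps "approve" on a phone).
slow_backend() {
    user="$1"; pass="$2"
    sleep 1
    [ "$user" = "alice" ] && [ "$pass" = "correct-horse" ]
}

# deferred_auth CREDFILE CONTROLFILE -> returns 2 immediately; the
# background job writes the verdict into CONTROLFILE when the backend answers.
deferred_auth() {
    credfile="$1"; control="$2"
    user=$(sed -n 1p "$credfile")
    pass=$(sed -n 2p "$credfile")
    # Detach all stdio: an inherited pipe would make OpenVPN wait on it.
    (
        if slow_backend "$user" "$pass"; then
            echo 1 > "$control"
        else
            echo 0 > "$control"
        fi
    ) </dev/null >/dev/null 2>&1 &
    return 2
}

# Entry point when invoked by OpenVPN (skipped when sourced for testing).
if [ -n "${auth_control_file:-}" ] && [ -n "${1:-}" ]; then
    deferred_auth "$1" "$auth_control_file"
    exit $?
fi
```

A synchronous script would instead run `slow_backend` inline and exit 0 or 1, which is exactly the "one client's MFA wait stalls everyone" behaviour described above.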