OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

OpenVPN server performance degrades after auth failures #446

Open NerijusRazvodovskis opened 10 months ago

NerijusRazvodovskis commented 10 months ago

Describe the bug Authentication failures (using radius) degrade OpenVPN server performance; it becomes unusable at that moment.

To Reproduce

  1. Create an OpenVPN server
  2. First client should connect with right password.
  3. Second client should try to connect with wrong password.
  4. First client will not be able to use the VPN due to auth failures.

Expected behavior The server performance shouldn't degrade in such cases.

Version information (please complete the following information):

cron2 commented 10 months ago

This is a well-known issue. Auth-Plugins and any sort of script that are called from openvpn will block the main process until finished. Plugins or Scripts that are expected to take longer than "very few milliseconds" need to use async/deferred mode, which will return control to OpenVPN right away and deliver the expected results later.

Since you have no information how you are contacting the Radius server (OpenVPN has no Radius support built in, but there are multiple different ways to do that) it's impossible to give more specific advice.

Also, your OpenVPN version is quite old. 2.4.7 was released February 2019. Current version is 2.5.9 or 2.6.6.
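To make the "async/deferred mode" described above concrete, here is an added example of a minimal OpenVPN auth plugin written for this thread; it is not the radiusplugin's code and not part of the OpenVPN project. It forks the slow credential check into a child, returns OPENVPN_PLUGIN_FUNC_DEFERRED to OpenVPN at once, and lets the child report the verdict through the auth_control_file that OpenVPN passes in the environment. The plugin API constants are mirrored from openvpn-plugin.h so the file compiles without OpenVPN headers installed; slow_backend_check is a constructed stand-in for the RADIUS round-trip and accepts one made-up credential pair.

```c
/* Minimal deferred-auth OpenVPN plugin (added example, not the radiusplugin's code).
 * Build as a plugin:      gcc -shared -fPIC -o deferred_auth.so deferred_auth.c
 * Use in server config:   plugin /etc/openvpn/deferred_auth.so
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>

/* Values mirrored from openvpn-plugin.h so this compiles stand-alone;
 * include the real header when building against an OpenVPN tree. */
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5
#define OPENVPN_PLUGIN_MASK(x) (1 << (x))
#define OPENVPN_PLUGIN_FUNC_SUCCESS  0
#define OPENVPN_PLUGIN_FUNC_ERROR    1
#define OPENVPN_PLUGIN_FUNC_DEFERRED 2
typedef void *openvpn_plugin_handle_t;

/* Look up NAME in OpenVPN's NULL-terminated "name=value" environment list. */
const char *get_env(const char *name, const char *envp[])
{
    size_t n = strlen(name);
    for (int i = 0; envp && envp[i]; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    }
    return NULL;
}

/* Constructed stand-in for the slow backend round-trip (e.g. a RADIUS
 * Access-Request). Only the constructed pair alice / correct-horse passes. */
static int slow_backend_check(const char *user, const char *pass)
{
    struct timespec delay = {0, 50 * 1000 * 1000}; /* 50 ms of simulated latency */
    nanosleep(&delay, NULL);
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* OpenVPN polls auth_control_file for a single '1' (accept) or '0' (reject). */
int write_auth_result(const char *path, int ok)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fputs(ok ? "1\n" : "0\n", f) == EOF ? -1 : 0;
    fclose(f);
    return rc;
}

/* Read the verdict back: 1 accept, 0 reject, -1 missing or unreadable. */
int read_auth_result(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int c = fgetc(f);
    fclose(f);
    return c == '1' ? 1 : c == '0' ? 0 : -1;
}

/* Reap forked checkers so a caller can observe the deferred result. */
void wait_for_pending_children(void)
{
    while (waitpid(-1, NULL, 0) > 0) { }
}

openvpn_plugin_handle_t openvpn_plugin_open_v1(unsigned int *type_mask,
                                               const char *argv[], const char *envp[])
{
    (void)argv; (void)envp;
    *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
    return (openvpn_plugin_handle_t)1; /* non-NULL signals success; no state kept */
}

int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type,
                           const char *argv[], const char *envp[])
{
    (void)handle; (void)argv;
    if (type != OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
        return OPENVPN_PLUGIN_FUNC_ERROR;
    const char *ctl  = get_env("auth_control_file", envp);
    const char *user = get_env("username", envp);
    const char *pass = get_env("password", envp);
    if (!ctl || !user || !pass)
        return OPENVPN_PLUGIN_FUNC_ERROR; /* nothing to defer: reject synchronously */

    pid_t pid = fork();
    if (pid < 0)
        return OPENVPN_PLUGIN_FUNC_ERROR;
    if (pid == 0) {
        /* Child: do the slow work, report via the control file, never return into OpenVPN. */
        int ok = slow_backend_check(user, pass);
        write_auth_result(ctl, ok);
        _exit(0);
    }
    /* Parent: give control back to the daemon immediately; the verdict arrives by file. */
    return OPENVPN_PLUGIN_FUNC_DEFERRED;
}

void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { (void)handle; }
```

The point of the fork is that the main OpenVPN process spends no time waiting on the backend, so one client's failed or slow attempt cannot stall every other tunnel. A production plugin also needs a strategy for reaping the children it forks (here wait_for_pending_children only exists so a caller can collect the result) and must treat the password it receives in envp as a secret, never writing it to logs.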

NerijusRazvodovskis commented 10 months ago

Thank you for the answer, anyways, if it is a well-known issue, upgrading OpenVPN won't help in this case.

Right, I will try to search for a plugin which works in async/deferred mode. Thank you for the hints! Appreciate that!

cron2 commented 10 months ago

If you tell us which plugin you use, we might be able to help...

NerijusRazvodovskis commented 10 months ago

I'm using https://github.com/ValdikSS/openvpn-radiusplugin

Upgraded my OpenVPN server to v2.6.7, but seems like this plugin stopped to work from v2.5.0, digging deeper into it

cron2 commented 10 months ago

We haven't changed anything on the plugin side between 2.5.x and 2.6.x, so it should work just fine. What do the logs say? @ValdikSS any ideas?

ValdikSS commented 10 months ago

> @ValdikSS any ideas?

Sorry, I no longer maintain or use the plugin. Here's why: https://github.com/ValdikSS/openvpn-radiusplugin/issues/24

If we're talking about OpenVPN from the repository and not self-compiled, take a look at the systemd service file: it may have a forking limit, and this is exactly what radiusplugin does. Try to remove the limit and see if it helps. But that's just from the top of my head, not based on anything.

NerijusRazvodovskis commented 10 months ago

Well, actually it throws only:

PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
TLS Auth Error: Auth Username/Password verification failed for peer

If I downgrade it to v2.4.7, it starts to work 🤷🏻

Perhaps because I don't provide any script to openvpn server config for auth-user-pass-verify? I'm just using plugin inside server configuration.

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
ifconfig-pool-persist ipp.txt
verify-client-cert none
cipher AES-256-CBC
auth SHA512

cron2 commented 10 months ago

Without a log from the radius plugin it's hard for us to see what is happening - it says "failed", but that could be due to internal API changes (2.4 to 2.5 is a significant change, so it's possible the plugin needs to be updated - sorry I misunderstood the statement "stopped to work from v2.5.0" as meaning "it worked in v2.5.0").

NerijusRazvodovskis commented 10 months ago

No problem at all, I'm sorry, English is not my native language. Okay, will try to research for another plugin at the moment.

NerijusRazvodovskis commented 10 months ago

Plugin was failing due to https://github.com/NerijusRazvodovskis/openvpn-radiusplugin/commit/6a0dc182b6d51ee2140d91723e6e4c0115879935, it wasn't pushed into the master in @ValdikSS repo.

Anyways the mentioned issue still exists. :( Should I specify anything at server conf for auth-user-pass-verify or client-connect?