Open nemesifier opened 8 months ago
Yeah, tls-timeout 0 can work if you have an incredibly fast setup and there is always the next packet, but generally a tls-timeout of 0 does not really make sense. You basically recreated the 500-mile radius problem. OpenVPN does not really do hand-holding, so if you want stupid, give the user something stupid. We might still want to ignore 0 or error out.
OpenVPN does insane amounts of hand-holding on option sanity... :-) - so indeed, it would make sense to require n >= 1 here...
Describe the bug
Inadvertently setting the tls-timeout option to zero generates traffic spikes and anomalous behavior which can stress the underlying network infrastructure.
To Reproduce
This is the config I was using (replaced some sensitive info with asterisks):
Expected behavior
I am not sure why I had set tls-timeout to zero, maybe it was a mistake, it doesn't seem to make sense. I would expect OpenVPN to let me know if this is a mistake and fail.
However, the daemon starts but cannot initialize the VPN session successfully. Meanwhile, the IT team on the remote site reported anomalous traffic that is causing issues for their firewall, and even denying the traffic causes issues. This is probably an issue with their firewall that we are going to report to the firewall vendor, but it's nonetheless something that I wanted to let you know.
If I set tls-timeout to >= 1 the VPN session instantiates successfully and no anomalous traffic is observed.
My impression is that setting this value to zero should not be allowed.
Version information (please complete the following information):
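A small configuration lint that catches the misconfiguration discussed in this issue before the daemon is started, added here as an example and not part of OpenVPN or of the reporter's setup. It parses the OpenVPN config-file syntax (one option per line, `#`/`;` comments, inline `<ca>...</ca>` style blocks skipped) and flags any `tls-timeout` below 1 second, which is the threshold the thread converges on; the sample config embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample config for the demonstration; not the reporter's real config.
SAMPLE_BAD_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# zero makes the TLS handshake retransmit without any backoff
tls-timeout 0
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""


def parse_openvpn_config(text):
    """Return a list of (option, args) tuples from OpenVPN config text.

    Blank lines and comments ('#' or ';') are skipped, and inline
    <tag>...</tag> blocks (certificates, keys) are skipped wholesale so
    their contents are never mistaken for options.
    """
    options = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        options.append((parts[0], parts[1:]))
    return options


def check_tls_timeout(options, minimum=1):
    """Return a list of findings (strings) about tls-timeout; empty means OK.

    The minimum of 1 second is the assumption taken from the thread above:
    anything lower makes the handshake retransmit continuously.
    """
    findings = []
    for opt, args in options:
        if opt != "tls-timeout":
            continue
        if len(args) != 1:
            findings.append("tls-timeout: expected exactly one argument, got %r" % (args,))
            continue
        try:
            value = int(args[0])
        except ValueError:
            findings.append("tls-timeout: non-integer value %r" % args[0])
            continue
        if value < minimum:
            findings.append(
                "tls-timeout %d is below the minimum of %d; a zero timeout makes the "
                "TLS handshake retransmit continuously" % (value, minimum)
            )
    return findings


def lint_config_text(text):
    """Convenience wrapper: parse the config text and run the tls-timeout check."""
    return check_tls_timeout(parse_openvpn_config(text))


if __name__ == "__main__":
    for finding in lint_config_text(SAMPLE_BAD_CONFIG) or ["no tls-timeout problems found"]:
        print(finding)
```

Run against the constructed config it reports the zero timeout; with `tls-timeout 2` (or the option absent) it reports nothing. The inline-block skipping matters because certificate bodies otherwise look like a long run of bogus options to a naive line splitter.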