[Solved] OpenVPN soft reset under heavy load



Leonidas
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 30, 2017 6:00 pm

[Solved] OpenVPN soft reset under heavy load

Post by Leonidas » Mon Jan 30, 2017 6:47 pm

Params:
Server: OpenVPN x86_64 2.3.14-1.el7 from epel repository
Server: CentOS Linux release 7.3.1611, 1 CPU @ 2.6 Ghz, 2048 RAM
Client1: OpenVPN 2.3.14 with GUI under Windows XP
Client2: OpenVPN 2.4.0 with GUI under Windows 7

What happens:
Regular network usage for surfing, youtube watching, ping -t'ing and so on works flawlessly. On both TCP and UDP protocols there are only occasional packet losses (poor server) and no disconnects. When I try to stress test bandwidth, the OpenVPN client drops the connection and requests authentication. It happens on any stress test - uTorrent, FlashGet or IPERF between two openvpn clients - in less than a minute of testing.

What have I tried:
  • Switched between UDP and TCP protocols
  • Tried setting ping-restart 0
  • Different keepalive values
  • Different tls-timeout values
  • comp-lzo on and off
  • increasing verbosity to 5
  • looking into wireshark
SERVER
port 1194
proto udp
dev tun
topology subnet
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn01.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys/crl.pem
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 0
cipher BF-CBC
client-config-dir /etc/openvpn/ccd
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
ping 10
ping-restart 0
reneg-sec 0
max-clients 100
push "persist-key"
push "ping 10"
push "ping-restart 0"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /var/log/openvpn/openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/openvpn-server.log
verb 4
CLIENT
client
proto udp
dev tun
remote 11.22.33.44 1194
tls-client
ca "key/ca.crt"
cert "key/developer1.crt"
key "key/client.key"
tls-auth "key/ta.key" 1
tls-client
cipher BF-CBC
resolv-retry infinite
reneg-sec 0
verb 4
auth-user-pass
auth-nocache
ip-win32 netsh
route-method exe
route-delay 5
Authentication with FreeRADIUS works fine. The issue appears only when I create around 10 Mbit/s of bandwidth.
Here're the logs: Could it be an issue of server performance? However, the server isn't loaded at more than 20% CPU (according to htop).
Any help would be extremely appreciated, or even a pointer to the possible source of the issue or advice on how to narrow down the search.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN soft reset under heavy load

Post by TinCanTech » Mon Jan 30, 2017 7:03 pm

WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
TLS: soft reset sec=-150 bytes=75320841/67108864 pkts=84686/0
8-)

Leonidas
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 30, 2017 6:00 pm

Re: OpenVPN soft reset under heavy load

Post by Leonidas » Mon Jan 30, 2017 10:33 pm

The solution is to use cipher AES-256-CBC on both server and client.

I should read logs more carefully. Thank you very much. I love how one quotation and a smile become the perfect solution =)
I was confused because at first I didn't use the cipher directive in the config and it was set to the default value. And the default was BF-CBC as well.
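As an added illustration (not part of this thread, and not OpenVPN's own code), the Python script below reads an OpenVPN config like the ones posted above, reports whether the effective data-channel cipher has a 64-bit block (the SWEET32 case for which the server log shows reneg-bytes being capped at 64MB), and computes how long it takes to hit that cap at a given bandwidth, which matches the "less than a minute" at ~10 Mbit/s reported in the first post. It also flags auth-nocache combined with an interactive auth-user-pass, the documented reason each renegotiation asks for credentials again; the sample config lines are constructed from the thread's client config.

```python
# Block sizes (bits) of data-channel ciphers; anything below 128 is the
# SWEET32 case that OpenVPN 2.3.14+/2.4 warns about and caps reneg-bytes for.
BLOCK_BITS = {
    "BF-CBC": 64, "DES-CBC": 64, "DES-EDE3-CBC": 64, "CAST5-CBC": 64,
    "AES-128-CBC": 128, "AES-256-CBC": 128, "AES-256-GCM": 128,
}
DEFAULT_CIPHER = "BF-CBC"               # OpenVPN 2.3/2.4 default when --cipher is absent
SWEET32_RENEG_BYTES = 64 * 1024 * 1024  # the "reducing reneg-bytes to 64MB" in the log

def parse_config(text):
    """Map each directive to the list of argument lists it was given (repeats kept)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def effective_cipher(conf):
    """Last --cipher wins; with none at all OpenVPN falls back to BF-CBC."""
    ciphers = conf.get("cipher")
    return ciphers[-1][0].upper() if ciphers and ciphers[-1] else DEFAULT_CIPHER

def sweet32_affected(conf):
    bits = BLOCK_BITS.get(effective_cipher(conf))
    return bits is not None and bits < 128

def seconds_until_soft_reset(bandwidth_mbps, reneg_bytes=SWEET32_RENEG_BYTES):
    """Time to push reneg_bytes through the tunnel at a steady rate in Mbit/s."""
    return reneg_bytes * 8 / (bandwidth_mbps * 1_000_000)

def reprompts_on_reneg(conf):
    """--auth-nocache plus interactive --auth-user-pass (no file argument) makes
    OpenVPN ask for username/password again at every TLS renegotiation."""
    aup = conf.get("auth-user-pass")
    return "auth-nocache" in conf and aup is not None and aup[-1] == []

def report(text, bandwidth_mbps=10.0):
    conf = parse_config(text)
    affected = sweet32_affected(conf)
    return {
        "cipher": effective_cipher(conf),
        "sweet32": affected,
        "reset_after_s": round(seconds_until_soft_reset(bandwidth_mbps), 1) if affected else None,
        "reprompts": reprompts_on_reneg(conf),
    }

# Constructed sample: the relevant lines of the client config from this thread.
CLIENT_BEFORE = "client\nproto udp\ncipher BF-CBC\nauth-user-pass\nauth-nocache\n"
CLIENT_AFTER = CLIENT_BEFORE.replace("cipher BF-CBC", "cipher AES-256-CBC")

if __name__ == "__main__":
    print(report(CLIENT_BEFORE))  # BF-CBC: soft reset after ~53.7 s at 10 Mbit/s, re-prompts
    print(report(CLIENT_AFTER))   # AES-256-CBC: no SWEET32 cap, so no 64MB soft reset
```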
