Traffic routing issues with Windows based servers

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
thomasw
OpenVpn Newbie
Posts: 3
Joined: Thu May 14, 2015 12:02 am

Traffic routing issues with Windows based servers

Post by thomasw » Sun Mar 29, 2020 6:47 am

I have found a issue with seemingly all my OpenVPN server setups which are all based on Windows 10/2008/2012/2016/2019 servers and we mostly use the "IPEnableRouter" registry key, though sometimes use RRAS to do the routing, both with same effect.

We we finding that with some VPNs when certain client PCs connected we've get occasional packet loss for ALL clients - often we'd miss 4+ pings in a row then get a couple of very high latency pings.
It turns out we can replicate it very easily if from a client PC we ping or in any way try and contact an IP address in the remote site that is not responding. e.g. someone was trying to access a old server that we've turned off. Or if someone tried to print over the VPN to a network printer that was turned off. or we simply replicate it very easily and immediately by pinging an IP address that doesn't respond.
While we can packet capture and try and stop PCs from attempting to contact IPs that don't respond there are lots of reasons it can happen and will keep happenning no matter what we do.

To be clear - we typically setup a IP range for OpenVPN to give out such as 192.168.227.x and the main network is say 10.0.0.x
But whenever we ping from any client PC any 10.0.0.x address that doesn't respond we lose all traffic flow, even pings to the openvpn server adaptor 192.168.222.1 drop out. All other traffic is fine and if we make sure no clients try and access IPs that don't respond then ti is reliable.

I figure it must be somehow the fault of the inbuilt Windows routing or RRAS but it has been around for a long time and used a lot for other PPTP etc VPNs inbuilt and yet I cannot find anyone reporting the same issue.
So could it somehow be related to the TAP adaptor too?
I don't know what to do to try and fix it or narrow down further. Any suggestions would be much appreciated!

I'd also like to hear from anyone else using OpenVPN on a Windows server with routing enabled to see if they can replicate the issue too. I have 100+ of these setup and I've tested a number of them based on Windows 10, Window 2012, etc and they all seem to do it so far.


Thanks

jonathonb
OpenVpn Newbie
Posts: 2
Joined: Tue Jul 20, 2021 6:08 pm

Re: Traffic routing issues with Windows based servers

Post by jonathonb » Tue Jul 20, 2021 6:13 pm

I'm having the same issue with ZeroTier, which is based on the OpenVPN NDIS driver. Have you had any luck fixing it? Here's an overview of my specific situation:

We have a Windows Routing and Remote Access Service (RRAS) server, which is configured to route traffic between it's ZeroTier network adapter and an internal network. There are managed routes and static routes setup, so ZeroTier nodes can talk with devices on the internal network, using the RRAS server to route between the two. Everything thing works great, EXCEPT when the following scenario occurs:

If a ZeroTier node attempts to connect to an internal IP that ARP can not resolve (because it doesn't exist for whatever reason), the ZeroTier interface on the RRAS server becomes momentarily unresponsive. Each packet introduces 1900 - 2500 ms of latency on the RRAS server's ZeroTier NIC. If this scenario occurs repeatedly, the latency builds up to the point that the RRAS server's ZeroTier NIC becomes unable to pass any traffic. Since the RRAS server's ZeroTier NIC IP is also the next hop for ZeroTier devices to access the internal network, the internal network becomes unreachable.

Observed behavior: When a ZeroTier device initiates a connection to an internal IP that ARP can not resolve, the RRAS server's ZeroTier NIC becomes unresponsive for ~2 seconds.

Desired behavior: When a ZeroTier device initiates a connection to an internal IP that ARP can not resolve, the RRAS server's ZeroTier NIC continues to pass traffic.

I don't believe the router on the RRAS server is the problem for two reasons. First, the issue only presents itself in one direction. Attempting to connect to a non-existent IP on the ZeroTier network from the internal network causes no issues. Second, the RRAS server's ZeroTier NIC IP becomes un-ping-able when network problems arise. If the problem resides in the RRAS router, then the ZeroTier NIC would continue to respond to pings.

Thanks!

jonathonb
OpenVpn Newbie
Posts: 2
Joined: Tue Jul 20, 2021 6:08 pm

Re: Traffic routing issues with Windows based servers

Post by jonathonb » Mon Jul 26, 2021 6:28 pm

I went down the rabbit hole on this one, and published my findings over on the ZeroTier GitHub page. It includes a couple work-arounds (Section 4) that may help people.

https://github.com/zerotier/ZeroTierOne/issues/1428

Cheers

User avatar
TinCanTech
Forum Team
Posts: 9656
Joined: Fri Jun 03, 2016 1:17 pm

Re: Traffic routing issues with Windows based servers

Post by TinCanTech » Mon Jul 26, 2021 8:58 pm

Thanks for your very thorough follow up analysis 8-)

I'm still trying to understand it all !

Post Reply