Delay in the vpn traffic when old user tries to create new vpn

Post by rcasaponsa » Mon Sep 06, 2021 9:43 am

Hi,

Some days ago some clients started to complain that the connection freezes every 5 seconds for a moment (we use OpenVPN for a "real time application" and we need a fluent connection). We are using OpenVPN 2.3.10.

We tried some pings and found that every (5-10) stable pings there was one with a higher value (the normal ones were about 45ms and the higher ones about 650ms). This happened on all connected clients, without any traffic inside the VPN.

After some research we found a correlation between the attempts by old, removed users to start a VPN and the higher pings. Every time a removed user tried to log in, all the connections to the clients had a little hold or downtime or...

To authenticate the users we use the options:

auth-user-pass-optional
auth-user-pass-verify /some/path/script.py via-env

This script (/some/path/script.py) validates whether the user can open a new VPN or not.

We tried removing these two options from our VPN (we have certificate validation) and the problem disappears.

Now the old clients fail to create a VPN, but for another reason (we use a file for extra configuration that we remove when the client is removed, and when this file is missing the VPN connection fails).

Can this be happening? Can the process of validating new connections be affecting the traffic of the VPNs?

Is there any way to solve it? We "need" an extra external check to validate the user and create a new VPN, with these options or any others.

Thanks for all the help,

Roger

Post by TinCanTech » Mon Sep 06, 2021 12:44 pm

rcasaponsa wrote: Mon Sep 06, 2021 9:43 am
> Can this be happening? Can the process of validating new connections be affecting the traffic of the VPNs?

Correct.

rcasaponsa wrote: Mon Sep 06, 2021 9:43 am
> Is there any way to solve it?

rcasaponsa wrote: Mon Sep 06, 2021 9:43 am
> We are using OpenVPN 2.3.10

Not with that old version.

Post by rcasaponsa » Tue Sep 07, 2021 6:47 am

Hi,

thanks for the reply :)

I have downloaded, compiled and installed the latest OpenVPN (2.5.3) and the behaviour is the same. The connection has a delay in the VPN traffic when an unauthorized user tries to connect (using the auth-user-pass-verify option).

Is there any option or configuration I can change to avoid that behaviour?

Thanks for all the help,

Roger

Post by TinCanTech » Tue Sep 07, 2021 11:57 am

You need to use --deferred-auth, which is only available in v2.6

Post by rcasaponsa » Thu Sep 09, 2021 10:00 pm

Hi,

I'm currently using the community version and the latest one is 2.5.3.

If we cannot change it in 2.5.3 we will try to change the validation we do in the script to be faster (currently it makes some calls to some APIs).

Thanks for the help!

Post by TinCanTech » Thu Sep 09, 2021 10:25 pm

It is quite easy to build version 2.6 yourself, then you can use deferred-auth.

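An added example, not code from this thread or from the OpenVPN project: a sketch of how the auth-user-pass-verify script (via-env) discussed above could use deferred authentication on OpenVPN 2.6, where the script exits with status 2 at once and a background child later writes 1 or 0 to the file named by the auth_control_file environment variable. The function slow_backend_check and its sample credentials are hypothetical stand-ins for the poster's API calls.

```python
#!/usr/bin/env python3
import os
import sys

DEFERRED = 2  # exit status: verdict will be written to auth_control_file later
REJECT = 1    # exit status: refuse the client now


def slow_backend_check(username, password):
    """Hypothetical stand-in for the slow API calls made by the real script."""
    allowed = {"alice": "constructed-sample-password"}  # constructed sample data
    return bool(username) and allowed.get(username) == password


def finish_auth(env, check=slow_backend_check):
    """Background half: run the slow check, then write '1' (accept) or '0' (reject)."""
    try:
        ok = bool(check(env.get("username", ""), env.get("password", "")))
    except Exception:
        ok = False  # fail closed if the backend errors out
    with open(env["auth_control_file"], "w") as handle:
        handle.write("1" if ok else "0")
    return ok


def verify(env, check=slow_backend_check):
    """Foreground half: return immediately so the server is not held up."""
    if not env.get("auth_control_file"):
        return REJECT  # server offers no deferred channel: reject rather than block
    if os.fork() == 0:  # the child outlives this script and does the slow work
        try:
            os.setsid()
            finish_auth(env, check)
        finally:
            os._exit(0)
    return DEFERRED


if __name__ == "__main__":
    sys.exit(verify(os.environ))
```

On a server that does not set auth_control_file for scripts, this sketch rejects every login instead of blocking, so it is only useful once the server runs 2.6.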