How OpenVPN runs scripts like tls-verify?

bsavelev
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 14, 2021 8:16 am

How OpenVPN runs scripts like tls-verify?

Post by bsavelev » Thu Oct 14, 2021 8:29 am

Hi!

I have a small OpenVPN setup for 100+ people on Ubuntu 18.04 with openvpn 2.4.4-2ubuntu1.6.
server.conf:

port 1194
proto udp
dev tun0

crl-verify ca.crl
dh dh2048-live.pem
pkcs12 server-live.p12
askpass server-live.txt
remote-cert-tls client

server 10.16.0.0 255.255.0.0
push "dhcp-option DNS 10.16.0.1"

client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /var/log/openvpn/ipp.txt

keepalive 5 30
persist-key
persist-tun
sndbuf 0
rcvbuf 0
txqueuelen 1000
verb 4

explicit-exit-notify 1
management 127.0.0.1 444
status-version 2
script-security 2
tls-verify /etc/openvpn/server/tls-verify.sh
ccd-exclusive

cd /etc/openvpn
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-disable
topology subnet


I use the tls-verify script for audit purposes and ccd generation.

Usually this script does not run very long - about 10 ms.
After some changes my script started to run much longer - around 1 s.

With this change I started to see packet loss/delay in the VPN tunnel, at exactly the same time the script is running.
Reverting the changes in the script gets things back to normal.

So, the question is:
How does OpenVPN run the tls-verify script (and others)?
I mean - in the main thread, synchronously, blocking all traffic processing?

bsavelev
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 14, 2021 8:16 am

Re: How OpenVPN runs scripts like tls-verify?

Post by bsavelev » Thu Oct 14, 2021 10:22 am

The main thing I am trying to understand is: why does script execution for one client affect all connected clients?


TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How OpenVPN runs scripts like tls-verify?

Post by TinCanTech » Thu Oct 14, 2021 1:17 pm

Only --client-connect supports deferred-auth, --tls-verify does not.
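A way to live with that limitation, as an added example and not the poster's own tls-verify.sh: since OpenVPN waits synchronously for a --tls-verify script, keep the accept/reject decision short and detach the slow audit/ccd work so the single event loop is not blocked for every other client. The allowlist file, the audit log path and the CN-based check are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the poster's script. OpenVPN calls --tls-verify with two
# arguments, the certificate depth and the X509 subject DN, and only exit
# status 0 accepts the certificate. Paths below are assumptions.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/server/allowed-cn.txt}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/openvpn/tls-verify-audit.log}"

# cn_from_subject: extract the CN attribute from a subject DN given either as
# "C=XX, O=Example, CN=alice" or as "/C=XX/O=Example/CN=alice".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|.*CN=\([^,/]*\).*|\1|p'
}

# fast_check: the only work OpenVPN has to wait for. Depth 0 is the client
# leaf certificate; CA certificates (depth > 0) are accepted here because the
# chain itself was already verified by OpenVPN against the configured CA.
# Returns 0 to accept, 1 to reject.
fast_check() {
    depth="$1"; subject="$2"
    [ "$depth" -gt 0 ] && return 0
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1
    grep -qxF -- "$cn" "$ALLOWLIST"
}

# slow_audit: whatever used to take ~1 s (lookups, ccd generation, remote
# logging) belongs here; it runs detached from the process OpenVPN waits on.
slow_audit() {
    printf '%s depth=%s subject=%s\n' "$(date -u +%FT%TZ)" "$1" "$2" >> "$AUDIT_LOG"
}

# tls_verify_main: decide first, detach the audit job, then return at once.
# The subshell-plus-& double fork reparents the job away from this script,
# and closing stdin/stdout/stderr ensures nothing keeps OpenVPN waiting.
tls_verify_main() {
    if fast_check "$1" "$2"; then
        ( slow_audit "$1" "$2" </dev/null >/dev/null 2>&1 & )
        return 0
    fi
    return 1
}
```

To use it as the --tls-verify command, append `tls_verify_main "$@"` at the end of the file; the audit line then appears in the log a moment after OpenVPN has already received the verdict.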
