I have a small OpenVPN setup for 100+ people with Ubuntu 18.04 and openvpn 2.4.4-2ubuntu1.6
server.conf:
port 1194
proto udp
dev tun0
crl-verify ca.crl
dh dh2048-live.pem
pkcs12 server-live.p12
askpass server-live.txt
remote-cert-tls client
server 10.16.0.0 255.255.0.0
push "dhcp-option DNS 10.16.0.1"
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 5 30
persist-key
persist-tun
sndbuf 0
rcvbuf 0
txqueuelen 1000
verb 4
explicit-exit-notify 1
management 127.0.0.1 444
status-version 2
script-security 2
tls-verify /etc/openvpn/server/tls-verify.sh
ccd-exclusive
cd /etc/openvpn
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-disable
topology subnet
I use the tls-verify script for audit purposes and ccd generation.
Usually this script does not run very long, about 10 ms.
After some changes my script started to run much longer, around 1 sec.
With this change I started to see packet loss/delay in the VPN tunnel, at exactly the same time the script is running.
Reverting the changes in the script gets things back to normal.
So, the question is:
How does OpenVPN run the tls-verify script (and others)?
I mean, in the main thread, synchronously, blocking all traffic processing?
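Added example, not the poster's script: a tls-verify hook laid out so that the part OpenVPN waits on stays short, doing the two jobs the post mentions (audit logging and ccd creation) inline and pushing anything slow into a detached background job. It assumes the ccd path from server.conf, a log path under /var/log/openvpn, that client CNs are plain account names, and that an empty ccd file is enough for ccd-exclusive; untrusted_ip is set by OpenVPN during the TLS handshake.

```bash
#!/bin/bash
# Added example (not the poster's script): a tls-verify hook shaped so that
# the part OpenVPN waits on stays short. OpenVPN calls it once per certificate
# in the chain as:  tls-verify.sh <depth> <x509-subject>   (exit 0 = accept).
# Assumed paths: CCD_DIR and AUDIT_LOG; both can be overridden for testing.
set -u

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/openvpn/tls-verify.log}"

# "C=US, O=Example, CN=alice" or "/C=US/O=Example/CN=alice" -> "alice"
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Only plain account names may become ccd file names: no empty name,
# no path separators, no "..", no dotfiles, no characters outside [A-Za-z0-9._@-].
valid_cn() {
    case "$1" in
        ''|*/*|*..*|.*|*[![:alnum:]._@-]*) return 1 ;;
    esac
    return 0
}

# Run a command fully detached so the hook can exit without waiting for it.
detach() {
    ( "$@" </dev/null >/dev/null 2>&1 & )
}

# Returns 0 (accept) or 1 (reject). $1 = depth, $2 = subject.
tls_verify() {
    local depth="$1" subject="$2" cn ip
    ip="${untrusted_ip:-unknown}"          # set by OpenVPN during the handshake
    cn="$(extract_cn "$subject")"
    # Fast, local audit trail: appending one line is all that is done inline.
    printf '%s depth=%s ip=%s subject=%s\n' "$(date -u +%FT%TZ)" \
        "$depth" "$ip" "$subject" >> "$AUDIT_LOG"
    # Anything slow (here a syslog copy stands in for a remote audit sink)
    # runs detached so the hook's exit is not delayed by it.
    detach logger -t openvpn-tls-verify "depth=$depth cn=$cn ip=$ip"
    # Only the leaf certificate (depth 0) is a client; ccd-exclusive needs a
    # ccd file for it, so create one if missing. CA certificates are only logged.
    if [ "$depth" -eq 0 ]; then
        valid_cn "$cn" || return 1
        [ -e "$CCD_DIR/$cn" ] || printf '# generated %s for %s\n' \
            "$(date -u +%F)" "$cn" > "$CCD_DIR/$cn"
    fi
    return 0
}

# When OpenVPN invokes the script directly, run the hook with its two args.
if [ "$#" -ge 2 ]; then
    tls_verify "$1" "$2"
    exit $?
fi
```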