Sessions blocked during authentication of new session

hlzhnz
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 07, 2022 4:43 pm

Sessions blocked during authentication of new session

Post by hlzhnz » Thu Apr 07, 2022 5:01 pm

Hello,
When a new client connects via OpenVPN, all other sessions are blocked for a short time, exactly as long as the new client takes to authenticate.
This happens regardless of the authentication method. The longer the new client takes to authenticate, the longer the other sessions are blocked.

I tried it with the following authentication methods; the result is always the same, only auth-ldap is much faster, so you don't notice the delay.

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
auth-user-pass-verify "/usr/local/bin/otp-auth.py" via-file


Can anyone help me with this?

Regards


server.conf:

cd /etc/openvpn/
management 127.0.0.1 5555
auth-user-pass-verify "/usr/local/bin/otp-auth.py" via-file
script-security 2
client-connect /usr/local/bin/client-connect.sh
client-disconnect /usr/local/bin/client-disconnect.sh
verify-client-cert none
username-as-common-name
duplicate-cn
local 192.168.7.44
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/openvpn.example.net.crt
key /etc/openvpn/easy-rsa/keys/openvpn.example.net.key
dh /etc/openvpn/dh2048.pem
topology subnet
mode server
tls-server
ifconfig 172.20.32.1 255.255.240.0
ifconfig-pool 172.20.32.32 172.20.47.254
push "route-gateway 172.20.32.1"
push "route 172.16.0.0 255.240.0.0 vpn_gateway"
push "route 192.4.100.0 255.255.254.0 vpn_gateway"
push "route 10.0.0.0 255.0.0.0 vpn_gateway"
push "route 192.168.50.0 255.255.255.0 vpn_gateway"
push "route 100.0.0.0 255.0.0.0 vpn_gateway"
push "route 192.168.130.0 255.255.255.0 vpn_gateway"
push "topology subnet"
push "explicit-exit-notify 1"
push "auth-nocache"
push "reneg-sec 0"
reneg-sec 0
push "dhcp-option DNS 192.168.2.11"
push "dhcp-option DNS 192.168.2.12"
push "dhcp-option DOMAIN example.net"
keepalive 5 30
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 5
explicit-exit-notify 1


log:
2022-04-07 18:58:06 us=671156 48 variation(s) on previous 5 message(s) suppressed by --mute
2022-04-07 18:58:06 us=671658 MULTI: multi_create_instance called
2022-04-07 18:58:06 us=672366 147.53.220.235:48679 Re-using SSL/TLS context
2022-04-07 18:58:06 us=672766 147.53.220.235:48679 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-07 18:58:06 us=673038 147.53.220.235:48679 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-07 18:58:06 us=673346 147.53.220.235:48679 LZ4v2 compression initializing
2022-04-07 18:58:06 us=674364 147.53.220.235:48679 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2022-04-07 18:58:06 us=674555 147.53.220.235:48679 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-04-07 18:58:06 us=674873 147.53.220.235:48679 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2022-04-07 18:58:06 us=675108 147.53.220.235:48679 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2022-04-07 18:58:06 us=675517 147.53.220.235:48679 TLS: Initial packet from [AF_INET]147.53.220.235:48679, sid=dbbf70cf bd509041
2022-04-07 18:58:06 us=801586 147.53.220.235:48679 peer info: IV_VER=3.git::662eae9a:Release
2022-04-07 18:58:06 us=801929 147.53.220.235:48679 peer info: IV_PLAT=android
2022-04-07 18:58:06 us=802063 147.53.220.235:48679 peer info: IV_NCP=2
2022-04-07 18:58:06 us=802227 147.53.220.235:48679 peer info: IV_TCPNL=1
2022-04-07 18:58:06 us=802401 147.53.220.235:48679 peer info: IV_PROTO=2
2022-04-07 18:58:06 us=802561 147.53.220.235:48679 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
2022-04-07 18:58:06 us=802777 147.53.220.235:48679 peer info: IV_SSO=openurl
auth success!
2022-04-07 18:58:07 us=886705 147.53.220.235:48679 TLS: Username/Password authentication succeeded for username 'domain\username' [CN SET]
2022-04-07 18:58:07 us=887110 147.53.220.235:48679 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
2022-04-07 18:58:07 us=887264 147.53.220.235:48679 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2022-04-07 18:58:07 us=890033 147.53.220.235:48679 PID_ERR replay [0] [TLS_WRAP-0] [111111] 1649350753:6 1649350753:6 t=1649350687[0] r=[-1,64,15,0,1] sl=[58,6,64,528]
2022-04-07 18:58:07 us=890374 147.53.220.235:48679 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #6 / time = (1649350753) 2022-04-07 18:59:13 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-04-07 18:58:07 us=890561 147.53.220.235:48679 TLS Error: incoming packet authentication failed from [AF_INET]147.53.220.235:48679
2022-04-07 18:58:07 us=926015 147.53.220.235:48679 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2022-04-07 18:58:07 us=926415 147.53.220.235:48679 [domain\username] Peer Connection Initiated with [AF_INET]147.53.220.235:48679
2022-04-07 18:58:07 us=926623 domain\username/147.53.220.235:48679 MULTI_sva: pool returned IPv4=172.20.32.32, IPv6=(Not enabled)
10.0.0.0/8
2022-04-07 18:58:08 us=126155 domain\username/147.53.220.235:48679 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_f3b7c60dd35de8320ad789c7c03400f.tmp
2022-04-07 18:58:08 us=126497 domain\username/147.53.220.235:48679 MULTI: Learn: 172.20.32.200 -> domain\username/147.53.220.235:48679
2022-04-07 18:58:08 us=126537 domain\username/147.53.220.235:48679 MULTI: primary virtual IP for domain\username/147.53.220.235:48679: 172.20.32.200
2022-04-07 18:58:08 us=126569 domain\username/147.53.220.235:48679 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-04-07 18:58:08 us=126621 domain\username/147.53.220.235:48679 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
2022-04-07 18:58:08 us=126764 domain\username/147.53.220.235:48679 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-07 18:58:08 us=126799 domain\username/147.53.220.235:48679 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-07 18:58:08 us=127441 domain\username/147.53.220.235:48679 PUSH: Received control message: 'PUSH_REQUEST'
2022-04-07 18:58:08 us=127554 domain\username/147.53.220.235:48679 SENT CONTROL [domain\username]: 'PUSH_REPLY,route-gateway 172.20.32.1,route 172.16.0.0 255.240.0.0 vpn_gateway,route 192.4.100.0 255.255.254.0 vpn_gateway,route 10.0.0.0 255.0.0.0 vpn_gateway,route 192.168.50.0 255.255.255.0 vpn_gateway,route 100.0.0.0 255.0.0.0 vpn_gateway,route 192.168.130.0 255.255.255.0 vpn_gateway,topology subnet,explicit-exit-notify 1,auth-nocache,reneg-sec 0,dhcp-option DNS 172.27.2.11,dhcp-option DNS 172.27.2.12,dhcp-option DOMAIN domain.net,compress lz4-v2,ping 5,ping-restart 30,ifconfig 172.20.32.200 255.255.240.0,peer-id 13,cipher AES-256-GCM' (status=1)

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Sessions blocked during authentication of new session

Post by TinCanTech » Thu Apr 07, 2022 5:14 pm

This is currently how OpenVPN works.

OpenVPN 2.5 has a mechanism for deferred auth, which does not block during session authentication.
But you must only use one authentication plugin if you use deferred auth.

See details: https://build.openvpn.net/man/openvpn-2 ... vpn.8.html

hlzhnz
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 07, 2022 4:43 pm

Re: Sessions blocked during authentication of new session

Post by hlzhnz » Thu Apr 07, 2022 6:40 pm

Thanx!

This works fine; I now use:

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/bin/otp-auth.py

https://github.com/fac/auth-script-openvpn
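For readers wanting to see what a deferred-auth script in that shape looks like: the script is run outside the main OpenVPN loop, and instead of reporting its verdict through its exit code it writes "1" (accept) or "0" (reject) to the file named in the `auth_control_file` environment variable, with the credentials arriving in the `username` and `password` variables that OpenVPN exports to auth plugins (assumed here to be forwarded unchanged by the plugin). This is an added example, not the poster's otp-auth.py or the plugin's own code; the TOTP seed store and the user "alice" are constructed.

```python
import base64, hashlib, hmac, os, struct, sys, time

# Constructed demo store: user -> base32 TOTP seed (the RFC 6238 test seed).
# A real deployment would look this up in LDAP or a database instead.
USER_SECRETS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
STEP, DIGITS = 30, 6   # TOTP time step (seconds) and code length

def totp(secret_b32, t):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(username, code, now=None, drift=1):
    """True if code matches the user's TOTP within +/- drift time steps."""
    secret = USER_SECRETS.get(username)
    if secret is None or len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    now = int(time.time()) if now is None else now
    # Compare every candidate step in constant time; no early exit that would
    # reveal which step was closest.
    matches = [hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-drift, drift + 1)]
    return any(matches)

def write_verdict(control_file, ok):
    """Tell OpenVPN the result: "1" = authenticated, "0" = rejected."""
    with open(control_file, "w") as fh:
        fh.write("1" if ok else "0")

def main():
    # OpenVPN exports these variables to auth plugins; the plugin hands the
    # same environment to the script. Never log or echo the password.
    user = os.environ.get("username", "")
    code = os.environ.get("password", "")
    control = os.environ.get("auth_control_file")
    ok = False
    try:
        ok = verify(user, code)
    finally:
        if control:              # fail closed: any exception still writes "0"
            write_verdict(control, ok)
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main())
```

Because the verdict is delivered through the control file rather than a blocking return, the other tunnels keep forwarding traffic while the OTP lookup runs, which is exactly the stall described in the first post.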
