Max simultaneous client connections

[swautier]

Hi All,

Is there a theoritical max amount of simultaneous connections?

By default, max-clients = 1024. But it looks like one can simply push it to a bigger value.
Of course, HDD, RAM, bandwidth and CPU are bottlenecks. But let's assume I have a BIG machine (understand Bi-Xeon / 24 CPUs / 2.6 GHz + 24GB RAM + 200Mbps bandwidth + very low activity clients), will I hit a theoritical limit?

The reason I ask is that we recently hit the 1024 clients default limit. I pushed max-clients to 2000 but we're having problems. Such as some clients disconnecting on ping-exit: It looks like they don't receive any ping from the server. Note that the problem occured on a much older server (not the one I described above) and older SW: OpenVPN 2.0.5. We never had that problem before though

We decided to switch to a fatter server assuming the limit we're hitting is HW. But we're not quite sure it will work.
(Of course, splitting the connections to 2+ different servers was decided but will take time to set up, for reasons beyond the scope of this topic).

TIA for your lights.

Serge.

[enjoyjoy]

We have a similar issue when there are 200+ simultaneous clients.
The CPU, memory, bandwidth is far below the machine's capability.

The mode is TAP and broadcasting.

[krzee]

you really got 1024 clients connected to a single openvpn service!?
devs have had problems after only 200 connections!
be aware that openvpn is not threaded, and you are only actually using 1 cpu core for openvpn (openssl will still run on other cores). you do not need another server... just more openvpn server instances running on that savage machine you already own

[swautier]

Yes, we have 1K connected clients on an instance! Even though most of them are just sitting there waiting for someone to talk to them.

Actually, we have 4 instances each on its own bridged TAP interface. There's a fairly advanced set of iptables/ebtables rules to manage connections between clients.

I'm almost done moving the whole setup to another bigger machine.

The single threaded issue may indeed be the bottleneck, especially given the fact that we're having a hard time reconnecting everybody: Everything worked fine until we hit the max-clients limit and had to restart the system with a higher max-clients. From there on, we couldn't manage to get everybody correctly up again. Some clients keep disconnecting and reconnecting because of keep-alive. Probably because the server is too busy reconnecting the others to send keep alives.

[krzee]

omg you are doing this on a tap bridge too!?!?
i hope your ebtables rules are blocking broadcasts... since a broadcast domain of that size would create a ton of broadcast radiation, or even a broadcast storm

[swautier]

> i hope your ebtables rules are blocking broadcasts

Yes we do

FWIW, We have it working now. You're right that horse power was not the bottleneck.
As I speak, we have 4 instances, 2 of which are nicely loaded:
- TCP 443 : 253 clients (this one works like a charm)
- UDP 1194 : 1090 clients

I had to increase bcast-buffers to 4096 (max-clients is pushed at 2000).
Also we tweaked a couple of kernel params. Not sure it makes a huge difference though.

Oddly enough, we observe lots of ECONNREFUSED messages coming straight from the UDP recvfrom() call. But (also: oddly enough) they don't seem to affect the good working of the setup.

[enjoyjoy]

====Also we tweaked a couple of kernel params====

What are these params, we have a similar problem and have no ideas of how to resolve it

[Filblade]

Hello

I've installed an OpenVPN server on a dell computer, I'd like to know how many simultaneous client connections it can have ?

The CPU is an i3, 2 GB of RAM and with a low activity of the clients.

How can I know his limitations ?