out of cpu power: how to retard concurrent connections?

cmatte
OpenVpn Newbie
Posts: 15
Joined: Wed Feb 02, 2011 7:03 pm

Post by cmatte » Tue Feb 15, 2011 9:25 pm

Hi,
I'd like to use a tiny router that acts as an OpenVPN server. It has very low CPU power (200 MHz), so it has plenty of problems handshaking the initial TLS connection with multiple clients with big keys. So I get many connection attempts that fail on the server with:

Tue Feb 15 21:43:14 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Tue Feb 15 21:43:14 2011 ip:port TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 15 21:43:14 2011 ip:port TLS Error: TLS handshake failed
Tue Feb 15 21:43:14 2011 ip:port SIGUSR1[soft,tls-error] received, client-instance restarting
and so on. It always gets as far as checking the certs OK, but doesn't establish the connection, giving that error after 10-20 s.
On the client I get:

Tue Feb 15 21:48:19 2011 UDPv4 link local: [undef]
Tue Feb 15 21:48:19 2011 UDPv4 link remote: ip:port
Tue Feb 15 21:49:19 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 15 21:49:19 2011 TLS Error: TLS handshake failed
Tue Feb 15 21:49:19 2011 SIGUSR1[soft,tls-error] received, process restarting
So, this way the system is unusable. I have now been waiting for 40 minutes and 3 clients can't connect, the same error over and over and over again. The CPU load of the machine stays between 70 and 100% all the time.
Is there some hint to work around this? Setting a longer TLS timeout? Imposing that only one client can establish a connection at a time? I mean, not having a single client all the time, but letting only one do the initial TLS handshake at a time. This function would cure all my matters, because if I stop the OpenVPN client on one of the 3 clients and start it later, it then works as it should, and they can communicate and satisfy all my bandwidth needs. Is the UDP timeout on the router important? It's 120 s now, is that OK?

Thanks.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: out of cpu power: how to retard cuncurrent connections?

Post by janjust » Tue Feb 15, 2011 10:00 pm

In theory, it should be possible to add a script which allows only a single client to connect at a time, but I am not sure if it will be worth the hassle (read up on 'client-connect' if you dare to take this route).

Are you certain it's the TLS handshake that is causing problems? Check the firewall rules also.

What key sizes are you using? Using 4096-bit keys for the client/server cert is not really necessary - 1024-bit RSA has not even been cracked yet.

Finally, you can set a longer timeout period for the TLS handshake on both client and server by adding
hand-window 120
to both client and server configs.
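As an added example (not from the thread or from the OpenVPN project), a small Python triage script over server log lines of the shape quoted above: it separates the peerless ECONNREFUSED reads (the firewall/connectivity question) from peers that hit the TLS negotiation timeout, records the timeout window OpenVPN reported (the hand-window in force), and reports how many peers timed out, which is the symptom of concurrent handshakes on a slow CPU. The sample log is constructed; 192.0.2.x are documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Line shape of the OpenVPN 2.x server log quoted in the thread:
#   "<Day> <Mon> <dd> HH:MM:SS <yyyy> [<ip>:<port> ]<message>"
TS_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} (?P<rest>.*)$")
PEER_RE = re.compile(r"^(?P<peer>[\w.\[\]-]+:\d+) (?P<msg>.*)$")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (?P<secs>\d+) seconds")

def triage(log_text):
    """Count handshake events per peer; also return the timeout window seen, the number
    of peerless ECONNREFUSED reads (a network symptom) and the peers that timed out."""
    peers, refused, window = defaultdict(Counter), 0, None
    for raw in log_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue                                  # not an OpenVPN log line
        pm = PEER_RE.match(m.group("rest"))
        peer, msg = (pm.group("peer"), pm.group("msg")) if pm else ("(no peer)", m.group("rest"))
        if "ECONNREFUSED" in msg:
            refused += 1                              # socket-level refusal, not a TLS failure
        elif (tm := TIMEOUT_RE.search(msg)):
            window = int(tm.group("secs"))            # the hand-window in force
            peers[peer]["negotiation_timeout"] += 1
        elif "TLS handshake failed" in msg:
            peers[peer]["handshake_failed"] += 1
    timing_out = sorted(p for p, c in peers.items() if c["negotiation_timeout"])
    return {"peers": {p: dict(c) for p, c in peers.items()}, "refused": refused,
            "window": window, "timing_out": timing_out}

def verdict(summary):
    # Map the counts onto the two causes discussed in the thread.
    n = len(summary["timing_out"])
    if n == 0:
        return "firewall/routing" if summary["refused"] else "no handshake failures"
    if n == 1:
        return "single peer timed out: check that client's connectivity first"
    return (f"{n} peers timed out inside the {summary['window']}s window: concurrent "
            "handshakes exceed the server's CPU budget; raise hand-window on both sides")

# Constructed sample in the thread's log format (192.0.2.x are documentation addresses).
SAMPLE_LOG = """\
Tue Feb 15 21:43:14 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Tue Feb 15 21:43:14 2011 192.0.2.10:49152 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 15 21:43:14 2011 192.0.2.10:49152 TLS Error: TLS handshake failed
Tue Feb 15 21:43:20 2011 192.0.2.11:49153 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 15 21:43:20 2011 192.0.2.11:49153 TLS Error: TLS handshake failed
"""
```

Run `verdict(triage(SAMPLE_LOG))` on the real server log instead of the sample to see whether the failures are refusals or timeouts before touching hand-window.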

cmatte
OpenVpn Newbie
Posts: 15
Joined: Wed Feb 02, 2011 7:03 pm

Re: out of cpu power: how to retard cuncurrent connections?

Post by cmatte » Tue Feb 15, 2011 10:27 pm

janjust wrote: Finally, you can set a longer timeout period for the TLS handshake on both client and server by adding
hand-window 120
to both client and server configs.
I LOVE this forum because of prepared, precise and technical persons like you!
This is a great workaround. I did the same try as before with the 3 clients concurrently connecting, and after 70-80 seconds max from the first initialization every connection is fully initiated and established. No more errors. I've put in a higher value to be sure, so I'll have no more worries in the future. Thanks a lot mate ;)
