[Solved] OpenVPN soft reset under heavy load
Posted: Mon Jan 30, 2017 6:47 pm
Params:
Server: OpenVPN x86_64 2.3.14-1.el7 from epel repository
Server: CentOS Linux release 7.3.1611, 1 CPU @ 2.6 Ghz, 2048 RAM
Client1: OpenVPN 2.3.14 with GUI under Windows XP
Client2: OpenVPN 2.4.0 with GUI under Windows 7
What happens:
Regular network usage for surfing, youtube watching, ping -t'ing and so on works flawless. On both TCP and UDP protocols only occasional packet losses (poor server) and no disconnects. When I try to stress test bandwidth, OpenVPN client drops the connection and requests authentication. It happens on any stress test - uTorrent, FlashGet or IPERF between two openvpn clients in less than a minute of testing.
What have I tried:
Authentication with FreeRADIUS works fine. The issue appears only when I create around 10 Mbit/s of bandwidth.
Here're the logs: Could it be the issue of server performance? However, server isn't loaded more than on 20% of CPU (by htop data).
Any help would be extremely appreciated. Or even the direction of possible issue source or advice how to narrow the field to search in.
Server: OpenVPN x86_64 2.3.14-1.el7 from epel repository
Server: CentOS Linux release 7.3.1611, 1 CPU @ 2.6 Ghz, 2048 RAM
Client1: OpenVPN 2.3.14 with GUI under Windows XP
Client2: OpenVPN 2.4.0 with GUI under Windows 7
What happens:
Regular network usage for surfing, youtube watching, ping -t'ing and so on works flawless. On both TCP and UDP protocols only occasional packet losses (poor server) and no disconnects. When I try to stress test bandwidth, OpenVPN client drops the connection and requests authentication. It happens on any stress test - uTorrent, FlashGet or IPERF between two openvpn clients in less than a minute of testing.
What have I tried:
- Switched betweed UDP and TCP protocols
- Tried setting ping-restart 0
- Different keepalive values
- Different tls-timeout values
- comp-lzo on and off
- increasing verbosity to 5
- looking into wireshark
SERVER
port 1194
proto udp
dev tun
topology subnet
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn01.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys/crl.pem
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 0
cipher BF-CBC
client-config-dir /etc/openvpn/ccd
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
ping 10
ping-restart 0
reneg-sec 0
max-clients 100
push "persist-key"
push "ping 10"
push "ping-restart 0"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /var/log/openvpn/openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/openvpn-server.log
verb 4
proto udp
dev tun
topology subnet
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn01.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys/crl.pem
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 0
cipher BF-CBC
client-config-dir /etc/openvpn/ccd
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
ping 10
ping-restart 0
reneg-sec 0
max-clients 100
push "persist-key"
push "ping 10"
push "ping-restart 0"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /var/log/openvpn/openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/openvpn-server.log
verb 4
CLIENT
client
proto udp
dev tun
remote 11.22.33.44 1194
tls-client
ca "key/ca.crt"
cert "key/developer1.crt"
key "key/client.key"
tls-auth "key/ta.key" 1
tls-client
cipher BF-CBC
resolv-retry infinite
reneg-sec 0
verb 4
auth-user-pass
auth-nocache
ip-win32 netsh
route-method exe
route-delay 5
proto udp
dev tun
remote 11.22.33.44 1194
tls-client
ca "key/ca.crt"
cert "key/developer1.crt"
key "key/client.key"
tls-auth "key/ta.key" 1
tls-client
cipher BF-CBC
resolv-retry infinite
reneg-sec 0
verb 4
auth-user-pass
auth-nocache
ip-win32 netsh
route-method exe
route-delay 5
Here're the logs: Could it be the issue of server performance? However, server isn't loaded more than on 20% of CPU (by htop data).
Any help would be extremely appreciated. Or even the direction of possible issue source or advice how to narrow the field to search in.
