Hi Jason,

On 12/08/15 04:12, Jason Haar wrote:
> Hi there
>
> There have been a few occasions where some valid Windows client would
> continually hit our openvpn server, but something goes wrong on the
> client end and it immediately retries: around once every 5 seconds. No
> idea what the root cause is (besides "it's Windows" ;-), but it's the
> impact on the server that this email is about.
>
> We use the script options on "--up", etc. - so what happens is there is a
> flood of scripts being run against this "client-that-is-broken" and
> basically the load average goes through the roof (i.e. due to the scripts
> more than openvpn itself) and the entire server starts to stagger -
> which would affect all the nicely connected clients. To reiterate, this
> means the client gets a tunnel up and running, but then immediately gets
> another tunnel up and running (the first one still going, calling "--up"
> scripts, and yet that client session is dead, waiting for the server to
> time it out).
>
> Not much to go on I know, but could there be some way for openvpn server
> to keep track of something like "timestamp:externalIP:cert" and
> basically start ignoring new sessions if it sees more than one every XX
> seconds? That would reduce the damage such events cause (note I don't
> include ports in my suggestion because an openvpn server may have
> multiple ports available to all clients - so they're not unique).

Interesting question :) Two things come to mind:

1) Have you tried using iptables rules? Even for UDP based setups you can use stuff like
(the chain, protocol and port are assumed here; adjust them to your listener)

    iptables -A INPUT -p tcp --dport 1194 -m state --state NEW -m recent --name vpncheck --set
    iptables -A INPUT -p tcp --dport 1194 -m state --state NEW -m recent --name vpncheck --rcheck --seconds 30 --hitcount 4 -j LOG --log-prefix "VPN REJECT: "
    iptables -A INPUT -p tcp --dport 1194 -m state --state NEW -m recent --name vpncheck --rcheck --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset

(for TCP this certainly works) - the --rcheck flag will keep track of the incoming client IP.

2) Use a --tls-verify script in something like bash to write out the incoming connection details, e.g.

    # only check the client cert, not a CA or sub-CA
    if [ "$1" -ne "0" ]
    then
        exit 0
    fi
    now=`date "+%s"`
    echo $now >> ${X509_0_CN}:${untrusted_ip}.clog

In the same script, use a

    tail -4 ${X509_0_CN}:${untrusted_ip}.clog | head -n 1 | cut -d: -f1

construct to get the date (in seconds) from 4 attempts ago - subtract the two dates and if the difference is less than X seconds then return 1 to indicate a failed verification. Such a script should be fairly quick and should not consume too many CPU resources... I'd only resort to this if iptables is not able to handle it, though.

HTH,

JJK

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
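The --tls-verify rate limiter sketched in option 2, written out as a complete script. This is an added example and not JJK's or the OpenVPN project's code: it keeps one timestamp file per "CN:source-IP" pair, prunes entries older than the window on every call so the files stay small, and fails verification once a client exceeds the allowed number of handshakes inside the window. The OpenVPN-provided pieces are real (the script is invoked with the certificate depth as $1 and the subject as $2, and X509_0_CN and untrusted_ip are in the environment); the log directory, the 60-second window, the limit of 3 and the logger tag are assumptions chosen for the example. The sample timestamps in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): per-client handshake rate limit
# for openvpn --tls-verify. Install with e.g.
#   tls-verify /etc/openvpn/tls-rate-limit.sh
#   script-security 2
# Assumed defaults; override via the environment or edit in place.
VPN_RL_DIR="${VPN_RL_DIR:-/var/run/openvpn-ratelimit}"   # assumed location
VPN_RL_WINDOW="${VPN_RL_WINDOW:-60}"                     # seconds (assumed)
VPN_RL_MAX="${VPN_RL_MAX:-3}"                            # handshakes per window (assumed)

# vpn_rl_check DIR KEY NOW WINDOW MAX
# Records NOW for KEY, drops timestamps older than WINDOW seconds, and returns
# 0 if KEY has made at most MAX handshakes in the window (this one included),
# 1 otherwise. KEY is sanitised so a crafted CN cannot escape DIR.
vpn_rl_check() {
    dir=$1; now=$3; window=$4; max=$5
    key=$(printf '%s' "$2" | tr -c 'A-Za-z0-9._:-' '_')
    [ -n "$key" ] || key=unknown
    file="$dir/$key.clog"
    cutoff=$((now - window))
    mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"
    # Keep only timestamps still inside the window, then append this attempt.
    { awk -v cutoff="$cutoff" '$1 > cutoff' "$file"; echo "$now"; } > "$file.new" \
        && mv "$file.new" "$file"
    count=$(awk 'END { print NR }' "$file")
    [ "$count" -le "$max" ]
}

# Entry point as called by openvpn: $1 = cert depth, $2 = X.509 subject.
vpn_rl_main() {
    # Only the leaf (client) certificate is counted, not the CA chain.
    [ "$1" -eq 0 ] || return 0
    key="${X509_0_CN:-unknown}:${untrusted_ip:-unknown}"
    if vpn_rl_check "$VPN_RL_DIR" "$key" "$(date +%s)" "$VPN_RL_WINDOW" "$VPN_RL_MAX"; then
        return 0
    fi
    logger -t openvpn-ratelimit \
        "rejecting $key: more than $VPN_RL_MAX handshakes in ${VPN_RL_WINDOW}s" 2>/dev/null || :
    return 1   # non-zero => openvpn treats the cert as failed verification
}

# Run only when invoked with arguments (i.e. by openvpn); sourcing is a no-op.
if [ $# -ge 1 ]; then
    vpn_rl_main "$@"
fi
```

Two caveats a deployment should keep in mind: the prune-and-rewrite is not locked, so two handshakes from the same client in the same instant can race (wrap the file update in flock(1) on Linux if that matters), and a rejected handshake still costs the server one TLS negotiation, which is why JJK's advice to let iptables drop the floods before they reach openvpn remains the cheaper first line.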