Hi Jason,
On 12/08/15 04:12, Jason Haar wrote:
> Hi there
>
> There have been a few occasions where some valid Windows client would
> continually hit our openvpn server, but something goes wrong on the
> client end and it immediately retries: around once every 5 seconds. No
> idea what the root cause is (besides "it's Windows" ;-), but it's the
> impact on the server that this email is about
>
> We use the script options on "--up",etc - so what happens is there is a
> flood of scripts being run against this "client-that-is-broken" and
> basically the load average goes through the roof (ie due to the scripts
> more than openvpn itself) and the entire server starts to stagger -
> which would affect all the nicely connected clients. To reiterate, this
> means the client gets a tunnel up and running, but then immediately gets
> another tunnel up and running (the first one still going, calling "--up"
> scripts and yet that client session is dead, waiting for the server to
> time it out)
>
> Not much to go on I know, but could there be some way for openvpn server
> to keep track of something like "timestamp:externalIP:cert" and
> basically start ignoring new sessions if it sees more than one every XX
> seconds? That would reduce the damage such events cause (note I don't
> include ports in my suggestion because an openvpn server may have
> multiple ports available to all clients - so they're not unique)
>
>
interesting question :)
two things come to mind:
1) have you tried using iptables rules ? even for UDP based setups you
can use stuff like
--state NEW --name vpncheck --set
--state NEW --name vpncheck --rcheck --seconds 30 --hitcount 4 -j LOG
--log-prefix "VPN REJECT: "
--state NEW --name vpncheck --rcheck --seconds 30 --hitcount 4 -j REJECT
--reject-with tcp-reset
(for TCP this certainly works) - the --rcheck flag will keep track of
the incoming client IP
2) use a --tls-verify script in something like bash to write out the
incoming connection details, e.g.
# only check the client cert, not a CA or sub-CA
if [ "$1" -ne "0" ]
then
exit 0
fi
now=`date "+%s`
echo $now >> ${X509_0_CN}:${untrusted_ip}.clog
in the same script, use a
tail -4 ${X509_0_CN}:${untrusted_ip}.clog | head +1 | cut -d: -f1
construct to get the date (in seconds) from 4 attempts ago - substract
the current two dates and if it's less than X seconds then return 1 to
indicate a failed verification.
Such a script should be fairly quick and should not consume too many CPU
resources...
I'd only resort to this if iptables is not able to handle it, though.
HTH,
JJK
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
