Hi,

On 08/01/21 12:37, Gert Doering wrote:
> Hi,
> 
> On Fri, Jan 08, 2021 at 11:33:38AM +0100, Ralf Hildebrandt wrote:
> > We have a flock of openvpn Servers. We're using DNS round robin
> > (openvpn.charite.de).
> > 
> > Currently, we have
> > 421 clients on machine 0
> > 465 clients on machine 1
> > 598 clients on machine 2
> > 246 clients on machine 3
> > 
> > How can I change my auth-user-pass-verify / client-connect or
> > learn-address scripts to prevent MORE clients on machine 2?
> > 
> > I could return AUTH_FAILED, but that would irritate the users, since
> > their clients would ask for a (new) password.
> 
> I actually do not have an answer to your question (not sure there is
> anything else to return today, *but* I do not understand that code
> part very well).
> 
> I do know that explicit-exit-notify is signalled with an extra parameter
> that tells the client "reconnect" or "go to the next server"
> ("RESTART,[N]" vs. "RESTART").
> 
> So, depending on your authentication, it might be an idea to "let them
> in", and then disconnect them right away (via management interface)
> with a "client-kill cid RESTART,[N]" message.

I'd take a different approach: if you "let them in" and then send a restart, the user will still be queried for the password again (if caching is disabled).

> For clients using 2FA auth, this will be very annoying (= won't work),
> unless you also have --auth-gen-token + secret active.  For clients using
> (cached) auth+pass or cert-only, this might work out nicely.
> 
> But, you need to talk to the management interface.
> 
> 
> (Maybe I'm all wrong and there is a way to send RESTART from plugin
> or scripts, and I just don't know it yet)
just browsed the source code and I cannot find a way to send a RESTART...

My approach would be to reject new clients *BEFORE* the client has a chance to authenticate using username+password. I'd add a tls-verify script (which is the first one to get called when a client connects), then look at the load and simply kick out the client. This will cause the client to stall, but eventually it will try a reconnect (depending on how things are configured) and (hopefully) the second time it will choose a different server. And as no (authenticated) connection has been established during a tls-verify script/plugin, there is also no method to send a signal to the client...

This way, you may be able to avoid having to type in a password more than once but the connection startup time will get VERY lengthy in UDP mode, as the client has to wait for a certain timeout before trying again/the next server.


HTH,

JJK
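The tls-verify approach described above, as an added example that is not part of the original thread and is not OpenVPN project code: a POSIX shell hook that counts the sessions in this server's own --status file (status-version 2, where every session is one CLIENT_LIST line) and rejects the TLS handshake once a limit is reached, so the client never gets as far as the username/password exchange. OpenVPN itself supplies the two arguments (certificate depth and X.509 subject) and treats a non-zero exit as a rejection; the status file path, the client limit, the OPENVPN_STATUS_FILE / OPENVPN_MAX_CLIENTS override variables, the script path and the sample status lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Hypothetical --tls-verify hook for shedding load on one server of a
# DNS round-robin pool (constructed example, not from the thread).
#
# OpenVPN invokes it as:  tls-verify <depth> <x509-subject>
# and a non-zero exit rejects the handshake before any auth-user-pass
# exchange takes place.  Assumed server configuration:
#   status /var/run/openvpn/status.log 10
#   status-version 2
#   script-security 2
#   tls-verify /etc/openvpn/tls-verify-load.sh
set -u

# Defaults and environment overrides (names are assumptions for this example).
STATUS_FILE="${OPENVPN_STATUS_FILE:-/var/run/openvpn/status.log}"
MAX_CLIENTS="${OPENVPN_MAX_CLIENTS:-500}"

# Count connected sessions: in a status-version 2 file each session is
# one line beginning "CLIENT_LIST,".  An unreadable or missing file
# counts as zero so a stale status path fails open rather than locking
# everyone out.  grep -c prints 0 (exit 1) when nothing matches, hence
# the "|| true".
count_clients() {
    file="$1"
    [ -r "$file" ] || { echo 0; return; }
    grep -c '^CLIENT_LIST,' "$file" || true
}

# Accept (exit 0) while the current count is below the limit, else reject.
should_accept() {
    current="$1"
    limit="$2"
    [ "$current" -lt "$limit" ]
}

# OpenVPN calls --tls-verify once per certificate in the chain, with the
# depth counting down to 0 for the client's leaf certificate.  Only make
# the load decision at depth 0, so it is taken exactly once per handshake.
tls_verify_hook() {
    depth="$1"
    subject="$2"
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    current=$(count_clients "$STATUS_FILE")
    if should_accept "$current" "$MAX_CLIENTS"; then
        return 0
    fi
    # Log the shed so the operator can see how often clients bounce away.
    echo "load-shed: rejecting $subject ($current/$MAX_CLIENTS sessions)" >&2
    return 1
}

# When OpenVPN runs this file as the --tls-verify command it passes exactly
# two arguments; run the hook then and exit with its verdict.
if [ "$#" -eq 2 ]; then
    tls_verify_hook "$1" "$2"
    exit $?
fi
```

The count is taken from this server's own status file, so each machine in the pool sheds its own excess independently; the file is rewritten only every N seconds (10 in the assumed config), so the count lags a little and the limit should leave some headroom. As noted above, the rejected client sees a failed handshake, waits out its timeout, and only then retries, at which point DNS round robin may hand it a different server.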



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
