Opened 2 years ago

Last modified 7 weeks ago

#1010 new Bug / Defect

p2p, tls-client/tls-server, connect-retry not playing nicely

Reported by: Gert Döring Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: selvanair

Description

we've sabotaged p2p with tls-client/tls-server in interesting ways in 2.4

--connect-retry has an exponentially growing delay nowadays, leading to up-to-300s "dead time" on the tls-server(!) side -- so when the network gets disrupted for a longer time, and ping-restart is in use, it can happen that the tls-server is just "not listening" to incoming client packets when the client tries, and when the server is ready to listen, the client is in connect-retry sleep...

workaround: --connect-retry 1 1 on the --tls-server side

Better fix: default to "no increase in delay" (as a default) on --tls-server

Change History (4)

comment:1 Changed 2 years ago by Gert Döring

mmmh, looking at the commit

commit 5d429efd9720109b9c9f1265f5d351a75a401942
Author: Selva Nair <selva.nair@…>
Date: Tue Jul 5 11:32:50 2016 -0400

Exponentially back off on repeated connect retries

message, I see

  • Apply backoff only in the udp and tcp-client modes. Backing off on tcp-server could be exploited by a client in p2p-mode to maliciously slow it down (thanks to Arne Schwabe for pointing this out).

so Arne noticed a variant of this already :-) - unfortunately, the combination of "udp, tls-server, no remote [= passive listening] and ping-restart" also triggers this.

comment:2 Changed 2 years ago by selvanair

So the offending case is (topology == TOP_P2P && !options.ce.remote).

Shall we make the backoff conditional on (options.ce.remote != NULL) as that will be false for the listening side (server or p2p) ?

comment:3 Changed 2 years ago by Barbarossa

Hi,

As requested by Gert here an excerpt from our main OpenVPN logs showing the timing problems :-)

Jan  4 06:37:42 cr03 ovpn-cr03_bbr-wagsh[499]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  4 06:37:42 cr03 ovpn-cr03_bbr-wagsh[499]: Preserving previous TUN/TAP instance: ovpn-bbr-wagsh
Jan  4 06:37:42 cr03 ovpn-cr03_bbr-wagsh[499]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jan  4 06:37:42 cr03 ovpn-cr03_bbr-wagsh[499]: Using bind-dev vrf_external
Jan  4 06:37:42 cr03 ovpn-cr03_bbr-wagsh[499]: UDPv4 link local (bound): [AF_INET]a.b.c.d:54010
Jan  4 06:37:42 cr03 ovpn-cr03_bbr-wagsh[499]: UDPv4 link remote: [AF_UNSPEC]
Jan  4 06:38:12 cr03 ovpn-cr03_bbr-wagsh[499]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jan  4 06:38:12 cr03 ovpn-cr03_bbr-wagsh[499]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  4 06:40:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan  4 06:40:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  4 06:40:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: Preserving previous TUN/TAP instance: ovpn-cr03
Jan  4 06:40:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:54010
Jan  4 06:40:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: UDP link local: (not bound)
Jan  4 06:40:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: UDP link remote: [AF_INET]a.b.c.d:54010
Jan  4 06:40:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jan  4 06:40:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  4 06:43:12 cr03 ovpn-cr03_bbr-wagsh[499]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  4 06:43:12 cr03 ovpn-cr03_bbr-wagsh[499]: Preserving previous TUN/TAP instance: ovpn-bbr-wagsh
Jan  4 06:43:12 cr03 ovpn-cr03_bbr-wagsh[499]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jan  4 06:43:12 cr03 ovpn-cr03_bbr-wagsh[499]: Using bind-dev vrf_external
Jan  4 06:43:12 cr03 ovpn-cr03_bbr-wagsh[499]: UDPv4 link local (bound): [AF_INET]a.b.c.d:54010
Jan  4 06:43:12 cr03 ovpn-cr03_bbr-wagsh[499]: UDPv4 link remote: [AF_UNSPEC]
Jan  4 06:43:42 cr03 ovpn-cr03_bbr-wagsh[499]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jan  4 06:43:42 cr03 ovpn-cr03_bbr-wagsh[499]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  4 06:45:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan  4 06:45:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  4 06:45:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: Preserving previous TUN/TAP instance: ovpn-cr03
Jan  4 06:45:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: TCP/UDP: Preserving recently used remote address: [AF_INET]a.b.c.d:54010
Jan  4 06:45:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: UDP link local: (not bound)
Jan  4 06:45:42 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: UDP link remote: [AF_INET]185.46.137.162:54010
Jan  4 06:46:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jan  4 06:46:12 bbr-wagsh ovpn-cr03_bbr-wagsh[15381]: SIGUSR1[soft,ping-restart] received, process restarting

Server configuration:

local   a.b.c.d
port    54010

tls-server
bind-dev	vrf_external

proto   udp

dev-type tap
dev ovpn-bbr-wagsh

ca      /etc/ssl/certs/ffho-cacert.pem
cert    /etc/ssl/certs/cr03....cert.pem
key     /etc/ssl/private/cr03....key.pem
dh      /etc/openvpn/dh1024.pem

script-security 2
up      /etc/openvpn/ifup
down    /etc/openvpn/ifdown

keepalive 10 30

comp-lzo

persist-key
persist-tun

status /var/log/openvpn/openvpn-status-cr03_bbr-wagsh.log

verb 1

Client configuration:

remote	a.b.c.d 54010

tls-client
nobind
bind-dev	vrf_external

proto   udp

dev-type tap
dev ovpn-cr03

ca      /etc/ssl/certs/ffho-cacert.pem
cert    /etc/ssl/certs/bbr-wagsh....cert.pem
key     /etc/ssl/private/bbr-wagsh....key.pem
dh      /etc/openvpn/dh1024.pem

script-security 2
up      /etc/openvpn/ifup
down    /etc/openvpn/ifdown

keepalive 10 30

comp-lzo

persist-key
persist-tun

status /var/log/openvpn/openvpn-status-cr03_bbr-wagsh.log

verb 1

The bad thing is, that it's hard to trigger this problem. It seems that it takes a while to reach this state. :-)

Best
Max
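The lock-step in Max's log, as an added model (not OpenVPN code and not part of the ticket): it parses the start/restart timestamps from a constructed copy of the excerpt above, derives each peer's 30-second active window (keepalive 10 30 on both sides), and shows the windows never coincide while both peers sleep 300 s between attempts, whereas the `--connect-retry 1 1` workaround from the description gives an overlap on the client's very next attempt. The 5-second case in the test assumes the pre-backoff retry delay.

```python
"""Model of the connect-retry / ping-restart lock-step from ticket #1010 (added
example, not OpenVPN code). A peer is "active" from its "link remote" start line
until "Inactivity timeout (--ping-restart)" (30 s here), then sleeps for the
--connect-retry delay (300 s once the 2.4 backoff has hit its cap, as the
5-minute gaps in the log show). Packets only get through while both are active."""
import re

# Constructed excerpt: start/restart lines carrying the timestamps from the ticket.
LOG = """\
Jan  4 06:37:42 cr03 ovpn[499]: UDPv4 link remote: [AF_UNSPEC]
Jan  4 06:38:12 cr03 ovpn[499]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  4 06:40:12 bbr-wagsh ovpn[15381]: UDP link remote: [AF_INET]a.b.c.d:54010
Jan  4 06:40:42 bbr-wagsh ovpn[15381]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  4 06:43:12 cr03 ovpn[499]: UDPv4 link remote: [AF_UNSPEC]
Jan  4 06:43:42 cr03 ovpn[499]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  4 06:45:42 bbr-wagsh ovpn[15381]: UDP link remote: [AF_INET]a.b.c.d:54010
Jan  4 06:46:12 bbr-wagsh ovpn[15381]: SIGUSR1[soft,ping-restart] received, process restarting
"""
LINE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) (\S+) \S+: (.*)$")

def active_windows(log):
    """Per host, (up, restart) pairs in seconds relative to the first log line."""
    windows, up_since, t0 = {}, {}, None
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])   # all lines are same day
        t0 = t if t0 is None else t0
        host, msg = m[4], m[5]
        if "link remote" in msg:                            # link (re)established
            up_since[host] = t - t0
        elif "ping-restart" in msg and host in up_since:    # SIGUSR1 restart
            windows.setdefault(host, []).append((up_since.pop(host), t - t0))
    return windows

def first_overlap(wa, wb):
    """First interval during which both peers are active, or None if never."""
    for a0, a1 in wa:
        for b0, b1 in wb:
            if max(a0, b0) < min(a1, b1):
                return (max(a0, b0), min(a1, b1))
    return None

def schedule(first_up, sleep, active=30, horizon=3600):
    """Windows of a peer that stays up `active` s, then sleeps `sleep` s, repeated."""
    t, out = first_up, []
    while t < horizon:
        out.append((t, t + active))
        t += active + sleep
    return out
```

`first_overlap(schedule(0, 300), schedule(150, 300))` reproduces the log (no overlap within an hour); `schedule(0, 1)` on the server side is the workaround.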

comment:4 Changed 16 months ago by marthasimons

Spam

Last edited 7 weeks ago by Eric Crist