Opened 9 years ago

Last modified 21 months ago

#585 new Bug / Defect

Authentication should be processed in parallel to avoid trafic disruption

Reported by: sthibault Owned by:
Priority: major Milestone:
Component: plug-ins / plug-in API Version: OpenVPN 2.2.1 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

The whole story is discussed on openvpn-devel (https://sourceforge.net/p/openvpn/mailman/message/34333737/). Basically, what happened is that due to one radius server being offline for maintenance, the radius authentication plugin waits for a timeout before trying the the other server and succeed. In the meanwhile the openvpn trafic is stalled.

So I'm suggesting that authentication plugin calls should be done somehow in parallel with trafic processing, e.g. by doing it in a thread, just like ssl negociation is apparently done in a separate thread. That way trafic processing won't be delayed by authentication timeouts.

Change History (6)

comment:1 Changed 9 years ago by sthibault

The mailing list suggests that this is already implemented for OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, which openvpn-auth-radius does use. It has to return OPENVPN_PLUGIN_FUNC_DEFERRED to enable it, the source does seem to be using it, and I see openvpn create acf files, but it seem the plugin still ends up in the non-deferred case. I'll have a closer look.

comment:2 Changed 9 years ago by sthibault

Mmm, it seems the openvpn-auth-radius plugin defaults to not using acf....

comment:3 Changed 9 years ago by sthibault

And it's buggy, making the main loop synchronize with authentication. Anyway, really not a bug in openvpn.

comment:4 Changed 9 years ago by ValdikSS

I'd like to introduce my radiusplugin fork which contain several patches:

  • IPv6 Accounting fix by Comic Chang
  • iroute netmask computation fix by Samuel Thibault
  • IPv6 support patches by Samuel Thibault
  • Accounting and memory leak related patches by Dmytro Vasylenko
  • Accounting fixes by Yafeng Shan
  • Asynchronous client-connect and instant client-disconnect by me

With the latest patch, radiusplugin won't stall OpenVPN's main thread when clients are connecting or disconnecting.

https://github.com/ValdikSS/openvpn-radiusplugin

Asynchronous client-connect requires additional OpenVPN patch by Fabian Knittel which you can get here
https://github.com/fknittel/openvpn/tree/feat_deferred_client-connect

Or you can grab latest stable OpenVPN with this and other patches in my repository
https://github.com/ValdikSS/openvpn-with-patches

comment:5 Changed 21 months ago by Gert Döring

Asynchronous --client-connect is part of OpenVPN proper since 2.5.0 - so this extra patch is (finally) no longer needed.

@valdikss, what is the status of radiusplugin? Do you still maintain it?

comment:6 in reply to:  5 Changed 21 months ago by ValdikSS

Replying to Gert Döring:

@valdikss, what is the status of radiusplugin? Do you still maintain it?

No, I do not. It's flawed in multiple places in a different ways. I ended up rewriting a subset of radius which I use in my services in only a full single day in a form of python module + C plugin shim, and it works better than radiusplugin.

Note: See TracTickets for help on using tickets.