Opened 9 years ago
Last modified 21 months ago
#585 new Bug / Defect
Authentication should be processed in parallel to avoid traffic disruption
| Reported by: | sthibault | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | plug-ins / plug-in API | Version: | OpenVPN 2.2.1 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
The whole story is discussed on openvpn-devel (https://sourceforge.net/p/openvpn/mailman/message/34333737/). Basically, what happened is that due to one radius server being offline for maintenance, the radius authentication plugin waits for a timeout before trying the other server and succeeds. In the meanwhile the openvpn traffic is stalled.
So I'm suggesting that authentication plugin calls should be done somehow in parallel with traffic processing, e.g. by doing it in a thread, just like SSL negotiation is apparently done in a separate thread. That way traffic processing won't be delayed by authentication timeouts.
Change History (6)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
Mmm, it seems the openvpn-auth-radius plugin defaults to not using acf....
comment:3 Changed 9 years ago by
And it's buggy, making the main loop synchronize with authentication. Anyway, really not a bug in openvpn.
comment:4 Changed 9 years ago by
I'd like to introduce my radiusplugin fork which contains several patches:
- IPv6 Accounting fix by Comic Chang
- iroute netmask computation fix by Samuel Thibault
- IPv6 support patches by Samuel Thibault
- Accounting and memory leak related patches by Dmytro Vasylenko
- Accounting fixes by Yafeng Shan
- Asynchronous client-connect and instant client-disconnect by me
With the latest patch, radiusplugin won't stall OpenVPN's main thread when clients are connecting or disconnecting.
https://github.com/ValdikSS/openvpn-radiusplugin
Asynchronous client-connect requires an additional OpenVPN patch by Fabian Knittel which you can get here
https://github.com/fknittel/openvpn/tree/feat_deferred_client-connect
Or you can grab the latest stable OpenVPN with this and other patches in my repository
https://github.com/ValdikSS/openvpn-with-patches
comment:5 follow-up: 6 Changed 21 months ago by
Asynchronous --client-connect is part of OpenVPN proper since 2.5.0 - so this extra patch is (finally) no longer needed.
@valdikss, what is the status of radiusplugin? Do you still maintain it?
comment:6 Changed 21 months ago by
Replying to Gert Döring:
@valdikss, what is the status of radiusplugin? Do you still maintain it?
No, I do not. It's flawed in multiple places in different ways. I ended up rewriting a subset of radius which I use in my services in only a full single day in the form of a python module + C plugin shim, and it works better than radiusplugin.
The mailing list suggests that this is already implemented for OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, which openvpn-auth-radius does use. It has to return OPENVPN_PLUGIN_FUNC_DEFERRED to enable it, the source does seem to be using it, and I see openvpn create acf files, but it seems the plugin still ends up in the non-deferred case. I'll have a closer look.
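The deferred path the comment above describes, as an added example that is not code from the ticket, radiusplugin or OpenVPN: the AUTH_USER_PASS_VERIFY handler forks the slow backend check, returns OPENVPN_PLUGIN_FUNC_DEFERRED at once, and the child writes "1" or "0" to the file named by the auth_control_file environment variable, so a RADIUS timeout never stalls the main loop. The return-code constants are redefined here so the file builds without openvpn-plugin.h; demo_verify, its sleep() and the credentials it accepts are constructed stand-ins for the real RADIUS exchange.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Return codes as in openvpn-plugin.h, redefined so this builds stand-alone. */
#define OPENVPN_PLUGIN_FUNC_ERROR    1
#define OPENVPN_PLUGIN_FUNC_DEFERRED 2
/* Look up "name=value" in the NULL-terminated envp array OpenVPN passes. */
static const char *get_env(const char *name, const char *envp[])
{
    size_t n = strlen(name);
    for (int i = 0; envp && envp[i]; i++)
        if (!strncmp(envp[i], name, n) && envp[i][n] == '=') return envp[i] + n + 1;
    return NULL;
}
/* Write the verdict OpenVPN polls for: "1" accept, "0" reject. */
static int write_acf(const char *path, int ok)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int w = (int)write(fd, ok ? "1" : "0", 1); close(fd);
    return w == 1 ? 0 : -1;
}
/* Constructed stand-in for the RADIUS round trip; sleep() models the server timeout. */
static int demo_verify(const char *user, const char *pass)
{
    sleep(1);
    return !strcmp(user, "alice") && !strcmp(pass, "correct horse");
}
/* AUTH_USER_PASS_VERIFY handler body: fork the slow check and return at once.
 * The caller must reap *child later (e.g. on CLIENT_DISCONNECT) to avoid zombies. */
int deferred_auth_start(const char *envp[], pid_t *child)
{
    const char *acf  = get_env("auth_control_file", envp);
    const char *user = get_env("username", envp);
    const char *pass = get_env("password", envp);
    if (!acf || !user || !pass) return OPENVPN_PLUGIN_FUNC_ERROR;
    pid_t pid = fork();
    if (pid < 0) return OPENVPN_PLUGIN_FUNC_ERROR;
    if (pid == 0)                                   /* child: may block */
        _exit(write_acf(acf, demo_verify(user, pass)) == 0 ? 0 : 1);
    *child = pid;
    return OPENVPN_PLUGIN_FUNC_DEFERRED;            /* parent: main loop goes on */
}
/* Read the verdict back: 1 accept, 0 reject, -1 not written yet. */
int read_acf(const char *path)
{
    char c = 0; int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int r = (int)read(fd, &c, 1); close(fd);
    return r == 1 ? (c == '1') : -1;
}
```

Without auth_control_file in the environment OpenVPN is not offering deferral, which is the situation the comment describes as landing in the non-deferred case; the handler then returns ERROR rather than blocking.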