wiki:PingInactivePatch

--ping/--inactive patch testing

When --inactive is used together with --ping, OpenVPN counts its own ping packets as traffic, so if pings are sent more often than the --inactive timeout, the inactivity timer is reset by every ping and never fires, which defeats the purpose of --inactive. This patch changes that behaviour so that internal pings no longer count as traffic.

Links for more information:

http://article.gmane.org/gmane.network.openvpn.devel/3676/

http://article.gmane.org/gmane.network.openvpn.devel/3673/

The actual patch

James suggested testing it more thoroughly, because he suspects that in certain conditions (e.g. with encryption disabled) the patch could prevent pings from being sent at all.

The test suite consists of seven distinct tests, detailed below. Each of the seven tests is run once under each of the following four configurations:

  • With certificates and encryption enabled
  • With static keys and encryption enabled
  • With certificates and encryption disabled
  • With static keys and encryption disabled

Below I describe how to perform each test and supply sample configurations for each of the four scenarios.

Configuration files used for the tests are attached to the page. The names should be self-explanatory. The certificates used are those included with the source distribution in the sample-keys/ directory.

Test 1

  • Use --ping 10 (on client and server) without --inactive, and verify that pings are sent in both directions
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Look for OpenVPN internal pings in the logs

Test 2

  • Use --ping 10 (on client and server) and --inactive 40 (on client only), and verify that pings are sent, yet the connection is closed by the client after 40 seconds of no user traffic
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Wait 40 seconds, client should close the connection
  • Look for OpenVPN internal pings in the logs

Test 3

  • Use --ping 10 (on client and server) and --inactive 40 (on server only), and verify that pings are sent, yet the connection is closed by the server after 40 seconds of no user traffic
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Wait 40 seconds, server should disconnect client
  • Look for OpenVPN internal pings in the logs

Test 4

  • Use --ping 10 (on client and server) and --inactive 40 100 (on client only), and verify that pings are sent, and the connection is closed by the client the first time it detects that 40 seconds have passed with less than 100 bytes of traffic (excluding pings)
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Wait 40 seconds, client should disconnect
  • Look for OpenVPN internal pings in the logs

Test 5

  • Use --ping 10 (on client and server) and --inactive 40 100 (on client only), and verify that pings are sent, and the connection is NOT closed by the client as long as no 40-second window exists in which less than 100 bytes of user traffic are sent
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Before 40 seconds pass, start pinging the server from the client (i.e. using the "ping" command; this is user traffic, not related to OpenVPN's internal pings)
  • Wait 120 seconds, VPN should stay up
  • Stop pinging the server
  • Wait 40 seconds, client should disconnect
  • Look for OpenVPN internal pings in the logs during inactivity (if there is user traffic, OpenVPN internal pings are not sent)

Test 6

  • Use --ping 10 (on client and server) and --inactive 40 100 (on server only), and verify that pings are sent, and the connection is closed by the server the first time it detects that 40 seconds have passed with less than 100 bytes of traffic (excluding pings)
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Wait 40 seconds, server should disconnect the client
  • Look for OpenVPN internal pings in the logs

Test 7

  • Use --ping 10 (on client and server) and --inactive 40 100 (on server only), and verify that pings are sent, and the connection is NOT closed by the server as long as no 40-second window exists in which less than 100 bytes of user traffic are sent
  • Start the server with appropriate debugging level (6)
  • Start the client with appropriate debugging level (6)
  • Before 40 seconds pass, start pinging the server from the client (i.e. using the "ping" command; this is user traffic, not related to OpenVPN's internal pings)
  • Wait 120 seconds, VPN should stay up
  • Stop pinging the server
  • Wait 40 seconds, server should disconnect the client
  • Look for OpenVPN internal pings in the logs during inactivity periods

To run the tests, apply the patch, build OpenVPN and deploy it to a client and a server. Download the config tarballs, edit the files to use your own IP addresses, and run the tests. Using a patched OpenVPN and the provided configuration files, all seven tests passed for me in all four configurations.
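Judging "pings are sent, yet the connection closes after 40 seconds" by eye in a verb 6 log is error-prone, so here is an added log checker for the tests above. It is example code written for this page, not one of the page's attachments and not part of OpenVPN. It assumes OpenVPN's default log prefix ("Sat Jul 10 23:44:49 2010 ", optionally followed by "us=..."), the ping messages "SENT PING" / "RECEIVED PING", the line "Initialization Sequence Completed" as the start of the clock, and the line "Inactivity timeout (--inactive), exiting" as the --inactive exit; the sample logs at the bottom are constructed, not captured. The check is slightly more general than the page's tests: it only demands pings inside the final idle window, so it also works for Tests 5 and 7, where user traffic suppresses internal pings in the middle of the run.

```python
"""Verdict checker for the --ping/--inactive test logs (added example, not OpenVPN code).

Assumed log conventions (adjust the regexes if your build differs):
  - line prefix "Sat Jul 10 23:44:49 2010 " optionally followed by "us=NNNNNN "
  - "SENT PING" / "RECEIVED PING" for OpenVPN's internal pings
  - "Initialization Sequence Completed" marks the tunnel coming up
  - "Inactivity timeout (--inactive), exiting" marks the --inactive exit
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})(?: us=\d+)? (.*)$")
PING_RE = re.compile(r"\b(?:SENT|RECEIVED) PING\b")
READY_RE = re.compile(r"Initialization Sequence Completed")
INACTIVE_RE = re.compile(r"Inactivity timeout \(--inactive\)")


def parse_log(lines):
    """Yield (timestamp, message) for every line carrying the standard prefix."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def check_test_log(lines, ping=10, inactive=None, expect_disconnect=False,
                   min_uptime=0, max_uptime=None, start_re=READY_RE):
    """Judge one side's log against a test's expectations.

    ping / inactive        -- the --ping interval and this side's --inactive timeout (None if unset)
    expect_disconnect      -- whether this side must tear the tunnel down
    min_uptime/max_uptime  -- bounds (seconds) on when that teardown may happen
    start_re               -- line that starts the clock (on a server log you would
                              pass the client's connection line instead; assumption)
    """
    events = list(parse_log(lines))
    if not events:
        raise ValueError("no OpenVPN log lines found")
    t0 = next((ts for ts, msg in events if start_re.search(msg)), events[0][0])
    ping_times = sorted({ts for ts, msg in events if PING_RE.search(msg)})
    exits = [ts for ts, msg in events if INACTIVE_RE.search(msg)]
    end = exits[0] if exits else events[-1][0]
    uptime = (end - t0).total_seconds()

    # Only the last <inactive> seconds before the exit (or the whole log when
    # --inactive is unset) must show pings: user traffic suppresses internal
    # pings, so Tests 5 and 7 legitimately have a long ping-free stretch.
    window = inactive if inactive else uptime
    idle = [ts for ts in ping_times if 0 <= (end - ts).total_seconds() <= window]
    gaps = [(b - a).total_seconds() for a, b in zip(idle, idle[1:])]
    # Expect a ping every <ping> s across the window (allow one missing at the edge).
    pings_ok = (len(idle) >= max(1, int(window // ping) - 1)
                and all(g <= 1.5 * ping for g in gaps))

    if expect_disconnect:
        # Patched behaviour: pings kept flowing AND --inactive still fired on time.
        ok = (bool(exits) and pings_ok and uptime >= min_uptime
              and (max_uptime is None or uptime <= max_uptime))
    else:
        ok = not exits and pings_ok and uptime >= min_uptime
    return {"ok": ok, "pings_ok": pings_ok, "pings_in_idle_window": len(idle),
            "disconnected": bool(exits), "uptime": uptime}


def constructed_log(entries):
    """Build constructed sample log lines from (seconds after 23:00:00, message)."""
    return ["Sat Jul 10 23:%02d:%02d 2010 %s" % (divmod(s, 60) + (msg,)) for s, msg in entries]


def ping_pair(t):
    """Both sides ping every 10 s, so each idle tick shows a sent and a received ping."""
    return [(t, "SENT PING"), (t, "RECEIVED PING")]


# Constructed: pings every 10 s for two minutes, no inactivity exit. Passes Test 1,
# and is exactly what an UNPATCHED client with --inactive 40 produces in Test 2.
LOG_PINGS_ONLY = constructed_log(
    [(0, "Initialization Sequence Completed")]
    + [p for t in range(10, 130, 10) for p in ping_pair(t)])

# Constructed: patched client in Test 2, pings keep going and it exits at 40 s.
LOG_TEST2_PATCHED = constructed_log(
    [(0, "Initialization Sequence Completed")]
    + ping_pair(10) + ping_pair(20) + ping_pair(30)
    + [(40, "Inactivity timeout (--inactive), exiting"),
       (40, "SIGTERM[soft,inactive] received, process exiting")])

# Constructed: patched client in Test 5, user "ping" traffic from ~35 s to ~155 s
# suppresses internal pings and keeps the tunnel up; the idle tail ends it at 195 s.
LOG_TEST5 = constructed_log(
    [(0, "Initialization Sequence Completed")]
    + ping_pair(10) + ping_pair(20) + ping_pair(30)
    + ping_pair(165) + ping_pair(175) + ping_pair(185)
    + [(195, "Inactivity timeout (--inactive), exiting")])


if __name__ == "__main__":
    print("Test 1          :", check_test_log(LOG_PINGS_ONLY, ping=10))
    print("Test 2 patched  :", check_test_log(LOG_TEST2_PATCHED, ping=10, inactive=40,
                                              expect_disconnect=True, min_uptime=40, max_uptime=45))
    print("Test 2 unpatched:", check_test_log(LOG_PINGS_ONLY, ping=10, inactive=40,
                                              expect_disconnect=True, min_uptime=40, max_uptime=45))
    print("Test 5          :", check_test_log(LOG_TEST5, ping=10, inactive=40,
                                              expect_disconnect=True, min_uptime=160))
```

Run it against a real client log with `check_test_log(open("client.log"), ...)`; for Tests 3, 6 and 7 point it at the server log and pass a `start_re` matching the line the server prints when the client connects, otherwise the uptime is measured from server startup rather than from the client's connection. The `max_uptime` of 45 for Test 2 leaves five seconds of slack for OpenVPN's coarse event timers; the interesting outcome is the unpatched case, where `pings_ok` is true but `disconnected` stays false because the pings kept resetting the inactivity timer.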

Last modified on 07/10/10 23:44:49
