
List:       openvpn-users
Subject:    Re: [Openvpn-users] Flock of openvpn Servers: how to make one machine stop accepting NEW clients?
From:       Jan Just Keijser <janjust () nikhef ! nl>
Date:       2021-01-08 13:52:15
Message-ID: 1dbcdce2-5e2b-680c-9fbe-9a904840143e () nikhef ! nl
[Download RAW message or body]

Hi,

On 08/01/21 12:37, Gert Doering wrote:
> Hi,
>
> On Fri, Jan 08, 2021 at 11:33:38AM +0100, Ralf Hildebrandt wrote:
>> We have a flock of openvpn Servers. We're using DNS round robin (openvpn.charite.de).
>>
>> Currently we have
>> 421 clients on machine 0
>> 465 clients on machine 1
>> 598 clients on machine 2
>> 246 clients on machine 3
>>
>> How can I change my auth-user-pass-verify / client-connect or
>> learn-address scripts to prevent MORE clients on machine 2?
>>
>> I could return AUTH_FAILED, but that would irritate the users, since
>> their clients would ask for a (new) password.
> I actually do not have an answer to your question (not sure there is
> anything else to return today, *but* I do not understand that code
> part very well).
>
> I do know that explicit-exit-notify is signalled with an extra parameter
> that tells the client "reconnect" or "go to the next server"
> ("RESTART,[N]" vs. "RESTART").
>
> So, depending on your authentication, it might be an idea to "let them
> in", and then disconnect them right away (via management interface)
> with a "client-kill cid RESTART,[N]" message.

I'd take a different approach: if you "let them in" and then send a 
restart, the user will still be queried for the password again (if 
caching is disabled).
>
> For clients using 2FA auth, this will be very annoying (= won't work),
> unless you also have --auth-gen-token + secret active.  For clients using
> (cached) auth+pass or cert-only, this might work out nicely.
>
> But, you need to talk to the management interface.
>
>
> (Maybe I'm all wrong and there is a way to send RESTART from plugin
> or scripts, and I just don't know it yet)
Just browsed the source code and I cannot find a way to send a RESTART...

My approach would be to reject new clients *BEFORE* the client has a 
chance to authenticate using username+password. I'd add a tls-verify 
script (which is the first one to get called when a client connects), 
then look at the load and simply kick out the client. This will cause 
the client to stall but eventually it will try a reconnect (depending on 
how things are configured) and (hopefully) the second time it will 
choose a different server. And as no (authenticated) connection has been 
established during a tls-verify script/plugin there is also no method to 
send a signal to the client...

This way, you may be able to avoid having to type in a password more 
than once but the connection startup time will get VERY lengthy in UDP 
mode, as the client has to wait for a certain timeout before trying 
again/the next server.


HTH,

JJK



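The tls-verify approach described in the reply above, written out as an added example (this is not code from the thread or from the OpenVPN project). It assumes, beyond what the mail states, that the server config carries `status /var/run/openvpn/status.log` with `status-version 2`, `script-security 2`, and `tls-verify /etc/openvpn/tls-verify-load.sh`; the threshold and status path are hypothetical and are read from environment variables so they can be set per machine. OpenVPN invokes a `--tls-verify` script once per certificate in the chain with the depth and X.509 subject as arguments and treats a non-zero exit as a rejection, which is exactly the "kick out before auth-user-pass" behaviour the reply relies on.

```shell
#!/bin/sh
# Added example: an OpenVPN --tls-verify hook that refuses new TLS
# handshakes once this server already holds MAX_CLIENTS connections.
# Assumed (not in the original mail):
#   server config: status /var/run/openvpn/status.log, status-version 2,
#                  script-security 2, tls-verify /etc/openvpn/tls-verify-load.sh
#   OpenVPN passes "$1" = certificate depth, "$2" = X.509 subject;
#   non-zero exit == reject this certificate, so the client never reaches
#   auth-user-pass-verify and is never asked for a password.

STATUS_FILE="${OPENVPN_STATUS_FILE:-/var/run/openvpn/status.log}"   # assumed path
MAX_CLIENTS="${OPENVPN_MAX_CLIENTS:-500}"                           # assumed cap

# count_clients FILE
#   Prints the number of connected clients recorded in a status-version 2/3
#   file (one "CLIENT_LIST" line per client). A missing or unreadable file
#   counts as zero so a freshly started server never locks itself out.
count_clients() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 when nothing matches; "|| true" keeps the "0" it printed.
    grep -c '^CLIENT_LIST' "$1" || true
}

# should_admit FILE MAX
#   Exit 0 when one more client still fits under MAX, 1 otherwise.
should_admit() {
    current=$(count_clients "$1")
    [ "$current" -lt "$2" ]
}

# Hook entry point: only runs when OpenVPN calls us with depth + subject.
if [ $# -ge 2 ]; then
    depth="$1"
    subject="$2"
    # Decide on the client (leaf) certificate only; CA certificates at
    # higher depths are always accepted here.
    if [ "$depth" -ne 0 ]; then
        exit 0
    fi
    if should_admit "$STATUS_FILE" "$MAX_CLIENTS"; then
        exit 0
    fi
    echo "tls-verify: at capacity ($MAX_CLIENTS), refusing $subject" >&2
    exit 1
fi
```

Two caveats when deploying this: the status file is only rewritten every `status` interval (60 seconds by default), so the count lags slightly behind reality and a burst of reconnects can overshoot the cap, and, as the reply notes, a refused UDP client sits in the handshake until its own timeout expires. On the client side `--server-poll-timeout` together with several `remote` lines (or `remote-random`) keeps that wait short and sends the retry to another member of the flock.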
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users