List: openvpn-users
Subject: Re: [Openvpn-users] Flock of openvpn Servers: how to make one machine stop accepting NEW clients?
From: Jan Just Keijser <janjust () nikhef ! nl>
Date: 2021-01-08 13:52:15
Message-ID: 1dbcdce2-5e2b-680c-9fbe-9a904840143e () nikhef ! nl
Hi,
On 08/01/21 12:37, Gert Doering wrote:
> Hi,
>
> On Fri, Jan 08, 2021 at 11:33:38AM +0100, Ralf Hildebrandt wrote:
>> We have a flock of openvpn Servers. We're using DNS round robin (openvpn.charite.de).
>>
>> Currently, we have
>> 421 clients on machine 0
>> 465 clients on machine 1
>> 598 clients on machine 2
>> 246 clients on machine 3
>>
>> How can I change my auth-user-pass-verify / client-connect or
>> learn-address scripts to prevent MORE clients on machine 2?
>>
>> I could return AUTH_FAILED, but that would irritate the users, since
>> their clients would ask for a (new) password.
> I actually do not have an answer to your question (not sure there is
> anything else to return today, *but* I do not understand that code
> part very well).
>
> I do know that explicit-exit-notify is signalled with an extra parameter
> that tells the client "reconnect" or "go to the next server"
> ("RESTART,[N]" vs. "RESTART").
>
> So, depending on your authentication, it might be an idea to "let them
> in", and then disconnect them right away (via management interface)
> with a "client-kill cid RESTART,[N]" message.
I'd take a different approach: if you "let them in" and then send a
restart the user will still be queried for the password again (if
caching is disabled)
>
> For clients using 2FA auth, this will be very annoying (= won't work),
> unless you also have --auth-gen-token + secret active. For clients using
> (cached) auth+pass or cert-only, this might work out nicely.
>
> But, you need to talk to the management interface.
>
>
> (Maybe I'm all wrong and there is a way to send RESTART from plugin
> or scripts, and I just don't know it yet)
Just browsed the source code and I cannot find a way to send a RESTART...
My approach would be to reject new clients *BEFORE* the client has a
chance to authenticate using username+password. I'd add a tls-verify
script (which is the first one to get called when a client connects),
then look at the load and simply kick out the client. This will cause
the client to stall but eventually it will try a reconnect (depending on
how things are configured) and (hopefully) the second time it will
choose a different server. And as no (authenticated) connection has been
established during a tls-verify script/plugin there is also no method to
send a signal to the client...
This way, you may be able to avoid having to type in a password more
than once but the connection startup time will get VERY lengthy in UDP
mode, as the client has to wait for a certain timeout before trying
again/the next server.
HTH,
JJK
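The load-shedding tls-verify script described in the reply above, as an added example that is not part of the thread. It assumes the server writes a `--status` file in status-version 2 or 3 layout (one `CLIENT_LIST` line per connected client) at the path in `STATUS_FILE`, and that `MAX_CLIENTS` is the per-server cap; OpenVPN invokes the script as `script <depth> <subject>` and a non-zero exit rejects the handshake before any password prompt.

```shell
#!/bin/sh
# Added example: OpenVPN --tls-verify script that rejects new clients when the
# server is already at capacity. Assumed paths/values; adjust for your site.
STATUS_FILE="${STATUS_FILE:-/var/run/openvpn/server.status}"
MAX_CLIENTS="${MAX_CLIENTS:-500}"

# Count connected clients from a status-version-2/3 file (0 if unreadable).
client_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk '/^CLIENT_LIST/ { n++ } END { print n + 0 }' "$1"
}

# Decide only at depth 0 (the client's leaf cert); CA depths always pass.
# Returns 0 to accept the client, 1 to reject it.
should_accept() {
    depth="$1"; status="$2"; max="$3"
    [ "$depth" -eq 0 ] || return 0
    n=$(client_count "$status")
    [ "$n" -lt "$max" ]
}

# Constructed sample status file (status-version 2 layout) for offline testing.
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN (constructed sample)
TIME,Fri Jan  8 13:00:00 2021,1610110800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Username,Client ID
CLIENT_LIST,client-a,192.0.2.10:1194,10.8.0.2,alice,0
CLIENT_LIST,client-b,192.0.2.11:1194,10.8.0.3,bob,1
CLIENT_LIST,client-c,192.0.2.12:1194,10.8.0.4,carol,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref
ROUTING_TABLE,10.8.0.2,client-a,192.0.2.10:1194,Fri Jan  8 12:59:00 2021
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# Entry point when OpenVPN runs the script with <depth> <subject> arguments.
if [ "$#" -ge 2 ]; then
    if should_accept "$1" "$STATUS_FILE" "$MAX_CLIENTS"; then
        exit 0
    fi
    echo "tls-verify: rejecting '$2', $(client_count "$STATUS_FILE") clients >= $MAX_CLIENTS" >&2
    exit 1
fi
```

The status file is only rewritten on the `--status` interval, so the count lags real connections by up to that interval; set the interval short or read the count from the management interface if the cap must be exact.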
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users