vpn flooding logs


This topic contains 3 replies, has 0 voices, and was last updated by ppalias 7 years, 9 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
    #42685

    ppalias
    Member

    I have a LAN-to-LAN VPN with OpenWrt on the other side. The settings on the ZS side were:

    root@zeroshell root> ps auxw | grep vpn
    root 6880 0.0 0.8 3992 1512 ? S Oct12 0:20 openvpn --dev VPN00 --remote REMOTE.SERVER.ADDR --port 1195 --proto udp --secret /tmp/VPN00.psk --dev-type tap --float --ping 1 --ping-restart 7 --management 127.0.0.1 34000 --daemon VPN00_L2L --comp-lzo --persist-tun --persist-remote-ip --persist-local-ip --persist-key --ifconfig 10.14.149.133 255.255.255.252 --down /root/kerbynet.cgi/scripts/vpn_mii

    On the Openwrt side the settings are:

    root@wrt54gs:/etc/openvpn# cat my-vpn.conf
    dev tap
    proto udp
    ifconfig 10.14.149.134 255.255.255.252
    remote REMOTE_ADDRESS 1195
    resolv-retry infinite
    keepalive 10 60
    nobind
    persist-key
    persist-tun
    persist-remote-ip
    persist-local-ip
    secret /root/vpn.psk
    comp-lzo
    verb 3
    route 10.0.0.0 255.0.0.0 10.14.149.133

    The problem was that in ZS the logs were flooded with the following:

    10:59:45 Inactivity timeout (--ping-restart), restarting
    10:59:45 SIGUSR1[soft,ping-restart] received, process restarting
    10:59:47 Re-using pre-shared static key
    10:59:47 LZO compression initialized
    10:59:47 TCP/UDP: Preserving recently used remote address: 79.167.168.219:1195
    10:59:47 Preserving previous TUN/TAP instance: VPN00
    10:59:47 UDPv4 link local (bound): [undef]:1195
    10:59:47 UDPv4 link remote: 79.167.168.219:1195

    10:59:54 Inactivity timeout (--ping-restart), restarting
    10:59:54 SIGUSR1[soft,ping-restart] received, process restarting
    10:59:56 Re-using pre-shared static key
    10:59:56 LZO compression initialized
    10:59:56 TCP/UDP: Preserving recently used remote address: 79.167.168.219:1195
    10:59:56 Preserving previous TUN/TAP instance: VPN00
    10:59:56 UDPv4 link local (bound): [undef]:1195
    10:59:56 UDPv4 link remote: 79.167.168.219:1195

    11:00:03 Inactivity timeout (--ping-restart), restarting
    11:00:03 SIGUSR1[soft,ping-restart] received, process restarting
    11:00:05 Re-using pre-shared static key
    11:00:05 LZO compression initialized
    11:00:05 TCP/UDP: Preserving recently used remote address: 79.167.168.219:1195
    11:00:05 Preserving previous TUN/TAP instance: VPN00
    11:00:05 UDPv4 link local (bound): [undef]:1195
    11:00:05 UDPv4 link remote: 79.167.168.219:1195

    As a result I almost reached the logging limit, plus there was the doubt about having my connection restarted every 7 seconds. The solution I gave was to create a file /Database/patches/vpn_ctl:

    #!/bin/sh
    # Patched copy of Zeroshell's vpn_ctl, kept in /Database/patches/vpn_ctl.
    # It relies on bash extensions (function, [ == ], ${var:off:len}, $((...)));
    # on Zeroshell /bin/sh is bash. Usage: vpn_ctl INTERFACE [up|down]
    . /etc/kerbynet.conf

    # Stop the openvpn instance serving interface $1: SIGTERM once a second for
    # up to 30 s, then SIGKILL. Returns 0 when the process is gone, 1 otherwise.
    function TERM () {
        I=0
        while [ $I -lt 30 ] ; do
            PID="$(ps -ef | grep openvpn | grep " --dev $1 " | awk '{print $2}')"
            if ! [ -z "$PID" ] ; then
                kill -TERM $PID
                sleep 1
            else
                return 0
            fi
            I=$((I+1))
        done
        PID="$(ps -ef | grep openvpn | grep " --dev $1 " | awk '{print $2}')"
        if ! [ -z "$PID" ] ; then
            kill -9 $PID
            sleep 3
        fi
        return 1
    }

    INTERFACE="$1"
    STATUS="$2"
    [ -z "$INTERFACE" ] && exit 1
    CONFIG="$REGISTER/system/net/interfaces/$INTERFACE"
    if [ "$INTERFACE" == VPN99 ] ; then
        exit
    fi
    if cd "$CONFIG" 2> /dev/null ; then
        if [ -z "$STATUS" ] ; then
            STATUS=$(cat $CONFIG/STATUS)
        fi
        if [ "$STATUS" == up ] ; then
            if TERM $INTERFACE; then
                # Management port is 34000 + interface number (VPN00 -> 34000);
                # the leading zero is stripped so it is not taken as octal.
                NUM=${INTERFACE:3:2}
                if [ "${NUM:0:1}" == 0 ] ; then
                    NUM=${NUM:1:1}
                fi
                MGT=$((34000+NUM))
                # Tunnel parameters as stored in the Zeroshell register.
                REMOTEIP=$(cat TUNNEL/RemoteIP)
                if ! [ -z "$REMOTEIP" ] ; then
                    REMOTEIP="--remote $REMOTEIP"
                fi
                PORT=$(cat TUNNEL/Port)
                PROTO=$(cat TUNNEL/Proto)
                AUTHENTICATION=$(cat TUNNEL/Authentication 2>/dev/null)
                TLSROLE=$(cat TUNNEL/TLSRole)
                REMOTECN=$(cat TUNNEL/RemoteCN)
                COMPRESSION=$(cat TUNNEL/Compression)
                CRYPTO=$(cat TUNNEL/Crypto)
                PARAMETERS="$(cat TUNNEL/Parameters)"
                if ! [ -z "$REMOTECN" ] ; then
                    # Sanitise the expected peer CN before passing it to --tls-remote.
                    REMOTECN="--tls-remote $(echo $REMOTECN | sed -r 's/[# {}()^?!*[]/_/g')"
                fi
                # RESTART is no longer used: --keepalive below replaces --ping/--ping-restart.
                if [ "$TLSROLE" == Server ] ; then
                    TLSROLE=server
                    RESTART=7
                else
                    TLSROLE=client
                    RESTART=11
                fi
                if [ "$PROTO" == TCP ] ; then
                    PROTO=tcp-$TLSROLE
                else
                    PROTO=udp
                fi
                if [ "$COMPRESSION" == yes ] ; then
                    COMPRESSION="--comp-lzo"
                else
                    COMPRESSION=""
                fi
                if [ "$CRYPTO" != yes ] ; then
                    CRYPTO="--cipher none"
                else
                    CRYPTO=""
                fi
                #ifconfig $INTERFACE up
                if [ "$AUTHENTICATION" = PSK ] ; then
                    # Write the stored key in OpenVPN's static key file framing.
                    AUTHSTRING="--secret /tmp/$INTERFACE.psk"
                    printf '\n-----BEGIN OpenVPN Static key V1-----\n' > "/tmp/$INTERFACE.psk"
                    cat $CONFIG/TUNNEL/PSK >> "/tmp/$INTERFACE.psk"
                    printf '\n-----END OpenVPN Static key V1-----\n' >> "/tmp/$INTERFACE.psk"
                    chmod 600 /tmp/$INTERFACE.psk
                else
                    AUTHSTRING="--tls-$TLSROLE --dh $SSLDIR/dh.pem --ca $SSLDIR/trusted_CAs.pem --cert $CONFIG/TLS/cert.pem --key $CONFIG/TLS/key.pem $REMOTECN"
                fi
                $SCRIPTS/nb_vpn
                # --keepalive 10 60 replaces the original --ping 1 --ping-restart 7.
                if bash -c "openvpn --dev $INTERFACE $REMOTEIP --port $PORT --proto $PROTO $AUTHSTRING \
                        --dev-type tap --float --keepalive 10 60 --management 127.0.0.1 $MGT \
                        --daemon ${INTERFACE}_L2L $COMPRESSION $CRYPTO $PARAMETERS --down '$SCRIPTS/vpn_mii'" ; then
                    SEM="/tmp/VPN_MII_$INTERFACE"
                    rm -f $SEM
                    $SCRIPTS/vpn_mii $INTERFACE
                    [ -z "$NOVPNWAIT" ] && sleep 5
                else
                    exit 5
                fi
            else
                exit 2
            fi
        else
            TERM $INTERFACE || exit 1
            ifconfig $INTERFACE down
        fi
    fi

    and vpn_ctl.1:


    #!/bin/sh
    . /etc/kerbynet.conf
    function TERM () {
    I=0
    while [ $I -lt 30 ] ; do
    PID="`ps -ef |grep openvpn |grep " --dev $1 " |awk '{print $2}'`"
    if ! [ -z "$PID" ] ; then
    kill -TERM $PID
    sleep 1
    else
    return 0
    fi
    I=$((I+1))
    done
    return 1
    }
    INTERFACE="$1"
    STATUS="$2"
    [ -z "$INTERFACE" ] && exit 1
    CONFIG="$REGISTER/system/net/interfaces/$INTERFACE"
    if [ "$INTERFACE" == VPN99 ] ; then
    exit
    fi
    if cd "$CONFIG" 2> /dev/null ; then
    if [ -z "$STATUS" ] ; then
    STATUS=`cat $CONFIG/STATUS`
    fi
    if [ "$STATUS" == up ] ; then
    if TERM $INTERFACE; then
    NUM=${INTERFACE:3:2}
    if [ "${NUM:0:1}" == 0 ] ; then
    NUM=${NUM:1:1}
    fi
    MGT=$[34000+$NUM]
    REMOTEIP=`cat TUNNEL/RemoteIP`
    if ! [ -z "$REMOTEIP" ] ; then
    REMOTEIP="--remote $REMOTEIP"
    fi
    PORT=`cat TUNNEL/Port`
    PROTO=`cat TUNNEL/Proto`
    TLSROLE=`cat TUNNEL/TLSRole`
    REMOTECN=`cat TUNNEL/RemoteCN`
    COMPRESSION=`cat TUNNEL/Compression`
    CRYPTO=`cat TUNNEL/Crypto`
    PARAMETERS=`cat TUNNEL/Parameters`
    if ! [ -z "$REMOTECN" ] ; then
    REMOTECN="--tls-remote `echo $REMOTECN | sed -r 's/[# {}()^?!*[]/_/g'`"
    fi
    if [ "$TLSROLE" == Server ] ; then
    TLSROLE=server
    RESTART=5
    else
    TLSROLE=client
    RESTART=3
    fi
    if [ "$PROTO" == TCP ] ; then
    PROTO=tcp-$TLSROLE
    else
    PROTO=udp
    fi
    if [ "$COMPRESSION" == yes ] ; then
    COMPRESSION="--comp-lzo"
    else
    COMPRESSION=""
    fi
    if [ "$CRYPTO" != yes ] ; then
    CRYPTO="--cipher none"
    else
    CRYPTO=""
    fi
    ifconfig $INTERFACE up
    if openvpn --dev $INTERFACE $REMOTEIP --port $PORT --proto $PROTO --tls-$TLSROLE --dh $SSLDIR/dh.pem --ca $SSLDIR/trusted_CAs.pem --cert $CONFIG/TLS/cert.pem --key $CONFIG/TLS/key.pem $REMOTECN --dev-type tap --keepalive 10 60 --management 127.0.0.1 $MGT --daemon ${INTERFACE}_L2L $COMPRESSION $CRYPTO $PARAMETERS ; then
    sleep 5
    else
    exit 5
    fi
    else
    exit 2
    fi
    else
    TERM $INTERFACE || exit 1
    ifconfig $INTERFACE down
    fi

    fi

    where I swapped

    --ping 1 --ping-restart 7

    with

    --keepalive 10 60

    and put it in a preboot script, reloaded, and it seems to work fine now.
    From the log I see:

    11:11:34 Peer Connection Initiated with 79.167.151.53:41217
    11:11:34 Initialization Sequence Completed
    11:11:37 Interface VPN00 is UP
    11:11:42 message repeated 16 times

    Time is 11:26 now and nothing else is added.
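The mismatch behind the flood (Zeroshell restarting after 7 s of silence while the OpenWrt side only pings every 10 s) can be checked mechanically. The following is an added example, not code from this thread or from Zeroshell: it parses the two configuration forms shown above (the openvpn command line as listed by ps, and an OpenWrt-style config file), expands keepalive into its ping/ping-restart pair, and reports any side whose restart timer is shorter than the peer's ping interval. It assumes a static-key point-to-point tunnel (no server mode), and the function names and sample inputs are constructed for the example.

```python
import shlex
# Constructed inputs modelled on the thread: Zeroshell's openvpn command line
# (as listed by ps) before the fix, and the OpenWrt side's config file.
ZS_BEFORE = ("openvpn --dev VPN00 --remote REMOTE.SERVER.ADDR --port 1195 --proto udp"
             " --secret /tmp/VPN00.psk --dev-type tap --float --ping 1 --ping-restart 7")
ZS_AFTER = ZS_BEFORE.replace("--ping 1 --ping-restart 7", "--keepalive 10 60")
OPENWRT_CONF = "dev tap\nproto udp\nremote REMOTE_ADDRESS 1195\nkeepalive 10 60\n"

def parse_openvpn_options(text):
    """{option: [args]} from a command line ('--dev tap ...', ps columns allowed
    in front) or from a config file ('dev tap' per line, '#' comments)."""
    tokens = shlex.split(text, comments=True)
    opts = {}
    if any(t.startswith("--") for t in tokens):      # command-line form
        tokens = tokens[tokens.index("openvpn") + 1:] if "openvpn" in tokens else tokens
        current = None
        for tok in tokens:
            if tok.startswith("--"):
                current, opts[tok[2:]] = tok[2:], []
            elif current is not None:
                opts[current].append(tok)
        return opts
    for line in text.splitlines():                   # config-file form
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def timers(opts):
    """(ping interval, ping-restart) in seconds for a static-key point-to-point
    tunnel: 'keepalive n m' is shorthand for 'ping n' + 'ping-restart m'.
    None = not configured; keepalive mixed with ping options is rejected."""
    if "keepalive" in opts:
        if "ping" in opts or "ping-restart" in opts:
            raise ValueError("--keepalive conflicts with --ping/--ping-restart")
        return int(opts["keepalive"][0]), int(opts["keepalive"][1])
    ping = int(opts["ping"][0]) if opts.get("ping") else None
    restart = int(opts["ping-restart"][0]) if opts.get("ping-restart") else None
    return ping, restart

def check_pair(local_text, peer_text):
    """Findings for the two ends (empty list = compatible). A side's ping-restart
    timer is reset by any packet from the peer, so it must exceed the peer's ping
    interval: 7 s against a peer pinging every 10 s is the loop in the ZS log."""
    sides = {"local": timers(parse_openvpn_options(local_text)),
             "peer": timers(parse_openvpn_options(peer_text))}
    findings = []
    for me, other in (("local", "peer"), ("peer", "local")):
        restart, ping = sides[me][1], sides[other][0]
        if restart is not None and ping is not None and restart <= ping:
            findings.append(f"{me}: ping-restart {restart}s <= {other} ping {ping}s")
    return findings
```

Run with `check_pair(ZS_BEFORE, OPENWRT_CONF)` to reproduce the mismatch and `check_pair(ZS_AFTER, OPENWRT_CONF)` to confirm the keepalive 10 60 pair is clean on both ends.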

    #51192

    dr1
    Member

    For simplicity you can specify those options in the Extra options because it will accept them twice. I believe it won't accept keepalive if the ping options are set, but you can set the ping options twice, and keepalive is just a simplified way to set the ping options.
    Another option is to set the value on the other side of the VPN to be compatible with the 7 second reset.

    I see this more of a feature request to have ALL the options be adjustable from the GUI, and I’d agree!

    #51193

    ppalias
    Member

    Yeah, the problem was that I could not add the “keepalive” option, since the script itself had the “ping” option. Thus I had to rewrite the script. Obviously, having full control over what is loaded via the GUI would be great.

    #51194

    Anonymous
    Member

    DELETED

    #51195

    imported_fulvio
    Participant

    Could you try with beta14, which uses the keepalive option?
