vpn flooding logs
October 13, 2010 at 8:26 am #42685
ppalias (Member)

I have a LAN-to-LAN VPN with an OpenWrt box on the other side. The settings on the ZS side were:
root@zeroshell root> ps auxw | grep vpn
root 6880 0.0 0.8 3992 1512 ? S Oct12 0:20 openvpn --dev VPN00 --remote REMOTE.SERVER.ADDR --port 1195 --proto udp --secret /tmp/VPN00.psk --dev-type tap --float --ping 1 --ping-restart 7 --management 127.0.0.1 34000 --daemon VPN00_L2L --comp-lzo --persist-tun --persist-remote-ip --persist-local-ip --persist-key --ifconfig 10.14.149.133 255.255.255.252 --down /root/kerbynet.cgi/scripts/vpn_mii

On the OpenWrt side the settings are:
root@wrt54gs:/etc/openvpn# cat my-vpn.conf
dev tap
proto udp
ifconfig 10.14.149.134 255.255.255.252
remote REMOTE_ADDRESS 1195
resolv-retry infinite
keepalive 10 60
nobind
persist-key
persist-tun
persist-remote-ip
persist-local-ip
secret /root/vpn.psk
comp-lzo
verb 3
route 10.0.0.0 255.0.0.0 10.14.149.133

The problem was that in ZS the logs were flooded by the following:
10:59:45 Inactivity timeout (--ping-restart), restarting
10:59:45 SIGUSR1[soft,ping-restart] received, process restarting
10:59:47 Re-using pre-shared static key
10:59:47 LZO compression initialized
10:59:47 TCP/UDP: Preserving recently used remote address: 79.167.168.219:1195
10:59:47 Preserving previous TUN/TAP instance: VPN00
10:59:47 UDPv4 link local (bound): [undef]:1195
10:59:47 UDPv4 link remote: 79.167.168.219:1195
10:59:54 Inactivity timeout (--ping-restart), restarting
10:59:54 SIGUSR1[soft,ping-restart] received, process restarting
10:59:56 Re-using pre-shared static key
10:59:56 LZO compression initialized
10:59:56 TCP/UDP: Preserving recently used remote address: 79.167.168.219:1195
10:59:56 Preserving previous TUN/TAP instance: VPN00
10:59:56 UDPv4 link local (bound): [undef]:1195
10:59:56 UDPv4 link remote: 79.167.168.219:1195
11:00:03 Inactivity timeout (--ping-restart), restarting
11:00:03 SIGUSR1[soft,ping-restart] received, process restarting
11:00:05 Re-using pre-shared static key
11:00:05 LZO compression initialized
11:00:05 TCP/UDP: Preserving recently used remote address: 79.167.168.219:1195
11:00:05 Preserving previous TUN/TAP instance: VPN00
11:00:05 UDPv4 link local (bound): [undef]:1195
11:00:05 UDPv4 link remote: 79.167.168.219:1195

As a result I almost reached the logging limit, plus there was this doubt about having my connection restarted every 7 seconds. The solution I gave was to create a file /Database/patches/vpn_ctl:
#!/bin/sh
# Zeroshell's /bin/sh is bash, which the function keyword, $[ ] and ${VAR:n:m} below rely on.
. /etc/kerbynet.conf

# Stop the openvpn process bound to interface $1: SIGTERM for up to 30 s, then SIGKILL.
function TERM () {
    I=0
    while [ $I -lt 30 ] ; do
        PID="`ps -ef |grep openvpn |grep " --dev $1 " |awk '{print $2}'`"
        if ! [ -z "$PID" ] ; then
            kill -TERM $PID
            sleep 1
        else
            return 0
        fi
        I=$((I+1))
    done
    PID="`ps -ef |grep openvpn |grep " --dev $1 " |awk '{print $2}'`"
    if ! [ -z "$PID" ] ; then
        kill -9 $PID
        sleep 3
    fi
    return 1
}

INTERFACE="$1"
STATUS="$2"
[ -z "$INTERFACE" ] && exit 1
CONFIG="$REGISTER/system/net/interfaces/$INTERFACE"
if [ "$INTERFACE" == VPN99 ] ; then
    exit
fi
if cd "$CONFIG" 2> /dev/null ; then
    if [ -z "$STATUS" ] ; then
        STATUS=`cat $CONFIG/STATUS`
    fi
    if [ "$STATUS" == up ] ; then
        if TERM $INTERFACE; then
            # Management port is 34000 plus the tunnel number (VPN00 -> 34000, VPN01 -> 34001, ...)
            NUM=${INTERFACE:3:2}
            if [ "${NUM:0:1}" == 0 ] ; then
                NUM=${NUM:1:1}
            fi
            MGT=$[34000+$NUM]
            REMOTEIP=`cat TUNNEL/RemoteIP`
            if ! [ -z "$REMOTEIP" ] ; then
                REMOTEIP="--remote $REMOTEIP"
            fi
            PORT=`cat TUNNEL/Port`
            PROTO=`cat TUNNEL/Proto`
            AUTHENTICATION=`cat TUNNEL/Authentication 2>/dev/null`
            TLSROLE=`cat TUNNEL/TLSRole`
            REMOTECN=`cat TUNNEL/RemoteCN`
            COMPRESSION=`cat TUNNEL/Compression`
            CRYPTO=`cat TUNNEL/Crypto`
            PARAMETERS="`cat TUNNEL/Parameters`"
            if ! [ -z "$REMOTECN" ] ; then
                REMOTECN="--tls-remote `echo $REMOTECN | sed -r 's/[# {}()^?!*[]/_/g'`"
            fi
            # RESTART is no longer referenced: --ping/--ping-restart were replaced by --keepalive below
            if [ "$TLSROLE" == Server ] ; then
                TLSROLE=server
                RESTART=7
            else
                TLSROLE=client
                RESTART=11
            fi
            if [ "$PROTO" == TCP ] ; then
                PROTO=tcp-$TLSROLE
            else
                PROTO=udp
            fi
            if [ "$COMPRESSION" == yes ] ; then
                COMPRESSION="--comp-lzo"
            else
                COMPRESSION=""
            fi
            if [ "$CRYPTO" != yes ] ; then
                CRYPTO="--cipher none"
            else
                CRYPTO=""
            fi
            #ifconfig $INTERFACE up
            if [ "$AUTHENTICATION" = PSK ] ; then
                # Pre-shared key: wrap the stored key in the static key file format
                AUTHSTRING="--secret /tmp/$INTERFACE.psk"
                echo "
BEGIN OpenVPN Static key V1
" > "/tmp/$INTERFACE.psk"
                cat $CONFIG/TUNNEL/PSK >> "/tmp/$INTERFACE.psk"
                echo "
END OpenVPN Static key V1
" >> "/tmp/$INTERFACE.psk"
                chmod 600 /tmp/$INTERFACE.psk
            else
                AUTHSTRING="--tls-$TLSROLE --dh $SSLDIR/dh.pem --ca $SSLDIR/trusted_CAs.pem --cert $CONFIG/TLS/cert.pem --key $CONFIG/TLS/key.pem $REMOTECN"
            fi
            $SCRIPTS/nb_vpn
            if bash -c "openvpn --dev $INTERFACE $REMOTEIP --port $PORT --proto $PROTO $AUTHSTRING --dev-type tap --float --keepalive 10 60 --management 127.0.0.1 $MGT --daemon ${INTERFACE}_L2L $COMPRESSION $CRYPTO $PARAMETERS --down '$SCRIPTS/vpn_mii'" ; then
                SEM="/tmp/VPN_MII_$INTERFACE"
                rm -f $SEM
                $SCRIPTS/vpn_mii $INTERFACE
                [ -z "$NOVPNWAIT" ] && sleep 5
            else
                exit 5
            fi
        else
            exit 2
        fi
    else
        TERM $INTERFACE || exit 1
        ifconfig $INTERFACE down
    fi
fi
and vpn_ctl.1:
#!/bin/sh
. /etc/kerbynet.conf

# Stop the openvpn process bound to interface $1 with SIGTERM, retrying for up to 30 s.
function TERM () {
    I=0
    while [ $I -lt 30 ] ; do
        PID="`ps -ef |grep openvpn |grep " --dev $1 " |awk '{print $2}'`"
        if ! [ -z "$PID" ] ; then
            kill -TERM $PID
            sleep 1
        else
            return 0
        fi
        I=$((I+1))
    done
    return 1
}

INTERFACE="$1"
STATUS="$2"
[ -z "$INTERFACE" ] && exit 1
CONFIG="$REGISTER/system/net/interfaces/$INTERFACE"
if [ "$INTERFACE" == VPN99 ] ; then
    exit
fi
if cd "$CONFIG" 2> /dev/null ; then
    if [ -z "$STATUS" ] ; then
        STATUS=`cat $CONFIG/STATUS`
    fi
    if [ "$STATUS" == up ] ; then
        if TERM $INTERFACE; then
            NUM=${INTERFACE:3:2}
            if [ "${NUM:0:1}" == 0 ] ; then
                NUM=${NUM:1:1}
            fi
            MGT=$[34000+$NUM]
            REMOTEIP=`cat TUNNEL/RemoteIP`
            if ! [ -z "$REMOTEIP" ] ; then
                REMOTEIP="--remote $REMOTEIP"
            fi
            PORT=`cat TUNNEL/Port`
            PROTO=`cat TUNNEL/Proto`
            TLSROLE=`cat TUNNEL/TLSRole`
            REMOTECN=`cat TUNNEL/RemoteCN`
            COMPRESSION=`cat TUNNEL/Compression`
            CRYPTO=`cat TUNNEL/Crypto`
            PARAMETERS=`cat TUNNEL/Parameters`
            if ! [ -z "$REMOTECN" ] ; then
                REMOTECN="--tls-remote `echo $REMOTECN | sed -r 's/[# {}()^?!*[]/_/g'`"
            fi
            # RESTART is no longer referenced: --ping/--ping-restart were replaced by --keepalive below
            if [ "$TLSROLE" == Server ] ; then
                TLSROLE=server
                RESTART=5
            else
                TLSROLE=client
                RESTART=3
            fi
            if [ "$PROTO" == TCP ] ; then
                PROTO=tcp-$TLSROLE
            else
                PROTO=udp
            fi
            if [ "$COMPRESSION" == yes ] ; then
                COMPRESSION="--comp-lzo"
            else
                COMPRESSION=""
            fi
            if [ "$CRYPTO" != yes ] ; then
                CRYPTO="--cipher none"
            else
                CRYPTO=""
            fi
            ifconfig $INTERFACE up
            if openvpn --dev $INTERFACE $REMOTEIP --port $PORT --proto $PROTO --tls-$TLSROLE --dh $SSLDIR/dh.pem --ca $SSLDIR/trusted_CAs.pem --cert $CONFIG/TLS/cert.pem --key $CONFIG/TLS/key.pem $REMOTECN --dev-type tap --keepalive 10 60 --management 127.0.0.1 $MGT --daemon ${INTERFACE}_L2L $COMPRESSION $CRYPTO $PARAMETERS ; then
                sleep 5
            else
                exit 5
            fi
        else
            exit 2
        fi
    else
        TERM $INTERFACE || exit 1
        ifconfig $INTERFACE down
    fi
fi

where I swapped the
--ping 1 --ping-restart 7
with
--keepalive 10 60
put it in a preboot script, reloaded, and it seems to work fine now.
From the log I see:

11:11:34 Peer Connection Initiated with 79.167.151.53:41217
11:11:34 Initialization Sequence Completed
11:11:37 Interface VPN00 is UP
11:11:42 message repeated 16 times

Time is 11:26 now and nothing else is added.
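As an added example (not code from the thread or from Zeroshell), a small POSIX sh helper that counts the ping-restart cycles in a log shaped like the one above, measures the gap between them, and checks whether a local --ping-restart window can tolerate the peer's ping interval. The log excerpt is constructed, with a documentation-range address standing in for the real peer.

```shell
#!/bin/sh
# Spot ping-restart flapping in an OpenVPN log and sanity-check the
# peer timers. Added example, not code from the thread or Zeroshell.

# Constructed log excerpt with the same message shapes as the one
# posted above (peer address replaced by a documentation address).
SAMPLE_LOG='10:59:45 Inactivity timeout (--ping-restart), restarting
10:59:45 SIGUSR1[soft,ping-restart] received, process restarting
10:59:47 UDPv4 link remote: 198.51.100.7:1195
10:59:54 Inactivity timeout (--ping-restart), restarting
10:59:54 SIGUSR1[soft,ping-restart] received, process restarting
10:59:56 UDPv4 link remote: 198.51.100.7:1195
11:00:03 Inactivity timeout (--ping-restart), restarting
11:00:03 SIGUSR1[soft,ping-restart] received, process restarting'

# One SIGUSR1[soft,ping-restart] line per restart cycle.
count_restarts() {
    printf '%s\n' "$1" | grep -c 'SIGUSR1\[soft,ping-restart]'
}

# Shortest gap in seconds between consecutive restarts. A gap of
# roughly ping-restart plus the re-init time means the peer never
# sent anything inside the window: the timers are mismatched.
min_restart_interval() {
    printf '%s\n' "$1" | awk '
        /SIGUSR1\[soft,ping-restart]/ {
            split($1, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
            if (prev != "" && (min == "" || s - prev < min)) min = s - prev
            prev = s
        }
        END { print (min == "" ? -1 : min) }'
}

# Can a local --ping-restart window of $1 seconds tolerate a peer
# that pings only every $2 seconds? Leave room for two peer pings so
# that a single lost ping does not restart the tunnel.
timers_compatible() {
    [ "$1" -ge $((2 * $2)) ]
}

# The thread's original pairing: ZS --ping-restart 7 versus OpenWrt keepalive 10 60.
timers_compatible 7 10 || echo "ping-restart 7 cannot survive a peer ping interval of 10 s"
# After the fix: --keepalive 10 60 on both ends (ping 10, ping-restart 60).
timers_compatible 60 10 && echo "keepalive 10 60 on both ends is consistent"
echo "restarts: $(count_restarts "$SAMPLE_LOG"), shortest gap: $(min_restart_interval "$SAMPLE_LOG") s"
```

Run against a real ZS log, a shortest gap only a couple of seconds above the configured --ping-restart is the signature of the mismatch this thread describes.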
October 25, 2010 at 7:15 pm #51192
dr1 (Member)

For simplicity you can specify those options in the Extra options because it will accept them twice. I believe it won't accept keepalive if the ping options are set, but you can set the ping options twice, and keepalive is just a simplified way to set the ping options.
Another option is to set the value on the other side of the VPN to be compatible with the 7-second reset.

I see this more as a feature request to have ALL the options be adjustable from the GUI, and I'd agree!
October 26, 2010 at 6:43 am #51193
ppalias (Member)

Yeah, the problem was that I could not add the "keepalive" option, since the script itself had the "ping" option. Thus I had to rewrite the script. Obviously having full control over what is loaded via the GUI would be great.
May 19, 2011 at 2:09 pm #51194
Anonymous (Member)

DELETED
May 19, 2011 at 6:06 pm #51195
imported_fulvio (Participant)

Could you try with beta14, which uses the keepalive option?