
[Openvpn-users] ECONNREFUSED and packet flood


  • Subject: [Openvpn-users] ECONNREFUSED and packet flood
  • From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
  • Date: 18 Feb 2004 21:50:57 -0800

Weird issue with openvpn-1.6_beta6 on Fedora Core 1:

At some point, syslog goes nuts with messages such as...

Feb 17 00:00:05 styx openvpn[2275]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Feb 17 00:00:05 styx openvpn[2275]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Feb 17 00:00:05 styx openvpn[2260]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Feb 17 00:00:05 styx openvpn[2260]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

...and it just keeps on going, until someone logs into the server to
cycle the openvpn service.
At the time the messages are spewed to the logs, openvpn generates a lot
of traffic, gobbling up the external bandwidth (I can see it in MRTG,
it's a big nasty hump) and essentially performing a do-it-yourself DoS
on the Internet pipe.

The clients are typical Win2K machines on dynamic addresses.

Here's a typical config on the server:

#########################################
port XXXX
dev tap0
secret XXXXXXXX.key
local XXXXXXXXXXXXX.190
fragment 1400
mssfix
ping 10
comp-lzo
user XXXXXXXXX
group XXXXXXXXX
verb 2
#########################################

What can I do to fix it?

Am I correct to assume that the --ping-timer-rem would help in this
scenario? Maybe in combination with --ping-restart?
If so, what would be some good values for the parameters? I'm
contemplating a combination such as:

ping 10
ping-restart 30
ping-timer-rem

Is 30 too conservative?

Ideally, I'd like to preserve "ping 10" in the config, but put the
server in listen mode if the client goes on strike.

Above all, I want to avoid flooding the Internet pipe!

Thank you,

-- 
Florin Andrei

http://florin.myip.org/
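
An added example, not part of the original message: a small detector that counts the ECONNREFUSED read errors quoted above per openvpn PID and per minute, so the flood can raise an alert instead of being noticed later in MRTG. The function name, the threshold of 100 and the sample lines are assumptions made for this example, as is the "last message repeated N times" line that syslogd may write when it collapses identical consecutive messages.

```python
import re
from collections import Counter

# Syslog prefix plus the openvpn message quoted in the post. Only the first
# half of the message is required, so mail-wrapped lines still match.
ECONN = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ openvpn\[(\d+)\]: "
                   r"read UDPv4 \[ECONNREFUSED\]")
# Assumption: syslogd collapses identical consecutive lines into this form.
REPEAT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ "
                    r"last message repeated (\d+) times?")

# Constructed sample (host and PIDs borrowed from the post, counts invented).
MSG = "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)"
SAMPLE = [
    f"Feb 17 00:00:05 styx openvpn[2275]: {MSG}",
    f"Feb 17 00:00:05 styx openvpn[2260]: {MSG}",
    f"Feb 17 00:00:05 styx openvpn[2260]: {MSG}",
    "Feb 17 00:00:06 styx last message repeated 240 times",
    f"Feb 17 00:00:07 styx openvpn[2275]: {MSG}",
    f"Feb 17 00:01:10 styx openvpn[2275]: {MSG}",
]


def flood_minutes(lines, threshold=100):
    """Return {(pid, 'Mon D HH:MM'): count} for every minute in which one
    openvpn process logged at least `threshold` ECONNREFUSED read errors."""
    counts = Counter()
    last_pid = None  # PID of the preceding ECONNREFUSED line, if any
    for line in lines:
        m = ECONN.match(line)
        if m:
            last_pid = int(m.group(2))
            counts[(last_pid, m.group(1))] += 1
            continue
        r = REPEAT.match(line)
        if r and last_pid is not None:
            # Repeats refer to the previous line, so credit the same PID.
            counts[(last_pid, r.group(1))] += int(r.group(2))
            continue
        # A wrapped continuation keeps the run; any other message ends it.
        if line.strip() and not line.startswith("Connection refused"):
            last_pid = None
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (pid, minute), n in flood_minutes(SAMPLE).items():
        print(f"openvpn[{pid}] logged {n} ECONNREFUSED errors at {minute}")
```
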


