Community discussions

MikroTik App
 
meconiotronic
newbie
Topic Author
Posts: 30
Joined: Wed Mar 14, 2012 9:50 am

Open VPN server on CHR trouble with 7.8

Tue Mar 07, 2023 2:35 pm

Hi, i have upgraded my CHR ovpn concentrator/dude server to the latest 7.8 from 7.7. It has 2 virtual cpu 1.699 Mhz and 4 giga of ram. I have 122 client connecting on it. When i have upgraded this at reboot i obtain cpu 100% on both cores and profiles show cpu consumption to 100% about ssl, i thing that a massive connect of all of my client saturated it. So i have created this firewall filter rule:
chain=input action=drop connection-state=!established protocol=tcp src-address-list=!Whitelist_ip dst-port=1194 log=no log-prefix=""
If i disable this rule for some second and reactivating it i can reconnect all of my clients a little at a time. When all 122 client are connected the cpu load decerase from 100% to 5-20% and all working OK. But it seems that after some amount of time the problem appear again. I find the virtual machine rebooted (watchdog?) and cpu 100%. with 50% of clients connected. Is a know problem?

I had similar problems with version 7.7 too, but after having connected all the clients helping the server with that firewall rule the connections remained stable for months without ever dropping. From version 7.8 after some random time start to drop and both cpu become 100% saturated.
I've tried unencrypting some clients "none/[null-digest]" in an attempt to lighten the load but that doesn't seem to make any difference. For now there is something that i can do for make my network working again?

7.7 saturate the cpu only on massive client reconnection, but accepting them a little at a time they work forever, cpu usage with all clients connected seems perfectly normal 5-20%.
7.8 saturate the cpu on massive client reconnection, accepting them a little at a time work for some hour, then randomly the cpu goes up to 100% anyway and drops me half of the clients or the CHR reboot itself.
Last edited by meconiotronic on Fri Mar 10, 2023 9:30 am, edited 1 time in total.
 
meconiotronic
newbie
Topic Author
Posts: 30
Joined: Wed Mar 14, 2012 9:50 am

Re: Open VPN server on CHR trouble with 7.8

Thu Mar 09, 2023 9:32 am

There is a new voice in ovpn server "Key renegotiate sec" if i set to zero help a little bit but after several hour cpu 100% and same problem :(.
 
meconiotronic
newbie
Topic Author
Posts: 30
Joined: Wed Mar 14, 2012 9:50 am

Re: Open VPN server on CHR trouble with 7.8

Fri Mar 10, 2023 9:31 am

Nothing, key renegotiation sec value doesnt change anything, after several hour the issue happen again.
 
Gesuino
just joined
Posts: 14
Joined: Mon Jan 21, 2019 5:28 pm

Re: Open VPN server on CHR trouble with 7.8

Mon Mar 13, 2023 6:36 pm

Same here, downgrading to 7.7 work again.
 
ShayanPAL
newbie
Posts: 47
Joined: Thu Dec 19, 2019 12:20 pm

Re: Open VPN server on CHR trouble with 7.8

Wed Mar 29, 2023 1:39 am

Hi Meconiotronic

I have the very exact same problem
do you mean that downgrading to 7.7 and using the rule
chain=input action=drop connection-state=!established protocol=tcp src-address-list=!Whitelist_ip dst-port=1194 log=no log-prefix=""
will work fine?
 
KisukeCZE
just joined
Posts: 7
Joined: Sat Jan 29, 2022 1:06 pm

Re: Open VPN server on CHR trouble with 7.8

Wed Mar 29, 2023 10:09 pm

Anyone tested OVPN on 7.8 over UDP.
For case I experienced it seems OK over UDP, no more kernel crashes or high CPU load. See this. But we have HW router...
 
monkez
just joined
Posts: 5
Joined: Thu Feb 13, 2014 1:37 pm
Location: Příbram, Czech Republic
Contact:

Re: Open VPN server on CHR trouble with 7.8

Mon Oct 09, 2023 6:19 pm

I experience exactly same issue (OVPN server, CHR, 7.11.2, 2x3GHz CPU, 1 GB RAM).
Each hour (default key renegotiation) I lose cca 50% of OVPN clients.

Anyone tried 7.12rc1? They mention "*) ovpn - improved system stability;".
 
User avatar
raphaps
just joined
Posts: 22
Joined: Fri Feb 03, 2023 12:29 am
Location: Brasil
Contact:

Re: Open VPN server on CHR trouble with 7.8

Mon Oct 09, 2023 10:18 pm

I experience exactly same issue (OVPN server, CHR, 7.11.2, 2x3GHz CPU, 1 GB RAM).
Each hour (default key renegotiation) I lose cca 50% of OVPN clients.

Anyone tried 7.12rc1? They mention "*) ovpn - improved system stability;".

These issues with openvpn are chronic in version 7. I have an open support ticket addressing similar problems. I was able to stabilize the connections by making some changes. The first one was disabling "key renegotiate sec" by setting the value to 0 on the OpenVPN server. Then, I disabled renegotiation on the clients as well, using the "reneg-sec 0" option. Lastly, in the profile used on the OpenVPN server, in the "only one" option, I leave it marked as "no." This way, I haven't had any more issues.

Who is online

Users browsing this forum: Semrush [Bot] and 26 guests