Hi, i have upgraded my CHR ovpn concentrator/dude server to the latest 7.8 from 7.7. It has 2 virtual cpu 1.699 Mhz and 4 giga of ram. I have 122 client connecting on it. When i have upgraded this at reboot i obtain cpu 100% on both cores and profiles show cpu consumption to 100% about ssl, i thing that a massive connect of all of my client saturated it. So i have created this firewall filter rule:
chain=input action=drop connection-state=!established protocol=tcp src-address-list=!Whitelist_ip dst-port=1194 log=no log-prefix=""
If i disable this rule for some second and reactivating it i can reconnect all of my clients a little at a time. When all 122 client are connected the cpu load decerase from 100% to 5-20% and all working OK. But it seems that after some amount of time the problem appear again. I find the virtual machine rebooted (watchdog?) and cpu 100%. with 50% of clients connected. Is a know problem?
I had similar problems with version 7.7 too, but after having connected all the clients helping the server with that firewall rule the connections remained stable for months without ever dropping. From version 7.8 after some random time start to drop and both cpu become 100% saturated.
I've tried unencrypting some clients "none/[null-digest]" in an attempt to lighten the load but that doesn't seem to make any difference. For now there is something that i can do for make my network working again?
7.7 saturate the cpu only on massive client reconnection, but accepting them a little at a time they work forever, cpu usage with all clients connected seems perfectly normal 5-20%.
7.8 saturate the cpu on massive client reconnection, accepting them a little at a time work for some hour, then randomly the cpu goes up to 100% anyway and drops me half of the clients or the CHR reboot itself.