openvpn ON vps offen very high CPU use

[fareign]

1. port forward use openvpn.
2. break down wan
3. pull back.
4. then openvpn ON VPS is high CPU use.

Specifications

• OpenMPTCProuter version: 0.62 6.6kernel
• OpenMPTCProuter VPS version: 0.1032 -test
• OpenMPTCProuter VPS provider:
• OpenMPTCProuter platform: rpi4
• Country:

[Ysurac]

It's more fail2ban the is using the CPU here. Can you try to install latest test script ?

[fareign]

It's more fail2ban the is using the CPU here. Can you try to install latest test script ?

is the latest. use MLVPN.,nerver cause this.

[Ysurac]

Latest from when ? MLVPN is not protected by fail2ban

[fareign]

wget -O - https://www.openmptcprouter.com/server-test/debian-x86_64.sh | KERNEL="6.6" sh

[Ysurac]

The question is when, to know when you updated script for latest time, as I made some changes in fail2ban config.

[fareign]

today. I see you change some config, so I test it.but ,still have the problem

[fareign]

root@iZm5e727udorfq8cpb5razZ:~# journalctl -r -u fail2ban Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Consumed 1min 22.475s CPU time. Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Failed with result 'exit-code'. Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Control process exited, code=exited, status=255/EXCEPTION Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ fail2ban-client[91820]: 2025-06-19 22:15:13,787 fail2ban [91820]: ERROR Failed to access socket path> Jun 19 21:52:25 iZm5e727udorfq8cpb5razZ fail2ban-server[506]: Server ready Jun 19 21:52:23 iZm5e727udorfq8cpb5razZ fail2ban-server[506]: 2025-06-19 21:52:23,064 fail2ban.configreader [506]: WARNING 'allowipv6' not defined in 'Defi> Jun 19 21:52:22 iZm5e727udorfq8cpb5razZ systemd[1]: Started fail2ban.service - Fail2Ban Service. -- Boot 8a11417028a94c1392a9d7458df6ab86 -- Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Consumed 2.271s CPU time. Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ systemd[1]: Stopped fail2ban.service - Fail2Ban Service. Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Deactivated successfully. Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ fail2ban-client[38912]: Shutdown successful Jun 19 21:51:55 iZm5e727udorfq8cpb5razZ systemd[1]: Stopping fail2ban.service - Fail2Ban Service... Jun 19 21:42:09 iZm5e727udorfq8cpb5razZ fail2ban-server[536]: Server ready Jun 19 21:42:07 iZm5e727udorfq8cpb5razZ fail2ban-server[536]: 2025-06-19 21:42:07,214 fail2ban.configreader [536]: WARNING 'allowipv6' not defined in 'Defi> Jun 19 21:42:06 iZm5e727udorfq8cpb5razZ systemd[1]: Started fail2ban.service - Fail2Ban Service. -- Boot 682f1d5ac9ae443185ceea8ec2e78c31 -- Jun 19 21:25:34 iZj6c1yoltwixb045jitd8Z fail2ban-server[2174]: Server ready Jun 19 21:25:31 iZj6c1yoltwixb045jitd8Z fail2ban-server[2174]: 2025-06-19 21:25:31,331 fail2ban.configreader [2174]: WARNING 'allowipv6' not defined in 'De> Jun 19 21:25:30 iZj6c1yoltwixb045jitd8Z systemd[1]: Started fail2ban.service - Fail2Ban Service. -- Boot 0185e815a745460fba78c1436223aa6f -- Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z systemd[1]: fail2ban.service: Failed with result 'exit-code'. Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z fail2ban-server[80924]: 2025-06-19 20:53:47,629 fail2ban [80924]: ERROR Async configuration of serve> Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z fail2ban-server[80924]: 2025-06-19 20:53:47,621 fail2ban [80924]: ERROR Failed during configuration:> Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z fail2ban-server[80924]: 2025-06-19 20:53:47,584 fail2ban.configreader [80924]: WARNING 'allowipv6' not defined in '> Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z systemd[1]: Started fail2ban.service - Fail2Ban Service. ...skipping... Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Consumed 1min 22.475s CPU time. Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Failed with result 'exit-code'. Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Control process exited, code=exited, status=255/EXCEPTION Jun 19 22:15:13 iZm5e727udorfq8cpb5razZ fail2ban-client[91820]: 2025-06-19 22:15:13,787 fail2ban [91820]: ERROR Failed to access socket path> Jun 19 21:52:25 iZm5e727udorfq8cpb5razZ fail2ban-server[506]: Server ready Jun 19 21:52:23 iZm5e727udorfq8cpb5razZ fail2ban-server[506]: 2025-06-19 21:52:23,064 fail2ban.configreader [506]: WARNING 'allowipv6' not defined in 'Defi> Jun 19 21:52:22 iZm5e727udorfq8cpb5razZ systemd[1]: Started fail2ban.service - Fail2Ban Service. -- Boot 8a11417028a94c1392a9d7458df6ab86 -- Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Consumed 2.271s CPU time. Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ systemd[1]: Stopped fail2ban.service - Fail2Ban Service. Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ systemd[1]: fail2ban.service: Deactivated successfully. Jun 19 21:51:57 iZm5e727udorfq8cpb5razZ fail2ban-client[38912]: Shutdown successful Jun 19 21:51:55 iZm5e727udorfq8cpb5razZ systemd[1]: Stopping fail2ban.service - Fail2Ban Service... Jun 19 21:42:09 iZm5e727udorfq8cpb5razZ fail2ban-server[536]: Server ready Jun 19 21:42:07 iZm5e727udorfq8cpb5razZ fail2ban-server[536]: 2025-06-19 21:42:07,214 fail2ban.configreader [536]: WARNING 'allowipv6' not defined in 'Defi> Jun 19 21:42:06 iZm5e727udorfq8cpb5razZ systemd[1]: Started fail2ban.service - Fail2Ban Service. -- Boot 682f1d5ac9ae443185ceea8ec2e78c31 -- Jun 19 21:25:34 iZj6c1yoltwixb045jitd8Z fail2ban-server[2174]: Server ready Jun 19 21:25:31 iZj6c1yoltwixb045jitd8Z fail2ban-server[2174]: 2025-06-19 21:25:31,331 fail2ban.configreader [2174]: WARNING 'allowipv6' not defined in 'De> Jun 19 21:25:30 iZj6c1yoltwixb045jitd8Z systemd[1]: Started fail2ban.service - Fail2Ban Service. -- Boot 0185e815a745460fba78c1436223aa6f -- Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z systemd[1]: fail2ban.service: Failed with result 'exit-code'. Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z fail2ban-server[80924]: 2025-06-19 20:53:47,629 fail2ban [80924]: ERROR Async configuration of serve> Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z fail2ban-server[80924]: 2025-06-19 20:53:47,621 fail2ban [80924]: ERROR Failed during configuration:> Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z fail2ban-server[80924]: 2025-06-19 20:53:47,584 fail2ban.configreader [80924]: WARNING 'allowipv6' not defined in '> Jun 19 20:53:47 iZj6c1yoltwixb045jitd8Z systemd[1]: Started fail2ban.service - Fail2Ban Service.

[Ysurac]

Really strange log: You know why there is a so strange time order ?

[fareign]

Really strange log: You know why there is a so strange time order ?

can I remove fail2ban? it seems can work without fail2ban

[fareign]

I stop fail2ban. openvpn still have High cpu USE.

root@iZm5e727udorfq8cpb5razZ:~# journalctl -r -u openvpn Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: Finished openvpn.service - OpenVPN service. Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: Starting openvpn.service - OpenVPN service... Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: Finished openvpn.service - OpenVPN service. Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: Starting openvpn.service - OpenVPN service... Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: Stopping openvpn.service - OpenVPN service... Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: Stopped openvpn.service - OpenVPN service. Jun 19 23:30:59 iZm5e727udorfq8cpb5razZ systemd[1]: openvpn.service: Deactivated successfully. Jun 19 22:40:44 iZm5e727udorfq8cpb5razZ systemd[1]: Finished openvpn.service - OpenVPN service. Jun 19 22:40:44 iZm5e727udorfq8cpb5razZ systemd[1]: Starting openvpn.service - OpenVPN service... Jun 19 22:40:44 iZm5e727udorfq8cpb5razZ systemd[1]: Stopping openvpn.service - OpenVPN service... Jun 19 22:40:44 iZm5e727udorfq8cpb5razZ systemd[1]: Stopped openvpn.service - OpenVPN service. Jun 19 22:40:44 iZm5e727udorfq8cpb5razZ systemd[1]: openvpn.service: Deactivated successfully. Jun 19 22:33:46 iZm5e727udorfq8cpb5razZ systemd[1]: Finished openvpn.service - OpenVPN service.

##############################################

root@iZm5e727udorfq8cpb5razZ:~# journalctl -r -u systemd-journald Jun 19 23:30:34 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 1953083 messages from [email protected] Jun 19 23:30:04 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 1932599 messages from [email protected] Jun 19 22:41:06 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 484741 messages from [email protected] Jun 19 22:40:35 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 1554774 messages from [email protected] Jun 19 22:26:41 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 438491 messages from [email protected] Jun 19 22:19:13 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 1876027 messages from [email protected] Jun 19 22:18:43 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 764672 messages from [email protected] Jun 19 22:14:31 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 1022343 messages from [email protected] Jun 19 22:14:01 iZm5e727udorfq8cpb5razZ systemd-journald[227]: [🡕] Suppressed 1046527 messages from [email protected] Jun 19 21:52:11 iZm5e727udorfq8cpb5razZ systemd-journald[227]: Received client request to flush runtime journal. Jun 19 21:52:11 iZm5e727udorfq8cpb5razZ systemd-journald[227]: System Journal (/var/log/journal/46a51535db4b4570839e712193dae75c) is 16.0M, max 100.0M, 83.9M> Jun 19 21:52:11 iZm5e727udorfq8cpb5razZ systemd-journald[227]: Time spent on flushing to /var/log/journal/46a51535db4b4570839e712193dae75c is 34.490ms for 63> Jun 19 21:52:11 iZm5e727udorfq8cpb5razZ systemd-journald[227]: Runtime Journal (/run/log/journal/46a51535db4b4570839e712193dae75c) is 2.1M, max 16.8M, 14.7M > Jun 19 21:52:10 iZm5e727udorfq8cpb5razZ systemd-journald[227]: Journal started

[fareign]

Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107) Jun 19 23:41:09 iZm5e727udorfq8cpb5razZ ovpn-tun0[421597]: openmptcprouter/120.228.78.50:1308 read TCPv6_SERVER []: Transport endpoint is not connected (fd=10,code=107)

[fareign]

I think this is the real problem,tooooooooooo many erro log.

[Ysurac]

Yes. You know "120.228.78.50" IP ? if not I have to fix fail2ban because it doesn't seems to block it.

[fareign]

Yes. You know "120.228.78.50" IP ? if not I have to fix fail2ban because it doesn't seems to block it.

is wan IP. I disable TCPV6 in openvpn.conf .then have many tCPV4 LOG. this bug is easy to reproduce. use only one wan,then Unplug the network cable, then plug back.

[fareign]

Overview of changes in 2.6.11 Security fixes CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5) CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson) CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client (Reynir Björnsson)

[fareign]

@Ysurac there must be some problem with openvpn on VPS. I set verb to 0. only openVPN use 100%CPU, fail2ban and journalctl is OK.

[fareign]

seems disbaled #duplicate-cn have some effect

[Ysurac]

duplicate-cn is needed only when "Disable OpenVPN multi clients" is unchecked in System->OpenMPTCProuter->advanded settings tab.

[fareign]

so we still need to find out which make lots of log with duplicate-cn on.

[Ysurac]

I don't have this issue on any VPS. duplicate-cn can be disabled if you don't need it. I may enable it only when needed.

[fareign]

I don't have this issue on any VPS. duplicate-cn can be disabled if you don't need it. I may enable it only when needed.

I test kernel 6.12 is the same .

[YcarusHospital]

disabling duplictate-cn it's ok on both kernel 6.6 and 6.12 ?

[github-actions[bot]]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days