openvpn
DCO servers do not handle full --ifconfig-pool gracefully
Describe the bug
TCP servers do not properly expire clients, so the pool fills, and when the pool is full, clients can no longer connect and the syslog is full of "DCO errors"
To Reproduce
run a TCP server, connect a few 10.000 clients with different usernames (=new IP address assignment per client), disconnect right away
Expected behavior
dco-linux needs to inform userland about closed TCP sessions, but until this can be done, userland should log this in a more useful way (see below)
Version information (please complete the following information):
- OS: Ubuntu 20.04
- OpenVPN version: master + bandaid patch, as of Dec 22, 2022
Additional context
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: 2001:608:0:814::f000:21 [gremlin46393] Peer Connection Initiated with [AF_INET6]2001:608:0:814::f000:21:24792
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 MULTI: no free --ifconfig-pool addresses are available
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 MULTI: no dynamic or static remote--ifconfig address is available for gremlin46393/2001:608:0:814::f000:21
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: peer-id 0, fd 9, remote addr: [undefined]
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: netlink reports error (-7): Invalid input data or parameter: No such file or directory (errno=2)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: failed to send netlink message: Invalid argument (-22)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 Cannot add peer to DCO for gremlin46393/2001:608:0:814::f000:21: Invalid argument (-22)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 Delayed exit in 5 seconds
retest this with 2.7 and overflowing pool
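A log triage sketch for the excerpt above, added here as an example (it is not OpenVPN code and not part of the original report): it separates DCO peer-add failures that follow a pool-exhaustion message for the same client from those that do not, so a full `--ifconfig-pool` is not misread as a DCO fault. It assumes the syslog line layout shown in the excerpt; `triage`, `SAMPLE_LOG` and the last sample line are constructed for illustration.

```python
import re

# Syslog layout assumed from the excerpt: "<date> <host> <tag>[<pid>]: <client> <message>"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<tag>[^\[\s]+)\[(?P<pid>\d+)\]: "
                  r"(?P<client>\S+) (?P<msg>.*)$")
POOL_FULL = "MULTI: no free --ifconfig-pool addresses are available"
DCO_FAIL = re.compile(r"dco_new_peer: (netlink reports error|failed to send netlink message)"
                      r"|Cannot add peer to DCO")

# First four lines are taken from the report; the last line is constructed.
SAMPLE_LOG = """\
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 MULTI: no free --ifconfig-pool addresses are available
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: netlink reports error (-7): Invalid input data or parameter: No such file or directory (errno=2)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: failed to send netlink message: Invalid argument (-22)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 Cannot add peer to DCO for gremlin46393/2001:608:0:814::f000:21: Invalid argument (-22)
Dec 22 12:05:00 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: example-user/192.0.2.10 dco_new_peer: failed to send netlink message: Invalid argument (-22)
"""


def triage(log_text):
    """Classify DCO peer-add failures as a symptom of pool exhaustion
    (same pid and client were refused an address earlier) or unexplained."""
    pool_full = set()  # (pid, client) pairs that got no pool address
    report = {"pool_exhausted": [], "dco_symptom": 0, "dco_unexplained": 0}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed layout, skip
        key = (m["pid"], m["client"])
        if POOL_FULL in m["msg"]:
            if key not in pool_full:
                pool_full.add(key)
                report["pool_exhausted"].append(m["client"])
        elif DCO_FAIL.search(m["msg"]):
            bucket = "dco_symptom" if key in pool_full else "dco_unexplained"
            report[bucket] += 1
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A rising `pool_exhausted` count on a TCP server is the signal to alert on; `dco_unexplained` entries are the ones that still need separate investigation.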