Message ID | Yt2Fdvaom94pVcOQ@benares |
---|---|
State | Rejected |
Series | [Openvpn-devel] PUSH_BUNDLE_SIZE is too short |
Hi,

On Sun, Jul 24, 2022 at 07:46:30PM +0200, Angel Abad wrote:
> Hello, we have problem with a large used openvpn server, our server push to clients
> almost 150 routes, we haven't problem with windows clients, but with linux clients push
> options are cut, and the clients fail to configure because the route commands are cut.

Can you please show a log file that demonstrates the problem?

I know that ValdikSS was/is using openvpn with many 1000 routes pushed, and besides "installation takes very long" he did not report problems.

gert
Hi,
On Sun, Jul 24, 2022 at 08:59:53PM +0200, Gert Doering wrote:
> Can you please show a log file that demonstrates the problem?
Oh, and "what software is running on the server side"? Long push replies
have to be split, and if there is something non-official which does not
split the to-be-sent records as the official server does, it's not a
client side bug.
gert
On 24.07.22 at 19:46, Angel Abad wrote:
> Description: PUSH_BUNDLE_SIZE is too short
> Author: Angel Abad <angel@debian.org>
> ---
>
> Hello, we have problem with a large used openvpn server, our server push to clients
> almost 150 routes, we haven't problem with windows clients, but with linux clients push
> options are cut, and the clients fail to configure because the route commands are cut.
>
> We look code and verify that push bundle size is only 1024, so push options on linux are cut
> on this size. We looked openvpn3 too, and there this limit is 2048
>
> https://github.com/OpenVPN/openvpn3/blob/e1a35028a82acaf5ae6caeae321d83c36477d27c/openvpn/tun/linux/client/sitnl.hpp#L50

That is the buffer size of the netlink socket. That has absolutely nothing to do with PUSH bundle size. The maximum PUSH bundle size that OpenVPN3 will generate is also 1024:

https://github.com/OpenVPN/openvpn3/blob/master/openvpn/options/continuation_fragment.hpp#L42

>
> Could you please increase this limit on openvpn2 or provide a configuration option to
> increase it?

There are patches from me for master that allow adjusting control channel max size. However, our OpenVPN 2 server code should never send a push message that exceeds the 1024 byte limit. Increasing this size for both client and server will break existing setups.

Can you explain your setup and how to reproduce the bug? In the current form this patch is a NAK from me.

Arne
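Added example, not part of the thread and not OpenVPN's own code: a simplified sender-side model of the splitting the two replies above describe, packing pushed options into messages that each stay within the 1024-byte limit. It assumes the `push-continuation 2` / `push-continuation 1` markers that OpenVPN 2 uses to chain a split reply; `split_push_reply`, `demo` and `longest_len` are hypothetical names, and the route list is constructed.

```c
#include <stdio.h>
#include <string.h>
#define BUNDLE 1024                       /* the 1024-byte limit from the thread */
#define CONT_MORE ",push-continuation 2"  /* more messages follow */
#define CONT_LAST ",push-continuation 1"  /* last message of a split reply */

/* Pack options into messages that each fit BUNDLE bytes including the NUL.
 * Returns the message count, or -1 on an oversized option or too few slots. */
int split_push_reply(const char *const *opts, size_t n, char msgs[][BUNDLE], int max)
{
    const size_t reserve = strlen(CONT_MORE);  /* both markers have this length */
    int count = 0;
    size_t i = 0;
    do {
        if (count == max) return -1;
        char *m = msgs[count];
        size_t len = (size_t)snprintf(m, BUNDLE, "PUSH_REPLY"), start = i;
        while (i < n && len + 1 + strlen(opts[i]) + reserve < BUNDLE)
            len += (size_t)snprintf(m + len, BUNDLE - len, ",%s", opts[i++]);
        if (i < n && i == start) return -1;    /* one option alone is too long */
        if (i < n) strcat(m, CONT_MORE);       /* room was reserved above */
        else if (count > 0) strcat(m, CONT_LAST);
        count++;
    } while (i < n);
    return count;
}

size_t longest_len;  /* longest message produced by the last demo() call */
/* Constructed sample: n /24 routes, like the ~150 routes in the report. */
int demo(int n)
{
    static char routes[512][64], msgs[32][BUNDLE];
    static const char *opts[512];
    if (n < 0 || n > 512) return -1;
    for (int i = 0; i < n; i++) {
        snprintf(routes[i], sizeof routes[i], "route 10.%d.%d.0 255.255.255.0", i / 256, i % 256);
        opts[i] = routes[i];
    }
    int c = split_push_reply(opts, (size_t)n, msgs, 32);
    longest_len = 0;
    for (int k = 0; k < c; k++)
        if (strlen(msgs[k]) > longest_len) longest_len = strlen(msgs[k]);
    return c;
}

int main(void)
{
    int c = demo(150);
    printf("messages=%d longest=%zu\n", c, longest_len);
}
```

With 150 constructed routes the reply goes out as five messages, none reaching 1024 bytes, so a receiver with a 1024-byte bundle buffer never has to truncate a route.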
On 24.07.22 at 19:46, Angel Abad wrote:
> Description: PUSH_BUNDLE_SIZE is too short
> Author: Angel Abad <angel@debian.org>
> ---
>
> Hello, we have problem with a large used openvpn server, our server push to clients
> almost 150 routes, we haven't problem with windows clients, but with linux clients push
> options are cut, and the clients fail to configure because the route commands are cut.
>
> We look code and verify that push bundle size is only 1024, so push options on linux are cut
> on this size. We looked openvpn3 too, and there this limit is 2048
>
> https://github.com/OpenVPN/openvpn3/blob/e1a35028a82acaf5ae6caeae321d83c36477d27c/openvpn/tun/linux/client/sitnl.hpp#L50
>
> Could you please increase this limit on openvpn2 or provide a configuration option to
> increase it?

I created a bug in Softether for this problem since I believe that this is what you are using:

https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1639

This should be fixed on their side instead of creating an incomplete/incompatible OpenVPN fix that will break after a few more routes anyway.

Arne
Hi, sorry for my late reply!

We use on server side managed AWS Clientvpn product[1], but we haven't the problem with macosX or windows laptops, only with linux (ubuntu, centos and debian).

Bye,

[1] https://docs.aws.amazon.com/es_es/vpn/latest/clientvpn-admin/what-is.html

On Sun, 24 Jul 2022 at 21:12, Gert Doering (<gert@greenie.muc.de>) wrote:
> Hi,
>
> On Sun, Jul 24, 2022 at 08:59:53PM +0200, Gert Doering wrote:
> > Can you please show a log file that demonstrates the problem?
>
> Oh, and "what software is running on the server side"? Long push replies
> have to be split, and if there is something non-official which does not
> split the to-be-sent records as the official server does, it's not a
> client side bug.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert@greenie.muc.de
Hi,

On Fri, Aug 05, 2022 at 08:58:05AM +0200, Angel Abad wrote:
> Hi, sorry for my late reply!
>
> We use on server side managed AWS Clientvpn product[1], but we haven't the
> problem with macosX or windows laptops, only with linux (ubuntu, centos and
> debian).

Which clients are you using on MacOS and Windows? OpenVPN 2.x should exhibit the same behaviour everywhere.

gert
On 05.08.2022 at 08:58, Angel Abad wrote:
> Hi, sorry for my late reply!
>
> We use on server side managed AWS Clientvpn product[1], but we
> haven't the problem with macosX or windows laptops, only with linux
> (ubuntu, centos and debian).
>

OpenVPN Connect which is based on OpenVPN 3.x might be more tolerant with accepting oversized PUSH replies. That however still does not make it a legal packet.

You should complain to Amazon. This is a bug on their side that they have to fix.

Arne
On Fri, 5 Aug 2022 at 9:59, Gert Doering (<gert@greenie.muc.de>) wrote:
> Hi,
>
> On Fri, Aug 05, 2022 at 08:58:05AM +0200, Angel Abad wrote:
> > Hi, sorry for my late reply!
> >
> > We use on server side managed AWS Clientvpn product[1], but we haven't the
> > problem with macosX or windows laptops, only with linux (ubuntu, centos and
> > debian).
>
> Which clients are you using on MacOS and Windows? OpenVPN 2.x should exhibit
> the same behaviour everywhere.
>

On windows we use: https://openvpn.net/client-connect-vpn-for-windows/ and the official AWS client: https://aws.amazon.com/es/vpn/client-vpn-download/

Thanks for your replies

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert@greenie.muc.de
--- openvpn-2.6.0~git20220518+dco.orig/src/openvpn/common.h +++ openvpn-2.6.0~git20220518+dco/src/openvpn/common.h @@ -72,7 +72,7 @@ typedef unsigned long ptr_type; * This parameter controls the maximum size of a bundle * of pushed options. */ -#define PUSH_BUNDLE_SIZE 1024 +#define PUSH_BUNDLE_SIZE 2048 /* * In how many seconds does client re-send PUSH_REQUEST if we haven't yet received a reply
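Review bot: the changed line `#define PUSH_BUNDLE_SIZE 2048` in common.h doubles a single compile-time constant that, per the comment directly above it, bounds every bundle of pushed options, and the hunk shows no separate value for sending versus receiving, so a binary built with this change can produce bundles that a peer still built with 1024 cannot hold. The comment block is left unchanged and says nothing about both ends needing the same value, and a fixed 2048 only moves the ceiling for a sender that does not split its replies. Suggest keeping 1024 here; if a larger buffer is wanted on the receiving side, make it a separate, documented constant or a negotiated setting instead of changing the shared define.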