| Message ID | Yt2Fdvaom94pVcOQ@benares |
|---|---|
| State | Rejected |
| Headers | Date: Sun, 24 Jul 2022 19:46:30 +0200; From: Angel Abad <angel@debian.org>; To: openvpn-devel@lists.sourceforge.net; Subject: [Openvpn-devel] [PATCH] PUSH_BUNDLE_SIZE is too short |
| Series | [Openvpn-devel] PUSH_BUNDLE_SIZE is too short |
Commit Message
Angel Abad
July 24, 2022, 7:46 a.m. UTC
Description: PUSH_BUNDLE_SIZE is too short
Author: Angel Abad <angel@debian.org>
---

Hello, we have problem with a large used openvpn server, our server push to clients
almost 150 routes, we haven't problem with windows clients, but with linux clients push
options are cut, and the clients fail to configure because the route commands are cut.

We look code and verify that push bundle size is only 1024, so push options on linux are cut
on this size. We looked openvpn3 too, and there this limit is 2048

https://github.com/OpenVPN/openvpn3/blob/e1a35028a82acaf5ae6caeae321d83c36477d27c/openvpn/tun/linux/client/sitnl.hpp#L50

Could you please increase this limit on openvpn2 or provide a configuration option to
increase it?

Thanks in advance!
Comments
Hi,

On Sun, Jul 24, 2022 at 07:46:30PM +0200, Angel Abad wrote:
> Hello, we have problem with a large used openvpn server, our server push to clients
> almost 150 routes, we haven't problem with windows clients, but with linux clients push
> options are cut, and the clients fail to configure because the route commands are cut.

Can you please show a log file that demonstrates the problem?

I know that ValdikSS was/is using openvpn with many 1000 routes pushed,
and besides "installation takes very long" he did not report problems.

gert
Hi,

On Sun, Jul 24, 2022 at 08:59:53PM +0200, Gert Doering wrote:
> Can you please show a log file that demonstrates the problem?

Oh, and "what software is running on the server side"? Long push replies
have to be split, and if there is something non-official which does not
split the to-be-sent records as the official server does, it's not a
client side bug.

gert
On 24.07.22 at 19:46, Angel Abad wrote:
> Description: PUSH_BUNDLE_SIZE is too short
> Author: Angel Abad <angel@debian.org>
> ---
>
> Hello, we have problem with a large used openvpn server, our server push to clients
> almost 150 routes, we haven't problem with windows clients, but with linux clients push
> options are cut, and the clients fail to configure because the route commands are cut.
>
> We look code and verify that push bundle size is only 1024, so push options on linux are cut
> on this size. We looked openvpn3 too, and there this limit is 2048
>
> https://github.com/OpenVPN/openvpn3/blob/e1a35028a82acaf5ae6caeae321d83c36477d27c/openvpn/tun/linux/client/sitnl.hpp#L50

That is the buffer size of the netlink socket. That has absolutely
nothing to do with PUSH bundle size. The maximum PUSH bundle size that
OpenVPN3 will generate is also 1024:

https://github.com/OpenVPN/openvpn3/blob/master/openvpn/options/continuation_fragment.hpp#L42

>
> Could you please increase this limit on openvpn2 or provide a configuration option to
> increase it?

There are patches from me for master that allow adjusting control
channel max size. However, our OpenVPN 2 server code should never send a
push message that exceeds the 1024 byte limit.

Increasing this size for both client and server will break existing
setups. Can you explain your setup and how to reproduce the bug?

In the current form this patch is a NAK from me.

Arne
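The splitting that Gert and Arne describe, as an added example that is not part of the thread and not OpenVPN's own code: options are packed into `PUSH_REPLY` messages that each stay within 1024 bytes, with `push-continuation 2` marking that more messages follow and `push-continuation 1` closing a split reply. The function names and the 10.0.x.0/24 routes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PUSH_BUNDLE_SIZE 1024             /* per-message limit from the thread */
#define HDR       "PUSH_REPLY"
#define CONT_MORE ",push-continuation 2"  /* more messages follow */
#define CONT_LAST ",push-continuation 1"  /* last message of a split reply */
#define RESERVE   sizeof(CONT_MORE)       /* marker plus terminating NUL */
/* Hypothetical helper (not OpenVPN's push.c): pack options into messages of at
 * most PUSH_BUNDLE_SIZE bytes, NUL included. Returns count, or -1 on overflow. */
int split_push_reply(const char *const *opts, size_t n_opts,
                     char msgs[][PUSH_BUNDLE_SIZE], size_t max_msgs)
{
    size_t m = 0, len = strlen(HDR);
    if (max_msgs == 0) return -1;
    strcpy(msgs[0], HDR);
    for (size_t i = 0; i < n_opts; i++) {
        size_t need = strlen(opts[i]) + 1;            /* ',' plus the option */
        if (strlen(HDR) + need + RESERVE > PUSH_BUNDLE_SIZE) return -1; /* too long */
        if (len + need + RESERVE > PUSH_BUNDLE_SIZE) {
            strcpy(msgs[m] + len, CONT_MORE);         /* room was reserved */
            if (++m == max_msgs) return -1;
            len = strlen(strcpy(msgs[m], HDR));       /* start the next message */
        }
        len += (size_t)snprintf(msgs[m] + len, PUSH_BUNDLE_SIZE - len, ",%s", opts[i]);
    }
    if (m > 0) strcpy(msgs[m] + len, CONT_LAST);      /* only when a split happened */
    return (int)(m + 1);
}

/* Constructed input: n_routes (0..256) /24 routes, split into demo_msgs. */
char demo_msgs[16][PUSH_BUNDLE_SIZE];
int demo_split(int n_routes)
{
    static char text[256][40];
    const char *opts[256];
    if (n_routes < 0 || n_routes > 256) return -1;
    for (int i = 0; i < n_routes; i++) {
        snprintf(text[i], sizeof text[i], "route 10.0.%d.0 255.255.255.0", i);
        opts[i] = text[i];
    }
    return split_push_reply(opts, (size_t)n_routes, demo_msgs, 16);
}

int main(void)
{
    int n = demo_split(150);                          /* the thread's ~150 routes */
    for (int k = 0; k < n; k++)
        printf("message %d: %zu bytes\n", k + 1, strlen(demo_msgs[k]));
    return n > 0 ? 0 : 1;
}
```

A sender that packs this way never needs a receiver buffer larger than 1024 bytes, however many routes are pushed.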
On 24.07.22 at 19:46, Angel Abad wrote:
> Description: PUSH_BUNDLE_SIZE is too short
> Author: Angel Abad <angel@debian.org>
> ---
>
> Hello, we have problem with a large used openvpn server, our server push to clients
> almost 150 routes, we haven't problem with windows clients, but with linux clients push
> options are cut, and the clients fail to configure because the route commands are cut.
>
> We look code and verify that push bundle size is only 1024, so push options on linux are cut
> on this size. We looked openvpn3 too, and there this limit is 2048
>
> https://github.com/OpenVPN/openvpn3/blob/e1a35028a82acaf5ae6caeae321d83c36477d27c/openvpn/tun/linux/client/sitnl.hpp#L50
>
> Could you please increase this limit on openvpn2 or provide a configuration option to
> increase it?

I created a bug in Softether for this problem since I believe that this
is what you are using:

https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1639

This should be fixed on their side instead of creating an
incomplete/incompatible OpenVPN fix that will break after a few more
routes anyway.

Arne
Hi, sorry for my late reply!

We use on server side managed AWS Clientvpn product[1], but we haven't the problem with macosX or windows laptops, only with linux (ubuntu, centos and debian).

Bye,

[1] https://docs.aws.amazon.com/es_es/vpn/latest/clientvpn-admin/what-is.html

On Sun, 24 Jul 2022 at 21:12, Gert Doering (<gert@greenie.muc.de>) wrote:

> Hi,
>
> On Sun, Jul 24, 2022 at 08:59:53PM +0200, Gert Doering wrote:
> > Can you please show a log file that demonstrates the problem?
>
> Oh, and "what software is running on the server side"? Long push replies
> have to be split, and if there is something non-official which does not
> split the to-be-sent records as the official server does, it's not a
> client side bug.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert@greenie.muc.de
>
Hi,

On Fri, Aug 05, 2022 at 08:58:05AM +0200, Angel Abad wrote:
> Hi, sorry for my late reply!
>
> We use on server side managed AWS Clientvpn product[1], but we haven't the
> problem with macosX or windows laptops, only with linux (ubuntu, centos and
> debian).

Which clients are you using on MacOS and Windows? OpenVPN 2.x should
exhibit the same behaviour everywhere.

gert
On 05.08.2022 at 08:58, Angel Abad wrote:
> Hi, sorry for my late reply!
>
> We use on server side managed AWS Clientvpn product[1], but we
> haven't the problem with macosX or windows laptops, only with linux
> (ubuntu, centos and debian).
>

OpenVPN Connect which is based on OpenVPN 3.x might be more tolerant
with accepting oversized PUSH replies. That however still does not make
it a legal packet.

You should complain to Amazon. This is a bug on their side that they
have to fix.

Arne
On Fri, 5 Aug 2022 at 9:59, Gert Doering (<gert@greenie.muc.de>) wrote:

> Hi,
>
> On Fri, Aug 05, 2022 at 08:58:05AM +0200, Angel Abad wrote:
> > Hi, sorry for my late reply!
> >
> > We use on server side managed AWS Clientvpn product[1], but we haven't the
> > problem with macosX or windows laptops, only with linux (ubuntu, centos and
> > debian).
>
> Which clients are you using on MacOS and Windows? OpenVPN 2.x should exhibit
> the same behaviour everywhere.
>

On windows we use: https://openvpn.net/client-connect-vpn-for-windows/ and
the official AWS client: https://aws.amazon.com/es/vpn/client-vpn-download/

Thanks for your replies

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert@greenie.muc.de
>
--- openvpn-2.6.0~git20220518+dco.orig/src/openvpn/common.h +++ openvpn-2.6.0~git20220518+dco/src/openvpn/common.h @@ -72,7 +72,7 @@ typedef unsigned long ptr_type; * This parameter controls the maximum size of a bundle * of pushed options. */ -#define PUSH_BUNDLE_SIZE 1024 +#define PUSH_BUNDLE_SIZE 2048 /* * In how many seconds does client re-send PUSH_REQUEST if we haven't yet received a reply
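Review bot: the `PUSH_BUNDLE_SIZE` define in src/openvpn/common.h is a single constant whose comment says it controls the maximum size of a bundle of pushed options, so changing it from 1024 to 2048 raises the limit for everything built from this header, with nothing in the hunk keeping the size a sender may emit separate from the size a receiver will accept. As raised in the thread, increasing the size for both client and server breaks existing setups, because peers still built with 1024 would be sent bundles larger than they take. If larger replies need to be tolerated, leave the sending limit at 1024, add a separate receive-side limit, and extend the comment above the define to state which direction each value governs.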