Topics - narfight

#1
17.1 Legacy Series / 100% CPU load by openvpn and syslogd
November 16, 2017, 11:42:35 AM
Hi,

I use an old Watchguard XTM505 with:
  • OPNsense 17.7.6-amd64
  • Intel(R) Celeron(R) CPU 440 @ 2.00GHz (1 core)
  • 3 GB of RAM
I have a problem with OpenVPN. My users (4 users connected simultaneously) tell me that the VPN is very slow. When I look at the CPU load, I see this:
last pid: 47564;  load averages:  1.45,  1.54,  1.41    up 6+22:30:52  11:37:19
163 processes: 4 running, 118 sleeping, 41 waiting
CPU: 41.4% user,  0.0% nice, 51.7% system,  6.9% interrupt,  0.0% idle
Mem: 43M Active, 1038M Inact, 320M Wired, 135M Buf, 1523M Free
Swap:

  PID USERNAME        PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
70144 root             87    0  1063M  7468K RUN      9:10  57.62% openvpn
24578 root             48    0  1051M  3016K RUN    206:45  35.85% syslogd
   12 root            -92    -     0K   656K WAIT   203:40   2.37% intr{irq257:
   12 root            -92    -     0K   656K WAIT    89:59   2.18% intr{irq261:
   12 root            -92    -     0K   656K WAIT    26:43   0.73% intr{irq273:
22407 root             20    0 20032K  4092K RUN      0:00   0.27% top
   12 root            -92    -     0K   656K WAIT    33:03   0.21% intr{irq258:
   12 root            -92    -     0K   656K WAIT     8:53   0.20% intr{irq262:
   12 root            -60    -     0K   656K WAIT    10:48   0.15% intr{swi4: c
    7 root            -16    -     0K    16K -       12:49   0.13% rand_harvest
   12 root            -92    -     0K   656K WAIT     1:53   0.08% intr{irq274:
14493 root             20    0  1091M  6804K select   0:00   0.03% sshd
    6 root            -16    -     0K    16K pftm     4:42   0.03% pf purge
   12 root            -92    -     0K   656K WAIT   268:29   0.02% intr{irq277:
90908 root             20    0  1049M  2764K select   2:25   0.02% apinger
   12 root            -72    -     0K   656K WAIT     3:31   0.01% intr{swi1: p
   12 root            -92    -     0K   656K WAIT     0:29   0.01% intr{irq20:
53819 squid            20    0  1067M  4576K select   0:04   0.01% pinger
75491 squid            20    0  1723M   605M kqread 877:05   0.01% squid
40796 dhcpd            20    0  1057M  8292K select   0:47   0.01% dhcpd
37732 squid            20    0  1067M  4572K select   0:18   0.00% pinger
31640 squid            20    0  1067M  4572K select   0:34   0.00% pinger
77885 squid            20    0  1067M  4572K select   0:34   0.00% pinger
(...)


Can you help me reduce the CPU load?

Thanks in advance
#2
Hello,

To apply rules to some users connected by OpenVPN, I use "Client Specific Overrides" to force the client's IP via the "Common name" field.

But the "Common name" field is case sensitive, unlike samAccountName from LDAP. If the client uses the login "MyLogin" and not "mylogin", my rules are ignored!!!

In LDAP, we can use "caseExactMatch" to force a case-sensitive search. If, on the LDAP server, I put "samAccountName:caseExactMatch:" in the "User naming attribute" field, the LDAP server correctly returns the username with its case, but the returned attribute name is "samAccountName" and not "samAccountName:caseExactMatch:", and OPNsense can't authenticate the connection.

Do you have a solution for this?
#3
Hello,

I tried to use "memberOf:1.2.840.113556.1.4.1941:=CN..." to get the list of users who are in nested groups for my VPN connection.

I use this configuration:
  • Type : LDAP
  • Hostname or IP address : 10.0.0.10
  • Port value : 389
  • Transport : TCP - Standard 
  • Protocol version : 3
  • Bind credentials : User DN: MyCorp\LDAP
  • Search scope : Entire Subtree 
  • Base DN : OU=Macell,DC=MyCorp,DC=org
  • Authentication containers : DC=MyCorp,DC=org
  • Extended Query : &(memberOf:1.2.840.113556.1.4.1941:=CN=TESTGROUP,OU=Remote Login,OU=00 Security Group,OU=Macell,DC=MyCorp,DC=org)
  • User naming attribute : sAMAccountName

The reply contains the users who are direct members of TESTGROUP and ... the list of groups that are members of this group.

Can you confirm that it is possible to use "1.2.840.113556.1.4.1941" on OPNsense?

Thank you
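As an added example (not from the post or from OPNsense's code), the following Python evaluates an Active Directory in-chain `memberOf` filter offline against a constructed directory, so the difference between a plain `memberOf=` match and the `1.2.840.113556.1.4.1941` rule can be seen without a live server. The group and user names, and the way `build_filter` composes the login clause with the extended query, are assumptions.

```python
from collections import deque

RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN
BASE = "OU=Macell,DC=MyCorp,DC=org"
TESTGROUP = f"CN=TESTGROUP,OU=Remote Login,OU=00 Security Group,{BASE}"
SUBGROUP = f"CN=SUBGROUP,OU=Remote Login,OU=00 Security Group,{BASE}"  # assumed nested group

# Constructed sample directory (DN -> attributes). memberOf is AD's back-link
# from an object to the groups that list it as a member.
DIRECTORY = {
    f"CN=Alice,OU=Users,{BASE}": {"objectClass": "user", "sAMAccountName": "alice",
                                  "memberOf": [TESTGROUP]},   # direct member
    f"CN=Bob,OU=Users,{BASE}": {"objectClass": "user", "sAMAccountName": "bob",
                                "memberOf": [SUBGROUP]},      # member via nesting only
    f"CN=Carol,OU=Users,{BASE}": {"objectClass": "user", "sAMAccountName": "carol",
                                  "memberOf": []},            # not a member at all
    SUBGROUP: {"objectClass": "group", "memberOf": [TESTGROUP]},
    TESTGROUP: {"objectClass": "group", "memberOf": []},
}
# AD compares DNs case-insensitively, so index by lower-cased DN.
INDEX = {dn.lower(): attrs for dn, attrs in DIRECTORY.items()}

def escape_filter_value(value):
    """RFC 4515 escaping so a DN containing ( ) * or \\ cannot break the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def build_filter(login, group_dn, user_attr="sAMAccountName"):
    """Complete search filter: login clause AND the in-chain memberOf clause (assumed composition)."""
    return (f"(&({user_attr}={escape_filter_value(login)})"
            f"(memberOf:{RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")

def transitive_member_of(dn):
    """Walk memberOf links upward the way the in-chain rule does; cycle-safe."""
    seen, todo = set(), deque(INDEX[dn.lower()]["memberOf"])
    while todo:
        g = todo.popleft().lower()
        if g not in seen:
            seen.add(g)
            todo.extend(INDEX.get(g, {}).get("memberOf", []))
    return seen

def matching_objects(group_dn, in_chain=True, users_only=True):
    """Objects the filter returns: logins for users, DNs for groups.
    in_chain=False emulates a plain memberOf= clause (direct members only);
    users_only=False shows that a bare memberOf clause also returns nested groups."""
    hits = set()
    for dn, attrs in DIRECTORY.items():
        if users_only and attrs["objectClass"] != "user":
            continue
        groups = transitive_member_of(dn) if in_chain else {g.lower() for g in attrs["memberOf"]}
        if group_dn.lower() in groups:
            hits.add(attrs.get("sAMAccountName", dn))
    return hits
```

With `users_only=False` the nested group itself is returned alongside the users, which matches the mix of users and groups the post describes; restricting the filter to user objects (as `build_filter` does via the login clause) removes the groups.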
#4
Hello,

I use OPNsense (OPNsense 17.7-amd64/FreeBSD 11.0-RELEASE-p11/OpenSSL 1.0.2l 25 May 2017) on a Watchguard XTM505.

When I create a new rule or update a rule and click "reload changes", there is no error but the change is not applied!

Filter reload log:
1503639532.2634: Initializing
1503639532.2636: Creating aliases
1503639532.2637: Generating NAT rules
1503639532.2638: Creating 1:1 rules...
1503639532.2639: Creating outbound NAT rules
1503639532.264: Creating automatic outbound rules
1503639532.3072: Creating NAT rule Rediriger le trafic vers le proxy
1503639532.355: Loading filter rules
1503639532.3721: Setting up logging information
1503639532.3722: Setting up SCRUB information
1503639532.3722: Generating rules
1503639532.3867: Creating IPsec rules...
1503639532.3868: Executing packet filter reload
1503639532.4187: Cleanup schedule states
1503639532.4244: Reloading filterdns daemon
1503639532.4245: Flushing schedule state
1503639532.4246: Processing down interface states
1503639532.4247: Done


I need to restart OPNsense to apply it correctly.... it's not very user friendly.

My test is very simple. I create a rule to allow or block ping on the interface:
IPv4 ICMP * * * * * Easy Rule: Passed from Firewall Log

Can you help me?

Thanks in advance