Bug#968942: openvpn: TCP socket backlog set too low

2020-09-01 Thread Bernhard Schmidt
Control: fixed -1 2.4.9-1

On Mon, Aug 24, 2020 at 02:12:30PM +0200, Martin Zobel-Helas wrote:

Hi,

> Also the kernel at the exact same times had the following lines:
> 
> # TCP: request_sock_TCP: Possible SYN flooding on port 1194. Dropping request. Check SNMP counters.
> 
> I dug around a little bit and found that this seems to be a known
> problem of openvpn below 2.4.8 on machines running kernels newer than
> 4.3.
> 
> This very same issue is described in [1]. The fix for this seems to be
> [2].

Thanks, marking as such. I plan both a stable update and a
buster-backport soon.

Bernhard



Bug#968942: openvpn: TCP socket backlog set too low

2020-08-24 Thread Martin Zobel-Helas
Package: openvpn
Version: 2.4.7-1
Severity: important
Tags: patch upstream
X-Debbugs-Cc: paul.v...@dg-i.net

Hi,

I recently upgraded an OpenVPN server that is mostly used for VPN over
TCP. The VPN server ran very unstable after the upgrade.

Also the kernel at the exact same times had the following lines:

# TCP: request_sock_TCP: Possible SYN flooding on port 1194. Dropping request. Check SNMP counters.

I dug around a little bit and found that this seems to be a known
problem of openvpn below 2.4.8 on machines running kernels newer than
4.3.

This very same issue is described in [1]. The fix for this seems to be
[2].

Please consider if this change could be brought into Debian 10 stable
update (e.g. 10.6), or at least provide a backport version in Debian
buster backports.

Thanks,
Martin

[1]: https://community.openvpn.net/openvpn/ticket/1208
[2]: https://community.openvpn.net/openvpn/changeset/ec0ca68f4ed1e6aa6f08f470b18e0198b7e5a4da/

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  iproute2               5.8.0-1
ii  libc6                  2.31-3
ii  liblz4-1               1.9.2-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.3.1-5
ii  libpkcs11-helper1      1.26-1+b1
ii  libssl1.1              1.1.1g-1
ii  libsystemd0            246.2-1
ii  lsb-base               11.1.0

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.6-1

Versions of packages openvpn suggests:
ii  openssl   1.1.1g-1
pn  openvpn-systemd-resolved  
pn  resolvconf

-- debconf information excluded

-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B
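
The kernel message quoted in this report says to check the SNMP counters. As an added example (not part of the original report and not OpenVPN code), the Python below reads the listen-queue counters from /proc/net/netstat text and flags listeners in `ss -ltn` output whose accept queue has reached its backlog limit. The inline samples are constructed, and the function names are chosen here for illustration.

```python
# Added example, not from the bug report. All sample data below is constructed.
# /proc/net/netstat holds the counters the kernel message points at: per
# protocol prefix, one header line of names followed by one line of values.
NETSTAT_T0 = """\
TcpExt: SyncookiesSent ListenOverflows ListenDrops TCPReqQFullDrop
TcpExt: 0 1874 1902 25
"""
NETSTAT_T1 = """\
TcpExt: SyncookiesSent ListenOverflows ListenDrops TCPReqQFullDrop
TcpExt: 0 1990 2021 28
"""
# `ss -ltn`: for LISTEN sockets Recv-Q is the current accept-queue length and
# Send-Q is the effective backlog (listen() argument, capped by somaxconn).
SS_LTN = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  2       1       0.0.0.0:1194        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

def parse_netstat(text, proto="TcpExt"):
    """Return {counter: int} for one protocol block of /proc/net/netstat."""
    rows = [ln.split()[1:] for ln in text.splitlines()
            if ln.startswith(proto + ":")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("malformed %s block" % proto)
    return dict(zip(rows[0], map(int, rows[1])))

def growth(before, after, names=("ListenOverflows", "ListenDrops")):
    """Counters are cumulative since boot, so compare two readings."""
    return {n: after[n] - before[n] for n in names}

def full_listeners(ss_text):
    """Return [(port, queued, backlog)] for listeners at or over their limit."""
    hits = []
    for ln in ss_text.splitlines():
        f = ln.split()
        if len(f) >= 4 and f[0] == "LISTEN":
            port = int(f[3].rsplit(":", 1)[1])
            queued, backlog = int(f[1]), int(f[2])
            if queued >= backlog:
                hits.append((port, queued, backlog))
    return hits

if __name__ == "__main__":
    t0, t1 = parse_netstat(NETSTAT_T0), parse_netstat(NETSTAT_T1)
    print("growth between readings:", growth(t0, t1))
    for port, queued, backlog in full_listeners(SS_LTN):
        print("port %d: accept queue %d, backlog %d" % (port, queued, backlog))
```

On a live host, pass the contents of /proc/net/netstat and the output of `ss -ltn` instead of the samples; counters that keep growing while one listener sits at its limit point to a backlog that is too small rather than to an actual flood.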