OpenVPN - Max VPN Clients Quantity and Connections

Hello everyone,

I’m new at IPFire and I have some doubts about the OpenVPN limitations running on IPFire.

1.- What is the maximum number of OpenVPN users and clients that I can create on the firewall?
2.- Max OpenVPN connections at the same time with different user IDs?
3.- Max OpenVPN connections at the same time with the same user ID? For example, “ebustos” with 2 OVPN clients at the same time.

Waiting for your early reply,

Best Regards

Enzo Bustos.
Telecom. & Networks Engineer.

Can anyone help with these questions, please?

Hello @ebustos - Welcome to the IPFire Community!

This may be more of a question for the OpenVPN group. I am guessing this depends more on OpenVPN than IPFire. And it depends on the hardware chosen.

I wanted to let you know that all of the people that respond to IPFire Community posts are volunteers. So questions may take a while for a response. (I am one of those volunteers.)

Hope that helps explain why immediate response is not available.

EDIT: here is some info about OpenVPN. It may not answer your questions but it might help get you started.
https://wiki.ipfire.org/configuration/services/openvpn


Hello @jon
My question is regarding the OpenVPN configuration, specifically the max-clients parameter in the advanced config. I reviewed the config by CLI and GUI. From the GUI I cannot configure more than 255 max-clients because the GUI does not permit more than that value. On the other hand, in the /ipfire/ovpn directory the file “settings” has a max-clients value; when I configured it to 400 max-clients, the GUI displayed that value.

So, I have some doubts about the max-clients configuration that the GUI permits, or whether the software only permits 255 max-clients for OpenVPN to support…

Waiting for early replies.

Best regards.

I am running some customers with 50+ connections on a 4-core Intel NUC, 8 GB RAM, without any problems. In fact the little box is practically sleeping all the time. The only limit is your network bandwidth and the hardware you’re using.

Hello @teejay
I certainly understand your comment, but my question is about the max-clients that IPFire can support in the configuration.

When you go to the advanced configuration of OpenVPN in the GUI you can see that max-clients is configured to 100. The maximum configuration permitted is 255, but by CLI in the “settings” file in /ipfire/ovpn/ you can modify the max-clients value past the 255 threshold. However, I don’t know if the software can support more than 255 concurrent clients working at the same time.

Best regards

Hi ebustos

That’s because you bypass the range checks implemented in the GUI. Please note that “unsupported” values may work, but are likely to be overwritten or removed when you save settings from the GUI again or during updates.

To the best of my knowledge, most of the advanced options are only passed on to the OpenVPN server software and are not used internally, e.g. to create firewall rules. Which in your case would mean that you should actually only be limited by the size of the subnet and OpenVPN’s capabilities. But please wait for this to be confirmed by a developer. I think @ummeegge knows best!

In the meantime, have you considered using static IP address pools? These pools allow you to organize clients into groups, and their size is determined by their subnet mask.

Hi all,

exactly, those changes would be overwritten if you change anything, or by simply pressing the save button in the web UI.

The transportnet will be used (listed) internally by the firewall if you want to use it; otherwise you are, to my knowledge, normally indeed limited by the bandwidth and hardware capabilities, but ovpnmain.cgi currently limits the max-clients amount to 255 → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi, which might be a historical holdover from the times when only ifconfig-pool-persist existed?! But I am not sure about this.
@ebustos, you can change this parameter via the above linked line, but be aware that with an update of ovpnmain.cgi your changes will also be overwritten. Therefore, it might be an idea to submit potential changes (a greater value) for max-clients to bugzilla → https://bugzilla.ipfire.org/ or even the development mailing list → Info | development@lists.ipfire.org - lists.ipfire.org might also be a good address for a talk about it.

Best,

Erik

Yes, I would say this was a “sanity check” from older days. I would suggest that someone changes that.

However, for a lot of connections, OpenVPN is not your tool of choice. All connections will be terminated in a single user space process which means that you will sooner or later max out one processor core and that is it. No matter how many you have, that will be your limiting factor - probably after bandwidth.


What upper limit would you suggest? I took a quick look at the source code of OpenVPN; there the limit seems to be set at 16777215 for 2.4.9:

Good question.

I am not entirely sure why this is configurable at all. OpenVPN’s default is 1024. Doesn’t sound bad, but what happens when someone exceeds that?

16777215 is probably not realistic :slight_smile:

I would remove the option and set a value of like 2048 or 4096.

--max-clients n
: Limit server to a maximum of n concurrent clients.

New incoming connections are denied if they would exceed this limit.

I can imagine why you would want to configure this. For example, if you have to create a large pool of clients, e.g. one for each employee, but don’t want to risk overloading the connection because it is actually designed for only a few concurrent users.

I agree with you that we should increase the limit to a reasonable number.

Hi all,
with a vast amount of clients, the best practice for OpenVPN might be to use multiple servers via --remote-random and an appropriate value for --server-poll-timeout. As Michael already mentioned, OpenVPN is single-threaded, and with a reneg-sec of 3600 (default) it is not that hard to calculate how many rekeyings need to be handled with, let’s say, 10000 clients (in that case the topic of an appropriate grid for a failover should in general be self-evident in my opinion), but since you did not mention any numbers nor other calculable values this is not science but fiction :slightly_smiling_face: .

Just as another one.

Best,

Erik
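A small sanity check that ties together the points raised so far (the pool size bounded by the transport subnet, the 255 cap enforced by the GUI, and the steady-state rekey load that a single-threaded server with the default reneg-sec has to absorb). This is an added example, not IPFire's or OpenVPN's code; the config text is constructed, and the capacity rules for `topology subnet` (one address per client minus network, server and broadcast) and `net30` (one /30 per client, first /30 taken by the server) are the assumptions the check applies.

```python
"""Check an OpenVPN server config against the limits discussed in the thread.
Added example, not IPFire code. Sample config below is constructed."""
import ipaddress

GUI_MAX_CLIENTS = 255               # range check in ovpnmain.cgi (see thread)
OPENVPN_DEFAULT_MAX_CLIENTS = 1024  # OpenVPN default when the directive is absent
DEFAULT_RENEG_SEC = 3600            # OpenVPN default rekey interval

SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
topology net30
max-clients 400
reneg-sec 3600
tls-auth ta.key 0
"""

def parse_conf(text):
    """Return {directive: [args]}; '#' and ';' start comments, last entry wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def pool_capacity(conf):
    """Clients the transport subnet can address (assumed topology rules)."""
    net, mask = conf["server"][:2]
    n = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    topology = conf.get("topology", ["net30"])[0]  # net30 is the 2.4 default
    if topology == "subnet":
        return n.num_addresses - 3          # network, server, broadcast
    return n.num_addresses // 4 - 1         # one /30 per client, server takes one

def check(conf):
    max_clients = int(conf.get("max-clients", [OPENVPN_DEFAULT_MAX_CLIENTS])[0])
    reneg = int(conf.get("reneg-sec", [DEFAULT_RENEG_SEC])[0])
    cap = pool_capacity(conf)
    return {
        "max_clients": max_clients,
        "pool_capacity": cap,
        "exceeds_gui_cap": max_clients > GUI_MAX_CLIENTS,  # GUI save would revert it
        "exceeds_pool": max_clients > cap,                 # limit is really the subnet
        # average TLS renegotiations per second the single process must absorb
        "rekeys_per_sec": min(max_clients, cap) / reneg,
        "tls_auth": "tls-auth" in conf or "tls-crypt" in conf,
    }

if __name__ == "__main__":
    for k, v in check(parse_conf(SAMPLE_CONF)).items():
        print(f"{k:>16}: {v}")
```

On the constructed config the effective ceiling is the 63-client net30 pool, not the 400 written into max-clients, which is the point made earlier about the subnet being the real limit.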

Can do this if we come to a, let’s say, conclusion :slightly_smiling_face: .

Best,

Erik

So can we live with 1024? I assume that this is some sort of DoS protection, so we should not aim too high.

Maybe that’s a good way, even though we do have DoS or port flooding protection via ‘--tls-auth’?

Yes, but that is still a lot more expensive to do than simply counting how many open connections there are and not accepting any more, isn’t it?

Patch has been sent --> https://patchwork.ipfire.org/patch/3298/ .

Best,

Erik
