Openconnect restarts too fast

I have created an Openconnect interface and the server does not authorize me (say, I used the wrong password).

The Openconnect script restarts too fast; it seems to be DDoSing my server:

Sun Jan 19 13:32:46 2025 daemon.notice netifd: Interface 'df' is setting up now
Sun Jan 19 13:32:46 2025 user.notice openconnect: initializing...
Sun Jan 19 13:32:46 2025 user.notice openconnect: executing 'openconnect 'df' '-i' 'vpn-df' '--non-inter' '--syslog' '--protocol' 'anyconnect' '--reconnect-timeout=300''
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21580): POST https://df/
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21580): getaddrinfo failed for host 'df': Name does not resolve
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21580): Failed to open HTTPS connection to df
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21580): Failed to complete authentication
Sun Jan 19 13:32:46 2025 user.notice openconnect: bringing down openconnect
Sun Jan 19 13:32:46 2025 daemon.notice netifd: Interface 'df' is now down
Sun Jan 19 13:32:46 2025 daemon.notice netifd: Interface 'df' is setting up now
Sun Jan 19 13:32:46 2025 user.notice openconnect: initializing...
Sun Jan 19 13:32:46 2025 user.notice openconnect: executing 'openconnect 'df' '-i' 'vpn-df' '--non-inter' '--syslog' '--protocol' 'anyconnect' '--reconnect-timeout=300''
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21602): POST https://df/
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21602): getaddrinfo failed for host 'df': Name does not resolve

I intentionally used the wrong server address so as not to keep DDoSing my work server. Also, I cannot stop the Openconnect interface; the button is grayed out. Only deleting the interface stops the connection retries.

Same happens on two devices with OpenWRT: x86 24.10.0-rc4 and Xiaomi Redmi AC2100 23.05.5.

I've not got access to my external log server at the moment but I can confirm that I've seen the same behaviour.

Normal interface reconnects can happen for hours or days without a problem, until something forces reauthentication and then things get very messy very quickly. The VPN server I'm connecting to (at work) uses an external MFA agent, and if that times out because I'm asleep then OpenConnect simply retries, endlessly.

Eventually a secondary effect is that the MFA service locks my account and OpenConnect then simply tries, tries and tries again without ever stopping.

I have set
option reconnect_timeout '60'
which doesn't help at all.

It's an irritation more than anything but I suspect it's something to be adjusted in netifd rather than the OpenConnect client itself.

It seems like these lines are involved:

 6834 root      1348 S    {hotplug-call} /bin/sh /sbin/hotplug-call iface
 6835 root      1508 R    {openconnect.sh} /bin/sh ./openconnect.sh openconnect setup df {"proto":"openco
 6836 root      1188 R    ps
 6840 root      1352 S    {hotplug-call} /bin/sh /sbin/hotplug-call iface

with /lib/netifd/proto/openconnect.sh.

But I have not found a solution yet.

Also there's no place to put --no-external-auth in.
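
A way to spot this retry loop from the logs before the MFA service locks the account, as an added example that is not part of any post in this thread: it counts `Failed to complete authentication` lines per interface, in the syslog format shown above, inside a sliding time window. The sample lines, the interface name `work` and the thresholds are constructed for illustration; it assumes the window never spans a month boundary.

```shell
#!/bin/sh
# Added example: flag interfaces stuck in an authentication retry loop.
# Usage: detect_retry_storm MAX_FAILURES WINDOW_SECONDS < syslog
# Prints each interface once, when it exceeds MAX_FAILURES within the window.
detect_retry_storm() {
    awk -v max="$1" -v win="$2" '
    # Match "... netifd: <iface> (<pid>): Failed to complete authentication"
    /netifd: [^ ]+ \([0-9]+\): Failed to complete authentication/ {
        # Fields: $1=weekday $2=month $3=day $4=HH:MM:SS $5=year $8=iface
        split($4, t, ":")
        # Assumption: the window never spans a month boundary.
        now = $3 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        iface = $8
        n = ++count[iface]
        stamp[iface, n] = now
        if (!(iface in first)) first[iface] = 1
        # Slide the window start past failures older than win seconds.
        while (now - stamp[iface, first[iface]] > win) first[iface]++
        if (n - first[iface] + 1 > max && !(iface in flagged)) {
            flagged[iface] = 1
            print iface
        }
    }'
}

# Constructed sample input: "df" fails five times in three seconds,
# the hypothetical interface "work" fails twice, ten minutes apart.
sample_log() {
    cat <<'EOF'
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21580): Failed to complete authentication
Sun Jan 19 13:32:46 2025 daemon.notice netifd: Interface 'df' is now down
Sun Jan 19 13:32:46 2025 daemon.notice netifd: df (21602): Failed to complete authentication
Sun Jan 19 13:32:47 2025 daemon.notice netifd: df (21624): Failed to complete authentication
Sun Jan 19 13:32:47 2025 daemon.notice netifd: work (21630): Failed to complete authentication
Sun Jan 19 13:32:47 2025 daemon.notice netifd: df (21646): Failed to complete authentication
Sun Jan 19 13:32:48 2025 daemon.notice netifd: df (21668): Failed to complete authentication
Sun Jan 19 13:42:47 2025 daemon.notice netifd: work (22950): Failed to complete authentication
EOF
}

# More than 3 failures within 60 seconds counts as a retry storm.
sample_log | detect_retry_storm 3 60
```

On a router the same function can be fed from `logread`; on a log server, from the stored syslog file.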