Pritunl v1.32.4093.80 has been released. This release fixes CPU usage with WireGuard connections, fixes connection issues with single sign-on, improves web server performance, adds WireGuard ping interval and ping timeout to server settings, improves debugging and fixes DNS routing issues.
WireGuard CPU Usage
The Pritunl WireGuard implementation uses an additional layer of authentication and connection management. This is needed to maintain the security expectations of the multi-factor authentication options available in Pritunl given the connectionless design of WireGuard. This authentication is done using all the available keys in a Pritunl configuration, providing 3 layers of authorization and 1 layer of encryption:
- Client SHA512-HMAC Key (Authorization)
- Client/Server NaCl Asymmetric Key (Authorization + Encryption)
- Client RSA-4096 Asymmetric Key (Authorization)
Once connected, the client sends a ping to the Pritunl server every 10 seconds to indicate that it is still active; once these requests stop, the server expires and removes the WireGuard connection. In past releases these ping requests also used all 3 of the methods used for the connection authentication. The 3rd method, RSA validation done with the Python cryptography library, was found to use significantly more CPU resources than the other methods. With enough concurrent WireGuard clients this could consume enough CPU on the server to lock up the web server and cause clients to disconnect. This has been fixed by removing the RSA validation from the ping requests, which reduces the CPU usage of these requests by around 95%. Additionally, the ping interval has been adjusted to 30 seconds to reduce the frequency of these requests.
WireGuard Connection Timeouts
The connection management code used stale data when processing the timestamp for WireGuard connections. The client data was loaded before a delay calculated from the vpn.client_ttl setting, so an old timestamp would be checked after the delay. For most configurations this did not cause an issue unless the vpn.client_ttl value was increased to be longer than the TTL for the WireGuard connection. If this occurred, the WireGuard connection would be disconnected without any indication in the logs. This has been fixed, and the logs will now indicate when a TTL disconnection occurs.
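A simplified model of the stale-timestamp check described above, added here as an illustration and not Pritunl's own code. The WgClient class, the 1-second tick loop and the assumption that the timeout thread's delay equals vpn.client_ttl are constructed for the example; it contrasts checking the timestamp loaded before the delay with re-reading it afterwards.

```python
class WgClient:
    """Constructed stand-in for a WireGuard client that pings every
    `ping_interval` seconds until it goes offline at `offline_at` (if set)."""

    def __init__(self, ping_interval, offline_at=None):
        self.ping_interval = ping_interval
        self.offline_at = offline_at
        self.last_ping = 0  # timestamp of the last ping seen by the server

    def tick(self, now):
        # an offline client sends no further pings
        if self.offline_at is not None and now >= self.offline_at:
            return
        if now - self.last_ping >= self.ping_interval:
            self.last_ping = now


def timeout_cycle(client, client_ttl, wg_ttl, reload_after_delay):
    """One pass of a connection-timeout thread.

    Loads the client's last-ping timestamp, waits a delay (modelled here as
    client_ttl seconds, during which the client keeps pinging), then decides
    whether the connection exceeded wg_ttl. Returns True if the client would
    be disconnected. With reload_after_delay=False the snapshot taken before
    the delay is checked (the stale-data behaviour); with True the timestamp
    is re-read after the delay (the fixed behaviour).
    """
    last_ping = client.last_ping           # snapshot taken before the delay
    now = 0
    for now in range(1, client_ttl + 1):   # delay elapses one second at a time
        client.tick(now)
    if reload_after_delay:
        last_ping = client.last_ping       # fresh timestamp after the delay
    return now - last_ping > wg_ttl


def demo():
    """Constructed settings: 30 s ping interval, 60 s WireGuard TTL and a
    vpn.client_ttl raised to 120 s, i.e. longer than the WireGuard TTL.
    Returns {mode: (active client expired?, offline client expired?)}."""
    results = {}
    for label, reload in (("stale", False), ("fixed", True)):
        active = WgClient(ping_interval=30)
        offline = WgClient(ping_interval=30, offline_at=10)
        results[label] = (timeout_cycle(active, 120, 60, reload),
                          timeout_cycle(offline, 120, 60, reload))
    return results
```

The stale check disconnects the active client as well as the offline one, while the fixed check only disconnects the client that stopped pinging; with client_ttl at or below the WireGuard TTL both checks agree.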
Single Sign-On Connection Timeouts
Newer releases of Pritunl added a connection single sign-on check. This re-verifies the status of a single sign-on user every hour and disconnects the user if the single sign-on account is no longer valid. This check was done in a shared thread used to manage connection timeouts. On high-load servers the time taken to process the single sign-on verification could cause enough delay to time out the connection. This is more likely for WireGuard connections due to the stale data issue described above.
Improve Web Server Performance
The threading and tuning options for the web server have been adjusted to allow handling significantly more concurrent requests.
Add WireGuard Ping Interval and Ping Timeout to Server Settings
Options to adjust the WireGuard ping interval and ping timeout have been added to the server settings. Only the latest client release will adjust the ping interval; older client releases have a hard-coded 10 second interval.
Fix DNS Routing Issues
Updates to OpenVPN and WireGuard have started to force routes for DNS servers over the VPN connection. This is specifically occurring on newer WireGuard Linux releases. Previously this was optional in Pritunl with the Enable DNS Routing option in the server settings. This option has been removed and the server will always make NAT routes for the DNS servers available to the client. This will allow DNS to work with clients that force DNS routing while minimizing the impact to server configurations where the networking on the server will not allow client outbound traffic to the DNS server. The Block Outside DNS option in the advanced settings will force this option on all VPN clients.
Improved Debugging
Names have been added to all Python threads in the server. These labels provide additional information to Python debugging software. More information on this is available in the process inspection section of the server debugging documentation.