Openvpn tap uses 99% cpu time

Emile Coetzee freebsd-stable at
Wed Oct 3 06:49:59 PDT 2007

Hi Bruce

I hope you can still remember this post from way back when. You can read the
archives here:

Up until now we have been tracking RELENG_6_2 without any issues but I was
forced to look at this again to get a newer NIC working where I needed

So quick recap: A while ago I hit a problem where the openvpn tap service
would kill my machine with 99% CPU usage. I could reproduce this on a number
of machines. I have now produced a way to prevent and reproduce the problem,
so hopefully if someone else can reproduce this we can find a proper fix.

I have been loading my tap device using /boot/loader.conf

So I removed this from the loader. Rebooted and tried to start openvpn
(/usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --config
/usr/local/etc/openvpn/tapsvr.conf) It would not start (obviously as there
was no tap device). 

I then loaded the tap device using kldload (kldload if_tap) and tried again.
This time is started and surprise, surprise no 99% CPU problem. Not wanting
to have to load the device before starting openvpn I then compiled the tap
device into my kernel which did the trick.

So it seems that there is a problem with loading the tap device from
loader.conf on RELENG_6. This works correctly on RELENG_6_2.

Do you want to see if you can reproduce this first or should I open a bug?


-----Original Message-----
From: owner-freebsd-stable at
[mailto:owner-freebsd-stable at] On Behalf Of Emile Coetzee
Posted At: 20 March 2007 14:16 PM
Posted To: freebsd-stable
Conversation: Openvpn tap uses 99% cpu time
Subject: RE: Openvpn tap uses 99% cpu time

Emile Coetzee wrote:
> Okay I finally have a ktrace of the offending process. You can view it
>>Thanks for this. If this is the correct trace, of the correct process, 
then it looks like OpenVPN is hanging immediately on opening the tap

>>One thing that does jump out at me is the use of the persist-tun 
keyword. Can you try removing the use of this keyword? It is something 
I've never had to use with OpenVPN.<<

I did try it without the persist settings and it seemed to work but then I
put it back again and that worked too (i.e. no 100% CPU usage). However
after restarting the box and repeating the tests, both produced the 100% CPU
usage issue. 

What I suspect happened is that somehow the tap device was already present
and thus openvpn did not need to create one. I then tried to use the
cloned_interfaces="tap0" to see if that would create a tap device for me at
boot time. But the server hung similarly to when openvpn uses 100% CPU time
more or less where I would expect it to initialize the NICs. Unfortunately I
did not think to check if the tap device was present before testing it
without the persist setting. So it's a bit of mystery.

I have lost the box I was testing on (off to a client) and will only be able
to setup a new one to do testing on next week. So I will feed back with any
new findings.


freebsd-stable at mailing list
To unsubscribe, send any mail to "freebsd-stable-unsubscribe at"

More information about the freebsd-stable mailing list