misc/117271: OpenVPN TAP uses 99% CPU on releng_6 when if_tap is in /boot/loader.conf

Emile Coetzee emilec at clarotech.co.za
Wed Oct 17 05:50:02 PDT 2007 

>Number:         117271
>Category:       misc
>Synopsis:       OpenVPN TAP uses 99% CPU on releng_6 when if_tap is in /boot/loader.conf
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 17 12:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Emile Coetzee
>Release:        RELENG_6
>Organization:
Clarotech Consulting
>Environment:
FreeBSD x 6.2-STABLE FreeBSD 6.2-STABLE #36: Thu Oct 11 02:46:55 SAST 2007     root at x:/usr/obj/usr/src/sys/X  i386
>Description:
Tracking RELENG_6 with if_tap_load="YES" in /boot/loader.conf. When you start openvpn (/usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --config /usr/local/etc/openvpn/tapsvr.conf) top will list openvpn on 99% CPU usage and the system will become non-responsive.

If you remove if_tap_load="YES" from /boot/loader.conf boot the system, run kldload if_tap and start openvpn, the problem does not occur. Compiling tap into the kernel as a pseudo device works correctly as well.

If I track RELENG_6_2 I can load if_tap from loader.conf and start openvpn tap service without experiencing any high CPU usage problems as decribed above. 

So it would seem there is a difference loading the tap device at boot time using loader.conf than loading it from the command line or as part of the kernel in RELENG_6

I first reported this on the mailing lists in March 2007. At that time I did notice some very recent changes for if_tap in the source tree which might be the cause of the problem. 

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2007-03/msg00445.html 
>How-To-Repeat:
Track RELENG_6
Install openvpn from ports (/usr/ports/security/openvpn)
Configure a VPN server using the tap device (the defaults will do).
set if_tap_load="YES" in /boot/loader.conf
start openvpn: /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --config /usr/local/etc/openvpn/tapsvr.conf
>Fix:
The workaround is to remove if_tap from loader.conf and load it after boot time or compile it into the kernel.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list