Improving OpenVPN Performance


Solution 1

Short answer: disable comp-lzo.

I realize this is an old post, but I was also suffering from poor OpenVPN performance. I had tried everything, adjusting the MTU, changing the snd and rcv buffers, mss clamping, you name it. CPU load was negligible.

On a whim, I disabled compression (removed comp-lzo from the client and the server) and performance increased 2-4x.

So, with comp-lzo enabled my max performance was around 25-30 Mbit/s, and without it I hit 120 Mbit/s (my internet connection speed).

Server is a Xeon E5-2650, client is Core i5-3320M. Both running OpenVPN 2.3.10, AES-256-CBC, SHA512. My Intel Chromebook also maxed out my internet speed. Performance doubled on my Android clients (14 Mbit/s -> 30 Mbit/s), matching IKEv2 tunnel speed.

Solution 2

TCP is going to be /much/ slower than UDP, caused by the TCP-over-TCP problem. Basically, TCP relies on packet drops/congestion to identify connection parameters, and your TCP-over-OpenVPN connections do not experience either of those. But you've said that's not an option.

You could also try the mtu-disc option to automatically discover the optimal MTU settings for your connection. There are slight mismatches in different places, such as OpenVPN's MTU setting including the size of the Ethernet header. [1]

Your tun-mtu setting is massive, as a 65KB packet is going to have a lot of latency issues going through the internet (IPv4 jumbo packets are around 9000 bytes in size, and mostly work on local networks). Try something under 1460 instead, like 1300, to see if MTU is your issue.

Solution 3

Even though this might be a bit late, you may try what I did:

remove all mss, mtu, etc related options

do a port scan at your institution and select a UDP port; generally the 53 GRE / 123 NDP ports should be open:

Add these lines to your server config (ref here)

#possible bandwidth increase
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

I do not fully understand these settings, but they surely did help. Some say it helps a lot; in my experience, it increased my throughput by +/- 30%.

Start the server on one of those ports and you should be good to go :P

Hope this helps!
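The three solutions above amount to a checklist (drop comp-lzo, avoid TCP-over-TCP and an oversized tun-mtu, set sndbuf/rcvbuf). As an added example that is not code from the thread, here is a small checker that parses a config in the format of the question's server.conf and reports which of those points apply; the parser, the 1500-byte link MTU threshold and the trimmed sample config are assumptions of this example.

```python
"""Added example, not code from the thread: parse an OpenVPN config and flag
the throughput-related settings that Solutions 1-3 discuss. The sample config
and the 1500-byte link MTU assumption are constructed for illustration."""
import re
import shlex

# Constructed sample: the question's server config, trimmed to the directives
# the answers talk about (its inline "#- ..." comments are kept on purpose).
SAMPLE_CONF = """\
port 443 #- port
proto tcp #- protocol
dev tun
#tun-mtu 1500
tun-mtu 64800
mssfix 1440
push "redirect-gateway def1"
comp-lzo
"""

def parse_openvpn_conf(text):
    """Return {directive: [args, ...]}, one args list per occurrence so repeated
    directives such as push survive. '#'/';' at line start or after whitespace
    starts a comment, matching how the question's config is written."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = shlex.split(line)  # keeps quoted args like push "..." whole
        conf.setdefault(name, []).append(args)
    return conf

def performance_findings(text, link_mtu=1500):
    """Apply the three answers' advice; returns [(directive, message), ...]."""
    conf = parse_openvpn_conf(text)
    findings = []
    if "comp-lzo" in conf or "compress" in conf:   # Solution 1
        findings.append(("comp-lzo", "compression on; removing it on both ends gave Solution 1 a 2-4x gain"))
    if conf.get("proto", [["udp"]])[0][0].startswith("tcp"):   # Solution 2
        findings.append(("proto", "TCP transport; TCP-over-TCP slows the tunnel, use UDP if the firewall allows"))
    mtu = int(conf["tun-mtu"][0][0]) if "tun-mtu" in conf else 1500
    if mtu > link_mtu:   # Solution 2
        findings.append(("tun-mtu", f"{mtu} exceeds the {link_mtu}-byte link MTU; try 1300"))
    if "sndbuf" not in conf or "rcvbuf" not in conf:   # Solution 3
        findings.append(("sndbuf/rcvbuf", "no socket buffers set; Solution 3 used 393216 and pushed it to clients"))
    return findings

if __name__ == "__main__":
    for directive, message in performance_findings(SAMPLE_CONF):
        print(f"{directive}: {message}")
```

Run it against your own server.conf by passing the file's text to performance_findings(); on the question's config all four checks fire.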


Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I've been trying to improve my OpenVPN performance and this is my current setup:

    cat /etc/openvpn/server.conf
    port 443 #- port
    proto tcp #- protocol
    dev tun
    #tun-mtu 1500
    tun-mtu-extra 32
    #mssfix 1450
    tun-mtu 64800
    mssfix 1440
    reneg-sec 0
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
    #plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
    #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
    client-to-client
    client-cert-not-required
    username-as-common-name
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    status 1194.log
    verb 3
    

    CLIENT:

    client
    dev tun
    proto tcp
    remote 18.4.26.8 443
    resolv-retry infinite
    nobind
    tun-mtu 64800
    tun-mtu-extra 32
    mssfix 1440
    persist-key
    persist-tun
    auth-user-pass
    comp-lzo
    verb 3
    

    I made some changes to MTU and MSSFIX from what I found on the web.

    Are there any kernel changes I could make? This is a CentOS 6.x box. I found some stuff for BSD based but nothing that worked for Linux.

    I know TCP is slower than UDP, but I need to be able to look like SSL traffic to get through a firewall on the network.

    Other ideas?

    PING to another client on the network which I RDP into.

    Pinging 10.8.0.6 with 32 bytes of data:
    Reply from 10.8.0.6: bytes=32 time=152ms TTL=128
    Reply from 10.8.0.6: bytes=32 time=565ms TTL=128
    Reply from 10.8.0.6: bytes=32 time=152ms TTL=128
    Reply from 10.8.0.6: bytes=32 time=782ms TTL=128
    
    Ping statistics for 10.8.0.6:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 152ms, Maximum = 782ms, Average = 412ms
    

    Are there any ways to improve performance or drop the ping some?

    EDIT: Would setting the fragmentation setting help some?

    • prateek61
      prateek61 over 10 years
      I know TCP is slower than UDP but I need to be able to look like SSL traffic to get through a firewall on the network. Why not ask your network administrator to open the OpenVPN port at work? On a related note, this question as is may violate the terms of the FAQ (Licensing, legal advice, and *circumvention of security or policy*); I would clarify.
    • Admin
      Admin over 10 years
      There's nothing illegal about it. It's just the only way to access my own systems remotely. :)
    • prateek61
      prateek61 over 10 years
      I was talking more about bypassing the firewall policy at wherever you are. Why can't you ask the network administrator to open the port? I was not really talking about the legality, more about circumventing security policy.
    • ptman
      ptman over 8 years
      Maybe sshuttle would work better for you for tcp-over-tcp vpn
  • Preexo
    Preexo about 8 years
    -1 for too much voodoo and not understanding what things actually do. I find it irresponsible to recommend something then, honestly.
  • Christian Benke
    Christian Benke almost 8 years
    Thanks, that solved my problem with getting a PostgreSQL query to work over OpenVPN. It worked when querying over a single column, but not for the whole column. Apparently that was caused by the default MTU size of 1500. Setting it to 1300 helped!