OpenVPN Server PacketLoss
You need to set the correct MTU for your VPN link. You can determine the value with the ping command. Start pinging the server from the client with
ping -M do -s 1500 -c 1 10.8.0.1
It will probably say ping: local error: Message too long, mtu=1500
Decrease the 1500 value by 10 each time, until the ping succeeds. Once the ping succeeds, the value used is the MTU you should use. OpenVPN requires a value called the MSS to be set. The MSS is the value for the MTU minus 40.
E.g., if your MTU is 1460, your MSS is 1420:
MSS = MTU - 40
MSS = 1460 - 40
MSS = 1420
To set the MSS for OpenVPN, add the following server configuration line (replacing 1420 with the appropriate value).
mssfix 1420
You can also turn on MSS auto-discovery by using the following config directives:
tun-mtu 1460
mtu-disc yes
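The probing procedure from the answer above as a script, added here as an example and not part of the original answer: it binary-searches the payload size instead of stepping by 10, and retries each size three times so that a single lost ping on a lossy link is not mistaken for an oversized packet. The function names, the 900 to 1500 search range and the three-attempt retry are assumptions of this example; `ping -s` sets the ICMP payload size, so the IPv4 packet on the wire is 28 bytes larger.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Function names are illustrative.

# One ping with Don't Fragment set (Linux iputils syntax, as in the answer).
probe_ping() {            # $1 = peer, $2 = ICMP payload size
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# On a lossy link a single lost reply looks like "too big", so a size only
# counts as failing after three attempts.
with_retry() {            # $1 = probe function, $2 = peer, $3 = size
    local try
    for try in 1 2 3; do
        "$1" "$2" "$3" && return 0
    done
    return 1
}

# Binary search for the largest payload in [lo, hi] that passes; prints 0
# when even the smallest size fails.
max_payload() {           # $1 = probe function, $2 = peer, $3 = lo, $4 = hi
    local lo hi mid best
    lo=$3; hi=$4; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if with_retry "$1" "$2" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# ping -s counts payload only: the IPv4 packet is 20 (IP) + 8 (ICMP) larger.
packet_size() { echo $(( $1 + 28 )); }
# The answer's formula: MSS = MTU - 40.
mss_for_mtu() { echo $(( $1 - 40 )); }

# Probe a real peer only when one is given, e.g.: ./mtu-probe.sh 10.8.0.1
if [ $# -gt 0 ]; then
    payload=$(max_payload probe_ping "$1" 900 1500)
    [ "$payload" -gt 0 ] || { echo "no probe size succeeded" >&2; exit 1; }
    mtu=$(packet_size "$payload")
    echo "payload=$payload mtu=$mtu mss=$(mss_for_mtu "$mtu")"
fi
```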
George
Updated on September 18, 2022
Comments
-
George over 1 year
I have an OpenVPN server with Debian 8 and OpenVPN 2.3.14 x86_64-pc-linux-gnu. Today I have realised packet loss. My server is on TCP port 443.
Ping statistics for 144.76.41.103:
    Packets: Sent = 1135, Received = 1121, Lost = 14 (1% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 961ms, Average = 51ms
Other stat:
Ping statistics for 144.76.41.103:
    Packets: Sent = 1135, Received = 1121, Lost = 70 (5% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 961ms, Average = 51ms
Server config:
port 443
float
proto tcp
dev tun2
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/1.crt
key /etc/openvpn/keys/1.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
script-security 3
auth-user-pass-verify "/etc/openvpn/auth.sh" via-env
keepalive 20 100
cipher BF-CBC
max-clients 100
persist-key
persist-tun
username-as-common-name
log logs/443tcp.log
log-append logs/443app.log
status status/443tcp_status.log 60
verb 2
mute 15
inactive 1200
comp-lzo
reneg-sec 86400
up /etc/openvpn/up.sh
Because of this, I often get lag (just a freeze for a sec) in my applications, SSH consoles and of course in online games.
Any ideas what could cause this?
-
iwaseatenbyagrue about 7 years
This seems like a better fit for SuperUser. I am not sure a couple of ping tests are really enough to see the issue as such - do you possibly have some stats (e.g. tcp retransmit count, error count), and could you run iperf between VPN endpoints to give a better view of your issue?
-
bjd2385 over 5 years
for i in {1500..900..-10}; do ping -M do -c 1 10.8.0.1 -s "$i"; done
- I just stop it when I see the pings succeed.
-
Anubioz over 5 years
@bd1251252 nice one indeed, can be somewhat improved:
for i in {1500..900..-2}; do ping -M do -c 1 10.8.0.1 -s "$i" 2>&1 | grep -q '1 received' && break; done; echo $i