[PATCH] openvpn: Actually apply configured parameters

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 7078 bytes --]

OpenVPN is an absolute mess. The behaviour of configuration
parameters has been changed over the time; default values have been
changed over time; and it looks like nobody is actually testing
anything any more.

I have been spending hours today on figuring out why OpenVPN
is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
it achieves about 100 MBit/s in the default configuration when
"openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.

Changing any of the cryptography parameters does not change
anything. Throughput remains around 100 MBit/s.

I finally set "cipher none" and "auth none" which disables
encryption and authentication altogether but does not increase
throughput. From here on it was absolutely clear that it was
not a crypto issue.

OpenVPN tries to be smart here and does its own fragmentation.
This is the worst idea I have heard of all day, because that job
is normally done best by the OS.

Various settings which allow the user to "tune" this are grossly
ineffective - let alone it isn't even clear what I am supposed
to configure anywhere. Setting "fragment 1500" weirdly still
does not convince openvpn to generate a packet that is longer
than 1400 bytes. Who'd a thunk?

There is a number of other parameters to set the MTU or which
are related to it (tun-mtu, link-mtu, fragment, mssfix).

On top of all of this we have two "bugs" in ovpnmain.cgi which
are being fixed in this patch:

1) mssfix can be configured by the user. However, we always
   enable it in openvpn. The default is on, we only add "mssfix"
   which simply turns it on.
   It is now being disabled when the user has chosen so in the
   web UI. I do not know if this is backwards-compatible.

2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
   used. So it becomes pointless that the user can this and the
   user is not being made aware of this when they hit the save
   button.
   This was added when we added path MTU discovery. Since that
   did not work and was removed, we can remove this now, too.

I archived a solid 500-600 MBit/s of goodput with these settings:

* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000

I am sure the MTU could be further increased to have bigger packets,
but I did not test how badly this will affect latency of the tunnel.

OpenVPN seems to only be able to handle a certain amount of packets
a second - no matter what. With larger packets, the throughput of
the tunnel increases, but latency might as well.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Cc: Erik Kapfer <erik.kapfer(a)ipfire.org>
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e7bc505e7..e5bc45c1c 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -280,14 +280,7 @@ sub writeserverconf {
     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
     #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
 
-    # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
-    # If we doesn't use one of them, we can use the configured mtu value.
-    if ($sovpnsettings{'MSSFIX'} eq 'on') 
-	{ print CONF "tun-mtu 1500\n"; }
-    elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') 
-	{ print CONF "tun-mtu 1500\n"; }
-    else 
-	{ print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
+    print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
 
     if ($vpnsettings{'ROUTES_PUSH'} ne '') {
 		@temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
@@ -320,6 +313,8 @@ sub writeserverconf {
     }
     if ($sovpnsettings{MSSFIX} eq 'on') {
 		print CONF "mssfix\n";
+    } else {
+		print CONF "mssfix 0\n";
     }
     if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
 		print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
@@ -975,7 +970,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
   print SERVERCONF "tun-mtu $tunmtu\n";
   if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";} 
-  if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; 
+  if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
   }
 
   print SERVERCONF "# Auth. Server\n"; 
@@ -1074,7 +1069,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
   print CLIENTCONF "tun-mtu $tunmtu\n";
   if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
-  if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; 
+  if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
   }
 
   # Check host certificate if X509 is RFC3280 compliant.
@@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
    print CLIENTCONF "tun-mtu $tunmtu\n";
    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
-   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
+   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
    }
    # Check host certificate if X509 is RFC3280 compliant.
    # If not, old --ns-cert-type directive will be used.
@@ -2285,15 +2280,7 @@ else
     print CLIENTCONF "nobind\r\n";
     print CLIENTCONF "dev tun\r\n";
     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
-
-    # Check if we are using fragment, mssfix and set MTU to 1500
-    # or use configured value.
-    if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
-	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
-    elsif ($vpnsettings{MSSFIX} eq 'on')
-	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
-    else
-	{ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
+    print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
 
     if ( $vpnsettings{'ENABLED'} eq 'on'){
     	print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
@@ -2383,6 +2370,8 @@ else
     print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
     if ($vpnsettings{MSSFIX} eq 'on') {
 	print CLIENTCONF "mssfix\r\n";
+    } else {
+	print CLIENTCONF "mssfix 0\r\n";
     }
     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
 	print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
-- 
2.20.1