Re: [PATCH] openvpn: Actually apply configured parameters

[ummeegge <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 9581 bytes --]

Hi Michael,

Am Mittwoch, den 25.11.2020, 19:56 +0000 schrieb Michael Tremer:
> Hello,
> 
> I didn’t merge this yet, because I did not get any testing feedback
> (with a Tested-by tag).
Have tested it here and in the worst case there was only a warning in
the log and server/client negotiate via OPTIONS IMPORT the best result
out. The advantage in my opinion might be to have a chance to raise the
values (Jumbo frames ?!) and get more controll over the package size.

> 
> Since nobody has anything to complain, I will merge it then.
Great.

> 
> Best,
> -Michael

Best,

Erik

> 
> > On 24 Nov 2020, at 15:19, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > wanted to warm this up alittle :-) do you want to deliver this
> > patch ?
> > 
> > Best,
> > 
> > Erik
> > 
> > Am Dienstag, den 20.10.2020, 13:28 +0000 schrieb Michael Tremer:
> > > OpenVPN is an absolute mess. The behaviour of configuration
> > > parameters has been changed over the time; default values have
> > > been
> > > changed over time; and it looks like nobody is actually testing
> > > anything any more.
> > > 
> > > I have been spending hours today on figuring out why OpenVPN
> > > is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
> > > it achieves about 100 MBit/s in the default configuration when
> > > "openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
> > > 
> > > Changing any of the cryptography parameters does not change
> > > anything. Throughput remains around 100 MBit/s.
> > > 
> > > I finally set "cipher none" and "auth none" which disables
> > > encryption and authentication altogether but does not increase
> > > throughput. From here on it was absolutely clear that it was
> > > not a crypto issue.
> > > 
> > > OpenVPN tries to be smart here and does its own fragmentation.
> > > This is the worst idea I have heard of all day, because that job
> > > is normally done best by the OS.
> > > 
> > > Various settings which allow the user to "tune" this are grossly
> > > ineffective - let alone it isn't even clear what I am supposed
> > > to configure anywhere. Setting "fragment 1500" weirdly still
> > > does not convince openvpn to generate a packet that is longer
> > > than 1400 bytes. Who'd a thunk?
> > > 
> > > There is a number of other parameters to set the MTU or which
> > > are related to it (tun-mtu, link-mtu, fragment, mssfix).
> > > 
> > > On top of all of this we have two "bugs" in ovpnmain.cgi which
> > > are being fixed in this patch:
> > > 
> > > 1) mssfix can be configured by the user. However, we always
> > >    enable it in openvpn. The default is on, we only add "mssfix"
> > >    which simply turns it on.
> > >    It is now being disabled when the user has chosen so in the
> > >    web UI. I do not know if this is backwards-compatible.
> > > 
> > > 2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
> > >    used. So it becomes pointless that the user can this and the
> > >    user is not being made aware of this when they hit the save
> > >    button.
> > >    This was added when we added path MTU discovery. Since that
> > >    did not work and was removed, we can remove this now, too.
> > > 
> > > I archived a solid 500-600 MBit/s of goodput with these settings:
> > > 
> > > * Disable mssfix
> > > * Set "fragment" to 0
> > > * Set MTU to 9000
> > > 
> > > I am sure the MTU could be further increased to have bigger
> > > packets,
> > > but I did not test how badly this will affect latency of the
> > > tunnel.
> > > 
> > > OpenVPN seems to only be able to handle a certain amount of
> > > packets
> > > a second - no matter what. With larger packets, the throughput of
> > > the tunnel increases, but latency might as well.
> > > 
> > > Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> > > Cc: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > > Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > > ---
> > >  html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
> > >  1 file changed, 9 insertions(+), 20 deletions(-)
> > > 
> > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-
> > > bin/ovpnmain.cgi
> > > index e7bc505e7..e5bc45c1c 100644
> > > --- a/html/cgi-bin/ovpnmain.cgi
> > > +++ b/html/cgi-bin/ovpnmain.cgi
> > > @@ -280,14 +280,7 @@ sub writeserverconf {
> > >      print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
> > >      #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'}
> > > $netsettings{'GREEN_NETMASK'}\"\n";
> > >  
> > > -    # Check if we are using mssfix, fragment and set the
> > > corretct
> > > mtu of 1500.
> > > -    # If we doesn't use one of them, we can use the configured
> > > mtu
> > > value.
> > > -    if ($sovpnsettings{'MSSFIX'} eq 'on') 
> > > -       { print CONF "tun-mtu 1500\n"; }
> > > -    elsif ($sovpnsettings{'FRAGMENT'} ne '' &&
> > > $sovpnsettings{'DPROTOCOL'} ne 'tcp') 
> > > -       { print CONF "tun-mtu 1500\n"; }
> > > -    else 
> > > -       { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
> > > +    print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
> > >  
> > >      if ($vpnsettings{'ROUTES_PUSH'} ne '') {
> > >                 @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
> > > @@ -320,6 +313,8 @@ sub writeserverconf {
> > >      }
> > >      if ($sovpnsettings{MSSFIX} eq 'on') {
> > >                 print CONF "mssfix\n";
> > > +    } else {
> > > +               print CONF "mssfix 0\n";
> > >      }
> > >      if ($sovpnsettings{FRAGMENT} ne '' &&
> > > $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
> > >                 print CONF "fragment
> > > $sovpnsettings{'FRAGMENT'}\n";
> > > @@ -975,7 +970,7 @@ unless(-d
> > > "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
> > > "${General
> > >    if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu
> > > =
> > > $cgiparams{'MTU'}};
> > >    print SERVERCONF "tun-mtu $tunmtu\n";
> > >    if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment
> > > $cgiparams{'FRAGMENT'}\n";} 
> > > -  if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF
> > > "mssfix\n"; };
> > > +  if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF
> > > "mssfix\n"; }
> > > else { print SERVERCONF "mssfix 0\n" };
> > >    }
> > >  
> > >    print SERVERCONF "# Auth. Server\n"; 
> > > @@ -1074,7 +1069,7 @@ unless(-d
> > > "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
> > > "${General
> > >    if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu
> > > =
> > > $cgiparams{'MTU'}};
> > >    print CLIENTCONF "tun-mtu $tunmtu\n";
> > >    if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment
> > > $cgiparams{'FRAGMENT'}\n";}
> > > -  if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF
> > > "mssfix\n"; };
> > > +  if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF
> > > "mssfix\n"; }
> > > else { print CLIENTCONF "mssfix 0\n" };
> > >    }
> > >  
> > >    # Check host certificate if X509 is RFC3280 compliant.
> > > @@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq
> > > 'net'){
> > >     if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu =
> > > '1500'}
> > > else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
> > >     print CLIENTCONF "tun-mtu $tunmtu\n";
> > >     if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print
> > > CLIENTCONF
> > > "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
> > > -   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print
> > > CLIENTCONF
> > > "mssfix\n";}
> > > +   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print
> > > CLIENTCONF
> > > "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
> > >     }
> > >     # Check host certificate if X509 is RFC3280 compliant.
> > >     # If not, old --ns-cert-type directive will be used.
> > > @@ -2285,15 +2280,7 @@ else
> > >      print CLIENTCONF "nobind\r\n";
> > >      print CLIENTCONF "dev tun\r\n";
> > >      print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
> > > -
> > > -    # Check if we are using fragment, mssfix and set MTU to 1500
> > > -    # or use configured value.
> > > -    if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL}
> > > ne
> > > 'tcp' )
> > > -       { print CLIENTCONF "tun-mtu 1500\r\n"; }
> > > -    elsif ($vpnsettings{MSSFIX} eq 'on')
> > > -       { print CLIENTCONF "tun-mtu 1500\r\n"; }
> > > -    else
> > > -       { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
> > > +    print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
> > >  
> > >      if ( $vpnsettings{'ENABLED'} eq 'on'){
> > >         print CLIENTCONF "remote $vpnsettings{'VPN_IP'}
> > > $vpnsettings{'DDEST_PORT'}\r\n";
> > > @@ -2383,6 +2370,8 @@ else
> > >      print CLIENTCONF "verify-x509-name
> > > $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
> > >      if ($vpnsettings{MSSFIX} eq 'on') {
> > >         print CLIENTCONF "mssfix\r\n";
> > > +    } else {
> > > +       print CLIENTCONF "mssfix 0\r\n";
> > >      }
> > >      if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL}
> > > ne
> > > 'tcp' ) {
> > >         print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
> > 
> > 
>