From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Actually apply configured parameters
Date: Wed, 25 Nov 2020 21:44:49 +0100
Message-ID: <5c71ae0ed2520b290cfe076c8620ed429a97dd1a.camel@ipfire.org>

Hi Michael,

On Wednesday, 25.11.2020, 19:56 +0000, Michael Tremer wrote:
> Hello,
>
> I didn't merge this yet, because I did not get any testing feedback
> (with a Tested-by tag).

Have tested it here and in the worst case there was only a warning in
the log and server/client negotiate via OPTIONS IMPORT the best result
out. The advantage in my opinion might be to have a chance to raise the
values (Jumbo frames ?!) and get more control over the package size.

>
> Since nobody has anything to complain, I will merge it then.

Great.

>
> Best,
> -Michael

Best,

Erik

>
> > On 24 Nov 2020, at 15:19, ummeegge wrote:
> >
> > Hi Michael,
> > wanted to warm this up a little :-) do you want to deliver this
> > patch ?
> >
> > Best,
> >
> > Erik
> >
> > On Tuesday, 20.10.2020, 13:28 +0000, Michael Tremer wrote:
> > > OpenVPN is an absolute mess. The behaviour of configuration
> > > parameters has been changed over the time; default values have
> > > been changed over time; and it looks like nobody is actually
> > > testing anything any more.
> > >
> > > I have been spending hours today on figuring out why OpenVPN
> > > is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
> > > it achieves about 100 MBit/s in the default configuration when
> > > "openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
> > >
> > > Changing any of the cryptography parameters does not change
> > > anything. Throughput remains around 100 MBit/s.
> > >
> > > I finally set "cipher none" and "auth none" which disables
> > > encryption and authentication altogether but does not increase
> > > throughput. From here on it was absolutely clear that it was
> > > not a crypto issue.
> > >
> > > OpenVPN tries to be smart here and does its own fragmentation.
> > > This is the worst idea I have heard of all day, because that job
> > > is normally done best by the OS.
> > >
> > > Various settings which allow the user to "tune" this are grossly
> > > ineffective - let alone it isn't even clear what I am supposed
> > > to configure anywhere. Setting "fragment 1500" weirdly still
> > > does not convince openvpn to generate a packet that is longer
> > > than 1400 bytes. Who'd a thunk?
> > >
> > > There is a number of other parameters to set the MTU or which
> > > are related to it (tun-mtu, link-mtu, fragment, mssfix).
> > >
> > > On top of all of this we have two "bugs" in ovpnmain.cgi which
> > > are being fixed in this patch:
> > >
> > > 1) mssfix can be configured by the user. However, we always
> > >    enable it in openvpn. The default is on, we only add "mssfix"
> > >    which simply turns it on.
> > >    It is now being disabled when the user has chosen so in the
> > >    web UI. I do not know if this is backwards-compatible.
> > >
> > > 2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
> > >    used. So it becomes pointless that the user can set this and the
> > >    user is not being made aware of this when they hit the save
> > >    button.
> > >    This was added when we added path MTU discovery. Since that
> > >    did not work and was removed, we can remove this now, too.
> > >
> > > I achieved a solid 500-600 MBit/s of goodput with these settings:
> > >
> > > * Disable mssfix
> > > * Set "fragment" to 0
> > > * Set MTU to 9000
> > >
> > > I am sure the MTU could be further increased to have bigger
> > > packets, but I did not test how badly this will affect latency
> > > of the tunnel.
> > >
> > > OpenVPN seems to only be able to handle a certain amount of
> > > packets a second - no matter what. With larger packets, the
> > > throughput of the tunnel increases, but latency might as well.
> > >
> > > Signed-off-by: Michael Tremer
> > > Cc: Erik Kapfer
> > > Cc: Stefan Schantl
> > > ---
> > >  html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
> > >  1 file changed, 9 insertions(+), 20 deletions(-)
> > >
> > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> > > index e7bc505e7..e5bc45c1c 100644
> > > --- a/html/cgi-bin/ovpnmain.cgi
> > > +++ b/html/cgi-bin/ovpnmain.cgi
> > > @@ -280,14 +280,7 @@ sub writeserverconf { > > > =C2=A0=C2=A0=C2=A0=C2=A0 print CONF "server $tempovpnsubnet[0] $tempovp= nsubnet[1]\n"; > > > =C2=A0=C2=A0=C2=A0=C2=A0 #print CONF "push \"route $netsettings{'GREEN_= NETADDRESS'} > > > $netsettings{'GREEN_NETMASK'}\"\n"; > > > =C2=A0 > > > -=C2=A0=C2=A0=C2=A0 # Check if we are using mssfix, fragment and set the > > > corretct > > > mtu of 1500. > > > -=C2=A0=C2=A0=C2=A0 # If we doesn't use one of them, we can use the con= figured > > > mtu > > > value. > > > -=C2=A0=C2=A0=C2=A0 if ($sovpnsettings{'MSSFIX'} eq 'on')=20 > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 { print CONF "tun-mtu 1500\n"; } > > > -=C2=A0=C2=A0=C2=A0 elsif ($sovpnsettings{'FRAGMENT'} ne '' && > > > $sovpnsettings{'DPROTOCOL'} ne 'tcp')=20 > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 { print CONF "tun-mtu 1500\n"; } > > > -=C2=A0=C2=A0=C2=A0 else=20 > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 { print CONF "tun-mtu $sovpnsetti= ngs{'DMTU'}\n"; } > > > +=C2=A0=C2=A0=C2=A0 print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; > > > =C2=A0 > > > =C2=A0=C2=A0=C2=A0=C2=A0 if ($vpnsettings{'ROUTES_PUSH'} ne '') { > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 @temp =3D split(/\n/,$vpnsettings{'ROUTES_PUSH'}); 
> > > @@ -320,6 +313,8 @@ sub writeserverconf { > > > =C2=A0=C2=A0=C2=A0=C2=A0 } > > > =C2=A0=C2=A0=C2=A0=C2=A0 if ($sovpnsettings{MSSFIX} eq 'on') { > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 print CONF "mssfix\n"; > > > +=C2=A0=C2=A0=C2=A0 } else { > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 print CONF "mssfix 0\n"; > > > =C2=A0=C2=A0=C2=A0=C2=A0 } > > > =C2=A0=C2=A0=C2=A0=C2=A0 if ($sovpnsettings{FRAGMENT} ne '' && > > > $sovpnsettings{'DPROTOCOL'} ne 'tcp') { > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 print CONF "fragment > > > $sovpnsettings{'FRAGMENT'}\n"; > > > @@ -975,7 +970,7 @@ unless(-d > > > "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir > > > "${General > > > =C2=A0=C2=A0 if ($cgiparams{'MTU'} eq '') {$tunmtu =3D '1500'} else {$t= unmtu > > > =3D > > > $cgiparams{'MTU'}}; > > > =C2=A0=C2=A0 print SERVERCONF "tun-mtu $tunmtu\n"; > > > =C2=A0=C2=A0 if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragm= ent > > > $cgiparams{'FRAGMENT'}\n";}=20 > > > -=C2=A0 if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF > > > "mssfix\n"; }; > > > +=C2=A0 if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF > > > "mssfix\n"; } > > > else { print SERVERCONF "mssfix 0\n" }; > > > =C2=A0=C2=A0 } > > > =C2=A0 > > > =C2=A0=C2=A0 print SERVERCONF "# Auth. Server\n";=20 
> > > @@ -1074,7 +1069,7 @@ unless(-d > > > "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir > > > "${General > > > =C2=A0=C2=A0 if ($cgiparams{'MTU'} eq '') {$tunmtu =3D '1500'} else {$t= unmtu > > > =3D > > > $cgiparams{'MTU'}}; > > > =C2=A0=C2=A0 print CLIENTCONF "tun-mtu $tunmtu\n"; > > > =C2=A0=C2=A0 if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragm= ent > > > $cgiparams{'FRAGMENT'}\n";} > > > -=C2=A0 if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF > > > "mssfix\n"; }; > > > +=C2=A0 if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF > > > "mssfix\n"; } > > > else { print CLIENTCONF "mssfix 0\n" }; > > > =C2=A0=C2=A0 } > > > =C2=A0 > > > =C2=A0=C2=A0 # Check host certificate if X509 is RFC3280 compliant. > > > @@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq > > > 'net'){ > > > =C2=A0=C2=A0=C2=A0 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunm= tu =3D > > > '1500'} > > > else {$tunmtu =3D $confighash{$cgiparams{'KEY'}}[31]}; > > > =C2=A0=C2=A0=C2=A0 print CLIENTCONF "tun-mtu $tunmtu\n"; > > > =C2=A0=C2=A0=C2=A0 if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print > > > CLIENTCONF > > > "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} > > > -=C2=A0=C2=A0 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print > > > CLIENTCONF > > > "mssfix\n";} > > > +=C2=A0=C2=A0 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print > > > CLIENTCONF > > > "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; } > > > =C2=A0=C2=A0=C2=A0 } > > > =C2=A0=C2=A0=C2=A0 # Check host certificate if X509 is RFC3280 complian= t. > > > =C2=A0=C2=A0=C2=A0 # If not, old --ns-cert-type directive will be used. 
> > > @@ -2285,15 +2280,7 @@ else > > > =C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "nobind\r\n"; > > > =C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "dev tun\r\n"; > > > =C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "proto $vpnsettings{'DPROTOCO= L'}\r\n"; > > > - > > > -=C2=A0=C2=A0=C2=A0 # Check if we are using fragment, mssfix and set MT= U to 1500 > > > -=C2=A0=C2=A0=C2=A0 # or use configured value. > > > -=C2=A0=C2=A0=C2=A0 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DP= ROTOCOL} > > > ne > > > 'tcp' ) > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 { print CLIENTCONF "tun-mtu 1500\= r\n"; } > > > -=C2=A0=C2=A0=C2=A0 elsif ($vpnsettings{MSSFIX} eq 'on') > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 { print CLIENTCONF "tun-mtu 1500\= r\n"; } > > > -=C2=A0=C2=A0=C2=A0 else > > > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 { print CLIENTCONF "tun-mtu $vpns= ettings{'DMTU'}\r\n"; } > > > +=C2=A0=C2=A0=C2=A0 print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; > > > =C2=A0 > > > =C2=A0=C2=A0=C2=A0=C2=A0 if ( $vpnsettings{'ENABLED'} eq 'on'){ > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "remote $vp= nsettings{'VPN_IP'} > > > $vpnsettings{'DDEST_PORT'}\r\n"; > > > @@ -2383,6 +2370,8 @@ else > > > =C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "verify-x509-name > > > $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; > > > =C2=A0=C2=A0=C2=A0=C2=A0 if ($vpnsettings{MSSFIX} eq 'on') { > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "mssfix\r\n= "; > > > +=C2=A0=C2=A0=C2=A0 } else { > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "mssfix 0\r\n"; > > > =C2=A0=C2=A0=C2=A0=C2=A0 } > > > =C2=A0=C2=A0=C2=A0=C2=A0 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettin= gs{DPROTOCOL} > > > ne > > > 'tcp' ) { > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 print CLIENTCONF "fragment $= vpnsettings{'FRAGMENT'}\r\n"; > >=20 > >=20 >=20 --===============4428178507293879622==--
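Review bot: in @@ -280,14 +280,7 @@ the single remaining line `print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";` writes DMTU with no fallback for an empty or non-numeric value, whereas the n2n hunks at @@ -975 and @@ -1074 keep `if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'}` before printing. Since the removed cap was the only check on this path and the commit message notes the user gets no warning on save, consider the same default-to-1500 fallback here (and in the CLIENTCONF twin at @@ -2285) or a numeric check in the save handler, so an unset DMTU cannot produce a bare `tun-mtu` line in the generated config.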
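Review bot: the new `mssfix 0` else branch in @@ -320,6 +313,8 @@ (and its CLIENTCONF counterpart in @@ -2383,6 +2370,8 @@) changes the effective behaviour of every existing configuration whose MSSFIX is not 'on': previously nothing was written and OpenVPN's default applied, which the commit message says is on. The commit message itself says it is unknown whether this is backwards-compatible, so please state it there as an intentional behaviour change and mention it in the release notes, so a changed MSS or throughput after the update can be traced to this patch rather than to the peer.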
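Review bot: in @@ -975,7 +970,7 @@ the else branch is appended to the one-line `if` with a stray `;` after the closing brace (`else { print SERVERCONF "mssfix 0\n" };`), while @@ -320 and @@ -2383 use a multi-line block for the same logic. Consider the block form here and in the identical @@ -1074,7 +1069,7 @@ and @@ -2204,7 +2199,7 @@ lines so the five call sites read the same and a later change to the mssfix handling does not miss one of them.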
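As an added example that is not part of the patch or of IPFire's code, a small Python audit of the three directives this patch writes (tun-mtu, mssfix, fragment), applying the commit message's rule that mssfix is on unless the config says "mssfix 0" and that fragment is only written for non-TCP tunnels; the sample config is constructed to match the settings the commit message measured, and CRLF client files are handled.

```python
# Constructed sample (not taken from the patch): what ovpnmain.cgi writes
# after this change for a server with mssfix off, fragment 0 and MTU 9000.
SAMPLE_SERVER_CONF = """\
dev tun
proto udp
tun-mtu 9000
mssfix 0
fragment 0
"""


def parse_directives(conf: str) -> dict:
    """Map each directive to its argument list; a repeated directive keeps the last value."""
    directives = {}
    for raw in conf.splitlines():          # splitlines() also handles the \r\n client files
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def mssfix_in_effect(directives: dict) -> bool:
    """Absent or bare 'mssfix' means on (OpenVPN's default per the commit message);
    only an explicit 'mssfix 0' turns it off."""
    args = directives.get("mssfix")
    if args is None or not args:
        return True
    return args[0] != "0"


def audit(conf: str) -> list:
    """Return findings for the MTU/mssfix/fragment combinations the patch touches."""
    d = parse_directives(conf)
    findings = []
    mtu = d.get("tun-mtu")
    if mtu is not None and (not mtu or not mtu[0].isdigit()):
        findings.append("tun-mtu is written without a numeric value (unset DMTU?)")
    proto = d.get("proto", ["udp"])[0]
    if "fragment" in d and proto.startswith("tcp"):
        findings.append("fragment is set on a TCP tunnel; the CGI only writes it for UDP")
    if mtu and mtu[0].isdigit() and int(mtu[0]) > 1500 and mssfix_in_effect(d):
        findings.append("tun-mtu above 1500 but mssfix is still in effect; TCP MSS stays clamped")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_CONF) or "no findings")
```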