Hi Michael,

On Tuesday, 20.10.2020, 13:28 +0000, Michael Tremer wrote:
> OpenVPN is an absolute mess. The behaviour of configuration
> parameters has been changed over time; default values have been
> changed over time; and it looks like nobody is actually testing
> anything any more.
>
> I have been spending hours today on figuring out why OpenVPN
> is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
> it achieves about 100 MBit/s in the default configuration when
> "openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
>
> Changing any of the cryptography parameters does not change
> anything. Throughput remains around 100 MBit/s.
>
> I finally set "cipher none" and "auth none" which disables
> encryption and authentication altogether but does not increase
> throughput. From here on it was absolutely clear that it was
> not a crypto issue.
>
> OpenVPN tries to be smart here and does its own fragmentation.
> This is the worst idea I have heard of all day, because that job
> is normally done best by the OS.
>
> Various settings which allow the user to "tune" this are grossly
> ineffective - let alone it isn't even clear what I am supposed
> to configure anywhere. Setting "fragment 1500" weirdly still
> does not convince openvpn to generate a packet that is longer
> than 1400 bytes. Who'd a thunk?
>
> There are a number of other parameters to set the MTU or which
> are related to it (tun-mtu, link-mtu, fragment, mssfix).
>
> On top of all of this we have two "bugs" in ovpnmain.cgi which
> are being fixed in this patch:
>
> 1) mssfix can be configured by the user. However, we always
> enable it in openvpn. The default is on, we only add "mssfix"
> which simply turns it on.
> It is now being disabled when the user has chosen so in the
> web UI. I do not know if this is backwards-compatible.
>
> 2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
> used.
> So it becomes pointless that the user can configure this and the
> user is not being made aware of this when they hit the save
> button.
> This was added when we added path MTU discovery. Since that
> did not work and was removed, we can remove this now, too.
>
> I achieved a solid 500-600 MBit/s of goodput with these settings:
>
> * Disable mssfix
> * Set "fragment" to 0
> * Set MTU to 9000

We had a discussion about that a long time ago --> https://bugzilla.ipfire.org/show_bug.cgi?id=11364#c18 . Did not know that an MTU of 9000 is possible, sounds like jumbo frames.

>
> I am sure the MTU could be further increased to have bigger packets,
> but I did not test how badly this will affect latency of the tunnel.
>
> OpenVPN seems to only be able to handle a certain amount of packets
> a second - no matter what. With larger packets, the throughput of
> the tunnel increases, but latency might as well.
>
> Signed-off-by: Michael Tremer
> Cc: Erik Kapfer
> Cc: Stefan Schantl
> ---
> html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
> 1 file changed, 9 insertions(+), 20 deletions(-)
>
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index e7bc505e7..e5bc45c1c 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -280,14 +280,7 @@ sub writeserverconf { > print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; > #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} > $netsettings{'GREEN_NETMASK'}\"\n"; > > - # Check if we are using mssfix, fragment and set the corretct > mtu of 1500. > - # If we doesn't use one of them, we can use the configured mtu > value. > - if ($sovpnsettings{'MSSFIX'} eq 'on') > - { print CONF "tun-mtu 1500\n"; } > - elsif ($sovpnsettings{'FRAGMENT'} ne '' && > $sovpnsettings{'DPROTOCOL'} ne 'tcp') > - { print CONF "tun-mtu 1500\n"; } > - else > - { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } > + print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; > > if ($vpnsettings{'ROUTES_PUSH'} ne '') { > @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); > @@ -320,6 +313,8 @@ sub writeserverconf { > } > if ($sovpnsettings{MSSFIX} eq 'on') { > print CONF "mssfix\n"; > + } else { > + print CONF "mssfix 0\n"; > } > if ($sovpnsettings{FRAGMENT} ne '' && > $sovpnsettings{'DPROTOCOL'} ne 'tcp') { > print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; > @@ -975,7 +970,7 @@ unless(-d > "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir > "${General > if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = > $cgiparams{'MTU'}}; > print SERVERCONF "tun-mtu $tunmtu\n"; > if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment > $cgiparams{'FRAGMENT'}\n";} > - if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; > }; > + if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } > else { print SERVERCONF "mssfix 0\n" }; > } > > print SERVERCONF "# Auth. Server\n"; 
> @@ -1074,7 +1069,7 @@ unless(-d > "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir > "${General > if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = > $cgiparams{'MTU'}}; > print CLIENTCONF "tun-mtu $tunmtu\n"; > if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment > $cgiparams{'FRAGMENT'}\n";} > - if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; > }; > + if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } > else { print CLIENTCONF "mssfix 0\n" }; > } > > # Check host certificate if X509 is RFC3280 compliant. > @@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq > 'net'){ > if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} > else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; > print CLIENTCONF "tun-mtu $tunmtu\n"; > if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF > "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} > - if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF > "mssfix\n";} > + if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF > "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; } > } > # Check host certificate if X509 is RFC3280 compliant. > # If not, old --ns-cert-type directive will be used. > @@ -2285,15 +2280,7 @@ else > print CLIENTCONF "nobind\r\n"; > print CLIENTCONF "dev tun\r\n"; > print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; > - > - # Check if we are using fragment, mssfix and set MTU to 1500 > - # or use configured value. > - if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne > 'tcp' ) > - { print CLIENTCONF "tun-mtu 1500\r\n"; } > - elsif ($vpnsettings{MSSFIX} eq 'on') > - { print CLIENTCONF "tun-mtu 1500\r\n"; } > - else > - { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } > + print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; > > if ( $vpnsettings{'ENABLED'} eq 'on'){ > print CLIENTCONF "remote $vpnsettings{'VPN_IP'} > $vpnsettings{'DDEST_PORT'}\r\n"; 
> @@ -2383,6 +2370,8 @@ else > print CLIENTCONF "verify-x509-name > $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; > if ($vpnsettings{MSSFIX} eq 'on') { > print CLIENTCONF "mssfix\r\n"; > + } else { > + print CLIENTCONF "mssfix 0\r\n"; > } > if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne > 'tcp' ) { > print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
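Review bot: in the hunk at @@ -280 (writeserverconf), the replacement line `print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";` has no fallback for an empty DMTU, so a server config saved without an MTU value would contain a `tun-mtu` directive with no argument. The n2n paths in the same patch guard this with `if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'}`; apply the same guard here (or validate DMTU on save) before the 1500 cap is dropped.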
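Review bot: the new `} else { print CONF "mssfix 0\n"; }` branch at @@ -320 silently changes every existing installation whose stored MSSFIX setting is not 'on': those configs ran with OpenVPN's built-in mssfix default until now and will have MSS clamping switched off after the update. The commit message itself says "I do not know if this is backwards-compatible", so either migrate the stored setting for existing configs or document the change; and since the message also complains that OpenVPN defaults move over time, consider writing an explicit value in the 'on' branch rather than a bare `mssfix`.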
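Review bot: at @@ -975 the one-liner `if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };` is repeated almost verbatim at @@ -1074 for CLIENTCONF and again at @@ -2204 (with a slightly different `else { ...; }` style), on top of the two roadwarrior blocks; the tun-mtu/fragment/mssfix trio is now written in five places. Factoring it into one helper that takes the filehandle and line ending would keep the new `mssfix 0` default from drifting between the n2n and roadwarrior paths.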
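Review bot: the client-side removal at @@ -2285 (`print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";`) has the same missing fallback for an empty DMTU as the server-side hunk at @@ -280. It also means the downloaded client .ovpn now carries whatever DMTU the server has at generation time, so a user who raises the MTU to 9000 as the commit message suggests has to regenerate and redistribute existing client configs, otherwise the client and server tun-mtu no longer match.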
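As an added example (not code from the patch or from ovpnmain.cgi), a single helper that produces the MTU-related directives for both the server config and the Windows-style client config, falls back to 1500 when DMTU is empty, and writes an explicit `mssfix 0` when the option is off; the hash keys follow ovpnmain.cgi, the helper name and the sample settings are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed helper (not in ovpnmain.cgi): build the tun-mtu / fragment / mssfix
# lines from one settings hash so server and client configs cannot drift apart.
# $eol is "\n" for the server config and "\r\n" for the client .ovpn file.
sub mtu_directives {
    my ($settings, $eol) = @_;
    my @lines;

    # An empty DMTU would otherwise emit "tun-mtu" without a value; fall back
    # to 1500 the way the n2n code paths already do.
    my $dmtu = $settings->{'DMTU'} // '';
    my $mtu  = ($dmtu =~ /^\d+$/) ? $dmtu : 1500;
    push @lines, "tun-mtu $mtu";

    # OpenVPN's internal fragmentation is only used over UDP.
    my $fragment = $settings->{'FRAGMENT'} // '';
    if ($fragment ne '' && ($settings->{'DPROTOCOL'} // '') ne 'tcp') {
        push @lines, "fragment $fragment";
    }

    # Always write mssfix explicitly: "mssfix" enables it, "mssfix 0"
    # disables it instead of silently leaving OpenVPN's default in place.
    if (($settings->{'MSSFIX'} // '') eq 'on') {
        push @lines, "mssfix";
    } else {
        push @lines, "mssfix 0";
    }

    return join('', map { "$_$eol" } @lines);
}

# Constructed sample settings: the high-throughput configuration from the
# commit message (mssfix off, fragment 0, MTU 9000) and an empty-MTU TCP case.
my %fast  = (DMTU => '9000', FRAGMENT => '0', MSSFIX => 'off', DPROTOCOL => 'udp');
my %empty = (DMTU => '',     FRAGMENT => '',  MSSFIX => 'on',  DPROTOCOL => 'tcp');

print "# server config\n", mtu_directives(\%fast,  "\n");
print "# client config\n", mtu_directives(\%empty, "\r\n");
```

The first call yields `tun-mtu 9000`, `fragment 0` and `mssfix 0`; the second yields `tun-mtu 1500` and `mssfix` with CRLF endings and no fragment line, because the protocol is TCP.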