From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Actually apply configured parameters
Date: Wed, 25 Nov 2020 19:56:08 +0000
In-Reply-To: <5b6f69b49ab121c153e26c46449371dfeb583991.camel@ipfire.org>

Hello,

I didn't merge this yet, because I did not get any testing feedback (with a Tested-by tag).

Since nobody has anything to complain about, I will merge it then.

Best,
-Michael

> On 24 Nov 2020, at 15:19, ummeegge wrote:
>
> Hi Michael,
> wanted to warm this up a little :-) do you want to deliver this patch?
>
> Best,
>
> Erik
>
> On Tuesday, 20.10.2020, 13:28 +0000, Michael Tremer wrote:
>> OpenVPN is an absolute mess. The behaviour of configuration
>> parameters has been changed over time; default values have been
>> changed over time; and it looks like nobody is actually testing
>> anything any more.
>>
>> I have been spending hours today on figuring out why OpenVPN
>> is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
>> it achieves about 100 MBit/s in the default configuration when
>> "openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
>>
>> Changing any of the cryptography parameters does not change
>> anything. Throughput remains around 100 MBit/s.
>>
>> I finally set "cipher none" and "auth none" which disables
>> encryption and authentication altogether but does not increase
>> throughput. From here on it was absolutely clear that it was
>> not a crypto issue.
>>
>> OpenVPN tries to be smart here and does its own fragmentation.
>> This is the worst idea I have heard of all day, because that job
>> is normally done best by the OS.
>>
>> Various settings which allow the user to "tune" this are grossly
>> ineffective - let alone it isn't even clear what I am supposed
>> to configure anywhere. Setting "fragment 1500" weirdly still
>> does not convince openvpn to generate a packet that is longer
>> than 1400 bytes. Who'd a thunk?
>>
>> There are a number of other parameters to set the MTU or which
>> are related to it (tun-mtu, link-mtu, fragment, mssfix).
>>
>> On top of all of this we have two "bugs" in ovpnmain.cgi which
>> are being fixed in this patch:
>>
>> 1) mssfix can be configured by the user. However, we always
>> enable it in openvpn. The default is on, we only add "mssfix"
>> which simply turns it on.
>> It is now being disabled when the user has chosen so in the
>> web UI. I do not know if this is backwards-compatible.
>>
>> 2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
>> used. So it becomes pointless that the user can set this and the
>> user is not being made aware of this when they hit the save
>> button.
>> This was added when we added path MTU discovery. Since that
>> did not work and was removed, we can remove this now, too.
>>
>> I achieved a solid 500-600 MBit/s of goodput with these settings:
>>
>> * Disable mssfix
>> * Set "fragment" to 0
>> * Set MTU to 9000
>>
>> I am sure the MTU could be further increased to have bigger packets,
>> but I did not test how badly this will affect latency of the tunnel.
>>
>> OpenVPN seems to only be able to handle a certain amount of packets
>> a second - no matter what. With larger packets, the throughput of
>> the tunnel increases, but latency might as well.
>>
>> Signed-off-by: Michael Tremer
>> Cc: Erik Kapfer
>> Cc: Stefan Schantl
>> ---
>> html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
>> 1 file changed, 9 insertions(+), 20 deletions(-)
>>
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index e7bc505e7..e5bc45c1c 100644
>> --- a/html/cgi-bin/ovpnmain.cgi >> +++ b/html/cgi-bin/ovpnmain.cgi >> @@ -280,14 +280,7 @@ sub writeserverconf { >> print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; >> #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} >> $netsettings{'GREEN_NETMASK'}\"\n"; >> =20 >> - # Check if we are using mssfix, fragment and set the corretct >> mtu of 1500. >> - # If we doesn't use one of them, we can use the configured mtu >> value. >> - if ($sovpnsettings{'MSSFIX'} eq 'on')=20 >> - { print CONF "tun-mtu 1500\n"; } >> - elsif ($sovpnsettings{'FRAGMENT'} ne '' && >> $sovpnsettings{'DPROTOCOL'} ne 'tcp')=20 >> - { print CONF "tun-mtu 1500\n"; } >> - else=20 >> - { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } >> + print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; >> =20 >> if ($vpnsettings{'ROUTES_PUSH'} ne '') { >> @temp =3D split(/\n/,$vpnsettings{'ROUTES_PUSH'}); >> @@ -320,6 +313,8 @@ sub writeserverconf { >> } >> if ($sovpnsettings{MSSFIX} eq 'on') { >> print CONF "mssfix\n"; >> + } else { >> + print CONF "mssfix 0\n"; >> } >> if ($sovpnsettings{FRAGMENT} ne '' && >> $sovpnsettings{'DPROTOCOL'} ne 'tcp') { >> print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; >> @@ -975,7 +970,7 @@ unless(-d >> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir >> "${General >> if ($cgiparams{'MTU'} eq '') {$tunmtu =3D '1500'} else {$tunmtu =3D >> $cgiparams{'MTU'}}; >> print SERVERCONF "tun-mtu $tunmtu\n"; >> if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment >> $cgiparams{'FRAGMENT'}\n";}=20 >> - if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; >> + if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } >> else { print SERVERCONF "mssfix 0\n" }; >> } >> =20 >> print SERVERCONF "# Auth. Server\n";=20 
>> @@ -1074,7 +1069,7 @@ unless(-d >> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir >> "${General >> if ($cgiparams{'MTU'} eq '') {$tunmtu =3D '1500'} else {$tunmtu =3D >> $cgiparams{'MTU'}}; >> print CLIENTCONF "tun-mtu $tunmtu\n"; >> if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment >> $cgiparams{'FRAGMENT'}\n";} >> - if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; >> + if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } >> else { print CLIENTCONF "mssfix 0\n" }; >> } >> =20 >> # Check host certificate if X509 is RFC3280 compliant. >> @@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq >> 'net'){ >> if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu =3D '1500'} >> else {$tunmtu =3D $confighash{$cgiparams{'KEY'}}[31]}; >> print CLIENTCONF "tun-mtu $tunmtu\n"; >> if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF >> "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} >> - if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF >> "mssfix\n";} >> + if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF >> "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; } >> } >> # Check host certificate if X509 is RFC3280 compliant. >> # If not, old --ns-cert-type directive will be used. 
>> @@ -2285,15 +2280,7 @@ else >> print CLIENTCONF "nobind\r\n"; >> print CLIENTCONF "dev tun\r\n"; >> print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; >> - >> - # Check if we are using fragment, mssfix and set MTU to 1500 >> - # or use configured value. >> - if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne >> 'tcp' ) >> - { print CLIENTCONF "tun-mtu 1500\r\n"; } >> - elsif ($vpnsettings{MSSFIX} eq 'on') >> - { print CLIENTCONF "tun-mtu 1500\r\n"; } >> - else >> - { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } >> + print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; >> =20 >> if ( $vpnsettings{'ENABLED'} eq 'on'){ >> print CLIENTCONF "remote $vpnsettings{'VPN_IP'} >> $vpnsettings{'DDEST_PORT'}\r\n"; >> @@ -2383,6 +2370,8 @@ else >> print CLIENTCONF "verify-x509-name >> $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; >> if ($vpnsettings{MSSFIX} eq 'on') { >> print CLIENTCONF "mssfix\r\n"; >> + } else { >> + print CLIENTCONF "mssfix 0\r\n"; >> } >> if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne >> 'tcp' ) { >> print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n"; >=20 >=20 --===============0112635412587488143==--
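Review bot: in the writeserverconf hunk (@@ -280,14 +280,7 @@) the replacement line `print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";` writes DMTU without any check, while the n2n hunks in this same patch guard their value with `if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};`. An existing installation whose DMTU is empty or non-numeric would now get a `tun-mtu` line without a usable value in the server config; suggest the same default-to-1500 fallback here, or rejecting an empty or non-numeric MTU at save time, which the commit message itself says the UI does not do today. The same applies to the roadwarrior client hunk (@@ -2285,15 +2280,7 @@), which writes `tun-mtu $vpnsettings{'DMTU'}\r\n` unconditionally.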
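Review bot: the new `} else { print CONF "mssfix 0\n"; }` branch in the @@ -320,6 +313,8 @@ hunk (and its twin in @@ -2383,6 +2370,8 @@ for CLIENTCONF) turns a setting that was previously ignored into a behaviour change for every existing installation that has MSSFIX off, and client configs exported before this change will still lack `mssfix 0`. The commit message only says "I do not know if this is backwards-compatible"; suggest stating in the commit message that affected clients need their config re-exported, and that the Tested-by feedback requested in this thread should cover an upgrade of an existing configuration rather than only a fresh setup.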
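Review bot: in the n2n server hunk (@@ -975,7 +970,7 @@) and the identical client hunk (@@ -1074,7 +1069,7 @@) the added line `if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };` keeps the stray `;` after the closing brace and drops the semicolon inside the else block, so the mssfix sites now use a different form from the @@ -2204 hunk's `else { print CLIENTCONF "mssfix 0\n"; }`. Suggest one consistent form, or a small helper that emits the tun-mtu/mssfix/fragment block, since the same logic is now copied into the server, roadwarrior client and both n2n paths and this patch had to touch all of them.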
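As an added example (not part of this thread and not IPFire code), a small Python checker that parses a generated OpenVPN config and reports when the directives the commit message discusses (tun-mtu, mssfix, fragment) do not match what the operator configured; it treats an absent or bare `mssfix` as on, as the commit message describes, and the two sample configs are constructed.

```python
"""Check that a generated OpenVPN config really applies the chosen MTU settings."""


def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def effective_settings(conf):
    """Resolve the directives the patch touches to their effective values."""
    proto = (conf.get("proto") or ["udp"])[0]
    tun_mtu = int((conf.get("tun-mtu") or ["1500"])[0])
    mss = conf.get("mssfix")
    # Absent or bare "mssfix" both mean on (the commit message's point);
    # only an explicit "mssfix 0" switches it off.
    mssfix_on = True if mss is None or mss == [] else int(mss[0]) != 0
    frag = conf.get("fragment")
    fragment = int(frag[0]) if frag else 0
    return {"proto": proto, "tun-mtu": tun_mtu,
            "mssfix": mssfix_on, "fragment": fragment}


def check_applied(text, wanted):
    """Return the list of UI settings the config does not actually apply."""
    eff = effective_settings(parse_ovpn(text))
    problems = []
    if not wanted["mssfix"] and eff["mssfix"]:
        problems.append("mssfix still on: config must say 'mssfix 0'")
    if wanted["tun-mtu"] != eff["tun-mtu"]:
        problems.append("tun-mtu %d written, %d configured"
                        % (eff["tun-mtu"], wanted["tun-mtu"]))
    if wanted["fragment"] and eff["proto"].startswith("tcp"):
        problems.append("fragment has no effect with proto tcp")
    return problems


# Constructed samples: the capped config the old ovpnmain.cgi wrote, and
# the settings the commit message reports 500-600 MBit/s with.
OLD_CONF = "proto udp\ntun-mtu 1500\nfragment 1400\n"
NEW_CONF = "proto udp\ntun-mtu 9000\nmssfix 0\nfragment 0\n"
WANTED = {"tun-mtu": 9000, "mssfix": False, "fragment": 0}
```

Running `check_applied(OLD_CONF, WANTED)` yields two findings (mssfix still on, tun-mtu capped), while the new config yields none.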