From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Actually apply configured parameters
Date: Fri, 23 Oct 2020 11:18:18 +0100
Message-ID: <D3CDFC97-702D-44AC-A507-819421554483@ipfire.org>
In-Reply-To: <60a08ee938283155f3f551e89113e10d24788820.camel@ipfire.org>
List-Id: <development.lists.ipfire.org>

Hello Erik,

Thank you for your prompt reply.

Interesting that we have talked about this that long ago. I totally forgot about that conversation, and I could not derive any actionable items from it.

I guess I have now implemented the option to actually disable mssfix.

The last post refers to this:

  https://sourceforge.net/p/openvpn/mailman/message/13218191/

A post from 2004 which simply says what has to be done - ideally. The only problem with that is that it is incredibly slow - presumably because of implementation issues.

If VPNs are slow, people tend to stop using them. That will of course expose them to loads of security issues.

So what can we do here? I have no idea apart from adding this patch, so that the user has at least some kind of choice.

Do you think this will be backwards-compatible, or are we going to break installations if we were to accept the patch?

Best,
-Michael

> On 21 Oct 2020, at 17:22, ummeegge <ummeegge@ipfire.org> wrote:
>
> Hi Michael,
>
> On Tuesday, 20.10.2020, 13:28 +0000, Michael Tremer wrote:
>> OpenVPN is an absolute mess. The behaviour of configuration
>> parameters has been changed over the time; default values have been
>> changed over time; and it looks like nobody is actually testing
>> anything any more.
>>
>> I have been spending hours today on figuring out why OpenVPN
>> is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
>> it achieves about 100 MBit/s in the default configuration when
>> "openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
>>
>> Changing any of the cryptography parameters does not change
>> anything. Throughput remains around 100 MBit/s.
>>
>> I finally set "cipher none" and "auth none" which disables
>> encryption and authentication altogether but does not increase
>> throughput. From here on it was absolutely clear that it was
>> not a crypto issue.
>>
>> OpenVPN tries to be smart here and does its own fragmentation.
>> This is the worst idea I have heard of all day, because that job
>> is normally done best by the OS.
>>
>> Various settings which allow the user to "tune" this are grossly
>> ineffective - let alone it isn't even clear what I am supposed
>> to configure anywhere. Setting "fragment 1500" weirdly still
>> does not convince openvpn to generate a packet that is longer
>> than 1400 bytes. Who'd a thunk?
>>
>> There are a number of other parameters to set the MTU or which
>> are related to it (tun-mtu, link-mtu, fragment, mssfix).
>>
>> On top of all of this we have two "bugs" in ovpnmain.cgi which
>> are being fixed in this patch:
>>
>> 1) mssfix can be configured by the user. However, we always
>>   enable it in openvpn. The default is on, we only add "mssfix"
>>   which simply turns it on.
>>   It is now being disabled when the user has chosen so in the
>>   web UI. I do not know if this is backwards-compatible.
>>
>> 2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
>>   used. So it becomes pointless that the user can configure this and
>>   the user is not being made aware of this when they hit the save
>>   button.
>>   This was added when we added path MTU discovery. Since that
>>   did not work and was removed, we can remove this now, too.
>>
>> I achieved a solid 500-600 MBit/s of goodput with these settings:
>>=20
>> * Disable mssfix
>> * Set "fragment" to 0
>> * Set MTU to 9000
> We have had a discussion about that a longer time ago -->
> https://bugzilla.ipfire.org/show_bug.cgi?id=11364#c18
> Did not know that an MTU of 9000 is possible, sounds like jumbo
> frames.
>
>>
>> I am sure the MTU could be further increased to have bigger packets,
>> but I did not test how badly this will affect latency of the tunnel.
>>
>> OpenVPN seems to only be able to handle a certain amount of packets
>> a second - no matter what. With larger packets, the throughput of
>> the tunnel increases, but latency might as well.
>>
>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>> Cc: Erik Kapfer <erik.kapfer@ipfire.org>
>> Cc: Stefan Schantl <stefan.schantl@ipfire.org>
>> ---
>> html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
>> 1 file changed, 9 insertions(+), 20 deletions(-)
>>
>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>> index e7bc505e7..e5bc45c1c 100644
>> --- a/html/cgi-bin/ovpnmain.cgi
>> +++ b/html/cgi-bin/ovpnmain.cgi
>> @@ -280,14 +280,7 @@ sub writeserverconf {
>>     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
>>     #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'}
>> $netsettings{'GREEN_NETMASK'}\"\n";
>>=20
>> -    # Check if we are using mssfix, fragment and set the corretct
>> mtu of 1500.
>> -    # If we doesn't use one of them, we can use the configured mtu
>> value.
>> -    if ($sovpnsettings{'MSSFIX'} eq 'on')=20
>> -	{ print CONF "tun-mtu 1500\n"; }
>> -    elsif ($sovpnsettings{'FRAGMENT'} ne '' &&
>> $sovpnsettings{'DPROTOCOL'} ne 'tcp')=20
>> -	{ print CONF "tun-mtu 1500\n"; }
>> -    else=20
>> -	{ print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
>> +    print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
>>=20
>>     if ($vpnsettings{'ROUTES_PUSH'} ne '') {
>> 		@temp =3D split(/\n/,$vpnsettings{'ROUTES_PUSH'});
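Review bot: the new unconditional `print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";` has no fallback for an empty DMTU, while the net-to-net paths in this same patch default it with `if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'}`. If the web UI can leave DMTU unset, this writes a bare `tun-mtu` that OpenVPN refuses with an options error, a case the removed branches masked by forcing 1500 whenever mssfix or fragment was on. Either apply the same 1500 default here, or state in the commit message why DMTU is guaranteed to hold a value by the time this runs.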
>> @@ -320,6 +313,8 @@ sub writeserverconf {
>>     }
>>     if ($sovpnsettings{MSSFIX} eq 'on') {
>> 		print CONF "mssfix\n";
>> +    } else {
>> +		print CONF "mssfix 0\n";
>>     }
>>     if ($sovpnsettings{FRAGMENT} ne '' &&
>> $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
>> 		print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
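Review bot: the new `else { print CONF "mssfix 0\n"; }` flips the effective behaviour for every installation whose MSSFIX setting is anything other than 'on', including an absent key: previously the else branch wrote nothing and OpenVPN's built-in default (on, as the commit message says) applied, now those installations get mssfix explicitly disabled. That is exactly the backwards-compatibility question the commit message leaves open; an update step that sets MSSFIX=on where the key is missing, or at least a changelog note, would settle it. A short comment that `0` here means "disabled" would also spare the next reader a trip to the OpenVPN manual.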
>> @@ -975,7 +970,7 @@ unless(-d
>> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
>> "${General
>>   if ($cgiparams{'MTU'} eq '') {$tunmtu =3D '1500'} else {$tunmtu =3D
>> $cgiparams{'MTU'}};
>>   print SERVERCONF "tun-mtu $tunmtu\n";
>>   if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment
>> $cgiparams{'FRAGMENT'}\n";}=20
>> -  if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n";
>> };=20
>> +  if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }
>> else { print SERVERCONF "mssfix 0\n" };
>>   }
>>=20
>>   print SERVERCONF "# Auth. Server\n";=20
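Review bot: style, the n2n server line `{print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };` keeps the stray `;` after the closing brace (carried over from the removed line) and is shaped differently from the road warrior change further down, which puts `} else {` on its own line with the print indented. The same if/else now appears in five places; one consistent shape, or a small helper taking the filehandle and the MSSFIX value, would keep them from drifting apart again.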
>> @@ -1074,7 +1069,7 @@ unless(-d
>> "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir
>> "${General
>>   if ($cgiparams{'MTU'} eq '') {$tunmtu =3D '1500'} else {$tunmtu =3D
>> $cgiparams{'MTU'}};
>>   print CLIENTCONF "tun-mtu $tunmtu\n";
>>   if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment
>> $cgiparams{'FRAGMENT'}\n";}
>> -  if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n";
>> };=20
>> +  if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }
>> else { print CLIENTCONF "mssfix 0\n" };
>>   }
>>=20
>>   # Check host certificate if X509 is RFC3280 compliant.
>> @@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq
>> 'net'){
>>    if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu =3D '1500'}
>> else {$tunmtu =3D $confighash{$cgiparams{'KEY'}}[31]};
>>    print CLIENTCONF "tun-mtu $tunmtu\n";
>>    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF
>> "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
>> -   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF
>> "mssfix\n";}
>> +   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF
>> "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
>>    }
>>    # Check host certificate if X509 is RFC3280 compliant.
>>    # If not, old --ns-cert-type directive will be used.
>> @@ -2285,15 +2280,7 @@ else
>>     print CLIENTCONF "nobind\r\n";
>>     print CLIENTCONF "dev tun\r\n";
>>     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
>> -
>> -    # Check if we are using fragment, mssfix and set MTU to 1500
>> -    # or use configured value.
>> -    if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne
>> 'tcp' )
>> -	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
>> -    elsif ($vpnsettings{MSSFIX} eq 'on')
>> -	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
>> -    else
>> -	{ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
>> +    print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
>>=20
>>     if ( $vpnsettings{'ENABLED'} eq 'on'){
>>     	print CLIENTCONF "remote $vpnsettings{'VPN_IP'}
>> $vpnsettings{'DDEST_PORT'}\r\n";
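Review bot: same fallback gap as in writeserverconf: `print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";` writes whatever DMTU holds, with no 1500 default, so an empty value ends up in the downloaded client .ovpn as a bare `tun-mtu`. Note also that the removed branches tested fragment before mssfix here but mssfix before fragment in the server function; both resolved to 1500 so the result was the same, but dropping both removes that inconsistency and deserves a line in the commit message.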
>> @@ -2383,6 +2370,8 @@ else
>>     print CLIENTCONF "verify-x509-name
>> $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
>>     if ($vpnsettings{MSSFIX} eq 'on') {
>> 	print CLIENTCONF "mssfix\r\n";
>> +    } else {
>> +	print CLIENTCONF "mssfix 0\r\n";
>>     }
>>     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne
>> 'tcp' ) {
>> 	print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
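Review bot: the explicit `mssfix 0\r\n` now lands in every newly generated road warrior config, but clients that already downloaded their .ovpn keep a file without the line and so keep OpenVPN's default mssfix on, while the server side runs with it disabled. If turning mssfix off is the point of the setting, the commit message or the web UI should tell users that existing clients have to fetch a new configuration for the change to apply on both ends.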

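To make the before/after behaviour of the patch concrete, here is an added example, not code from IPFire or OpenVPN, that re-expresses the tun-mtu/mssfix/fragment logic of ovpnmain.cgi in Python for both the old and the patched branch and runs a small lint over the emitted lines. The function names, the lint rules, and the assumption that the DMTU field can arrive empty are mine; the patch does not say whether the web UI guarantees a value. The sample settings are constructed, the first one mirroring the settings Michael reports (mssfix off, fragment 0, MTU 9000).

```python
"""Model of the tun-mtu / mssfix / fragment lines written by ovpnmain.cgi,
before and after the patch, plus a lint over the result.

Added example for this thread; not IPFire's or OpenVPN's code.  The Perl
if/else chains are re-expressed in Python so the two behaviours can be
compared side by side.  Lint rules are reviewer assumptions, not OpenVPN's
own option parser.
"""


def mtu_lines(settings, patched):
    """Return the config lines for tun-mtu, mssfix and fragment.

    `settings` mirrors the %sovpnsettings keys used by the CGI:
      MSSFIX    'on' or anything else
      FRAGMENT  string, '' means unset
      DPROTOCOL 'udp' or 'tcp'
      DMTU      MTU string from the web UI (assumed: may be empty)
    `patched` selects the post-patch behaviour.
    """
    mssfix = settings.get("MSSFIX", "") == "on"
    fragment = settings.get("FRAGMENT", "")
    proto = settings.get("DPROTOCOL", "udp")
    dmtu = settings.get("DMTU", "")
    # The CGI only emits "fragment" for non-TCP transports.
    use_fragment = fragment != "" and proto != "tcp"

    lines = []
    if not patched and (mssfix or use_fragment):
        lines.append("tun-mtu 1500")          # old code: silently caps the MTU
    else:
        lines.append(f"tun-mtu {dmtu}")       # patched: always the configured value
    if mssfix:
        lines.append("mssfix")
    elif patched:
        lines.append("mssfix 0")              # patched: explicitly disabled
    if use_fragment:
        lines.append(f"fragment {fragment}")
    return lines


def lint_mtu_lines(lines):
    """Return human-readable problems found in the emitted lines.

    Checks (reviewer assumptions):
      * tun-mtu must carry a numeric value; an empty DMTU would otherwise
        produce a bare "tun-mtu", which OpenVPN refuses as an options error
      * mssfix should be stated explicitly, because OpenVPN enables it by
        default when the line is absent
    """
    directives = {}
    for line in lines:
        name, *args = line.split()
        directives[name] = args
    problems = []
    tun_mtu = directives.get("tun-mtu")
    if tun_mtu is None:
        problems.append("tun-mtu missing")
    elif not tun_mtu or not tun_mtu[0].isdigit():
        problems.append("tun-mtu has no numeric value (empty DMTU?)")
    if "mssfix" not in directives:
        problems.append("mssfix not stated; OpenVPN's default (enabled) applies")
    return problems


if __name__ == "__main__":
    # Constructed settings: the thread's working configuration, and the
    # edge case of an empty MTU field that the old 1500 cap used to hide.
    for settings in (
        {"MSSFIX": "off", "FRAGMENT": "0", "DPROTOCOL": "udp", "DMTU": "9000"},
        {"MSSFIX": "on", "FRAGMENT": "1300", "DPROTOCOL": "udp", "DMTU": ""},
    ):
        for patched in (False, True):
            lines = mtu_lines(settings, patched)
            label = "patched" if patched else "old    "
            print(label, lines, lint_mtu_lines(lines))
```

Running it shows the old code writing `tun-mtu 1500` for the 9000-byte setup and masking the empty-DMTU case, and the patched code honouring the configured value while exposing the bare `tun-mtu` that an empty field produces, which is the check worth adding to the CGI or its input validation before the patch is merged.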
