From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: Extremely poor OpenVPN performance, help wanted
Date: Tue, 24 Sep 2019 10:04:37 -0700

Peter,

Is the issue reproducible on different OS and different OpenVPN clients? There’s a chance that the issue lies with FreeBSD or how you are configuring the VMs at different locations.

Tom

> On Sep 24, 2019, at 9:23 AM, wrote:
>
> Hello list,
>
> as mentioned several times before, I am experiencing OpenVPN performance
> problems. Since I am out of ideas by now, asking here for help seemed to
> make sense to me, as I am not sure whether it can be traced to a bug or not.
>
> Test setup is as follows:
> (a) IPFire is freshly installed on a testing machine with Core Update 135 (x86_64).
> The machine is connected to the internet via DSL (link has 100 Mbit/sec
> down capacity with MTU set to 1492) and runs dial-in by itself. No
> cascading router or NAT in place here.
> (b) The remote part is a VM hosted at a big German hosting company, with
> FreeBSD 12 installed (OpenVPN 2.4.7). Uplink is 1 Gbit/sec with MTU =
> 1492.
> (c) Both systems are able to submit ICMP packets up to 1492 bits, so MTU
> is set correctly on both interfaces.
> (d) The VM is establishing an OpenVPN roadwarrior connection to the IPFire
> machine, which can be set up successfully and uses AES-256-GCM (SHA 512)
> for data channel. Tunnel MTU is set to 1400 bytes.
>
> Downloading a test file via SCP from the VM using the OpenVPN connection
> takes ages and results in throughput between 400 and 700 kB/sec. While
> normal ICMP latency through the tunnel is around 35 ms, it fluctuates between
> 40 and 500 ms while download is running.
>
> Needless to say, a bandwidth of 700 kB/sec is unacceptable. Disabling
> Suricata speeds up to ~ 1.2 MB/sec, disabling Quality of Service (QoS)
> does not have any big effects.
>
> Since there are some clients using OpenVPN in restricted environments,
> TCP and port 443 is more or less fixed. Switching to UDP causes a small
> improvement (~ 800 kB/sec), but does not seem to cure the root cause.
>
> This effect is reproducible with multiple VMs at multiple locations,
> so I do not think it is related to network outages at one certain hoster.
>
> What am I doing wrong? Is anyone experiencing the same problem?
>
> As mentioned in the Subject line, any help is appreciated.
>
> Thanks, and best regards,
> Peter Müller