Periodic packet loss through VPN

NadJ
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 14, 2021 7:59 pm

Post by NadJ » Wed Sep 15, 2021 6:11 am

Hi all,

A picture says a thousand words: https://pasteboard.co/TSqy8WxHmXmZ.png

A quick description of my setup:

- Latest version of OpenVPN AS running as a virtual machine on Hyper-V, running on a Windows Server 2016 box.
- 1.5GB RAM, 1 vCPU
- 2 NICs for the VM, one used for admin, one for VPN connections
- Internal network (LAN) is 192.168.0.0/24
- NAT enabled

Generally no issues with connecting or name resolution. I have LDAP integrated authentication and Google Authenticator enabled.

The issue: I have packet loss through the VPN in a very cyclic and periodic manner to a server on the internal LAN (I also get the same packet loss to the 172.27 gateway from the VPN client, so it's not that particular server). After a reboot or making other parameter changes (e.g. mssfix 1430), things sometimes get better, but then it goes back to misbehaving after a while. Pinging the public IP of my company router, and pinging from the Windows Server (as well as the OpenVPN Linux machine) to the internet, reveals no problems. This is purely a VPN tunnel thing. It happens with just one user connected and no other traffic load. That is to say, the server and connection were idle at the time I tested (out of hours). This is for a small company of 15 people.

Things I have tried:
- Converted the Hyper-V virtual NIC from the standard type to the 'Legacy' type
- Set mssfix 1430
- v2 clients as well as v3

uname:

root@openvpnas2:/usr/local/openvpn_as/scripts# uname -a
Linux openvpnas2 4.15.0-109-generic #110-Ubuntu SMP Tue Jun 23 02:39:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Config:

root@openvpnas2:/usr/local/openvpn_as/scripts# ./sacli ConfigQuery
{
  "admin_ui.https.ip_address": "eth1",
  "admin_ui.https.port": "7943",
  "aui.eula_version": "2",
  "auth.ldap.0.add_req": "memberOf=CN=OPENVPN_USERS, CN=Users, DC=***, DC=local",
  "auth.ldap.0.bind_dn": "OPENVPN_USR",
  "auth.ldap.0.bind_pw": "***",
  "auth.ldap.0.case_sensitive": "false",
  "auth.ldap.0.name": "My LDAP servers",
  "auth.ldap.0.server.0.host": "192.168.0.45",
  "auth.ldap.0.ssl_verify": "internal",
  "auth.ldap.0.timeout": "4",
  "auth.ldap.0.uname_attr": "sAMAccountName",
  "auth.ldap.0.use_ssl": "never",
  "auth.ldap.0.users_base_dn": "DC=***, DC=local",
  "auth.module.type": "ldap",
  "auth.pam.0.service": "openvpnas",
  "auth.radius.0.acct_enable": "false",
  "auth.radius.0.name": "My Radius servers",
  "cs.cws_proto_v2": "true",
  "cs.https.ip_address": "eth1",
  "cs.https.port": "7943",
  "cs.prof_sign_web": "true",
  "cs.ssl_method": "SSLv3",
  "cs.tls_version_min": "1.1",
  "host.name": "***",
  "sa.initial_run_groups.0": "web_group",
  "sa.initial_run_groups.1": "openvpn_group",
  "subscription.bundle": "=",
  "subscription.saved_state": "SUBSCRIPTION_OK,***",
  "vpn.client.basic": "false",
  "vpn.client.cipher": "AES-256-CBC",
  "vpn.client.config_text": "dhcp-option DNS 192.168.0.45",
  "vpn.client.routing.inter_client": "false",
  "vpn.client.routing.reroute_dns": "custom",
  "vpn.client.routing.reroute_gw": "false",
  "vpn.client.routing.superuser_c2c_access": "false",
  "vpn.daemon.0.client.netmask_bits": "20",
  "vpn.daemon.0.client.network": "172.27.224.0",
  "vpn.daemon.0.listen.ip_address": "eth0",
  "vpn.daemon.0.listen.port": "7443",
  "vpn.daemon.0.listen.protocol": "tcp",
  "vpn.daemon.0.server.ip_address": "eth0",
  "vpn.general.osi_layer": "3",
  "vpn.server.cipher": "AES-256-CBC",
  "vpn.server.config_text": "push \"dhcp-option DNS 192.168.0.45\"\nmssfix 1430",
  "vpn.server.daemon.enable": "true",
  "vpn.server.daemon.ovpndco": "false",
  "vpn.server.daemon.protocols": "both",
  "vpn.server.daemon.tcp.n_daemons": "1",
  "vpn.server.daemon.tcp.port": "443",
  "vpn.server.daemon.udp.n_daemons": "1",
  "vpn.server.daemon.udp.port": "1194",
  "vpn.server.dhcp_option.adapter_domain_suffix": "***.local",
  "vpn.server.dhcp_option.dns.0": "192.168.0.45",
  "vpn.server.duplicate_cn": "true",
  "vpn.server.foreign_bridge": "",
  "vpn.server.google_auth.enable": "true",
  "vpn.server.group_pool.0": "172.27.240.0/20",
  "vpn.server.lockout_policy.reset_time": "2",
  "vpn.server.port_share.enable": "true",
  "vpn.server.port_share.ip_address": "1.2.3.4",
  "vpn.server.port_share.port": "1234",
  "vpn.server.port_share.service": "client",
  "vpn.server.routing.gateway_access": "true",
  "vpn.server.routing.private_access": "nat",
  "vpn.server.routing.private_network.0": "192.168.0.0/24",
  "vpn.server.tls_auth": "true",
  "vpn.server.tls_version_min": "1.2",
  "vpn.tls_refresh.do_reauth": "true",
  "vpn.tls_refresh.interval": "360"
}

ifconfig:

root@openvpnas2:/usr/local/openvpn_as/scripts# ifconfig
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.27.224.1  netmask 255.255.248.0  destination 172.27.224.1
        inet6 fe80::5270:fbb:18a1:8c7  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20  bytes 960 (960.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.27.232.1  netmask 255.255.248.0  destination 172.27.232.1
        inet6 fe80::5aa3:a39f:a077:aaab  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 8709  bytes 673774 (673.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4162  bytes 333221 (333.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.47  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::215:5dff:fe00:2d05  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:00:2d:05  txqueuelen 1000  (Ethernet)
        RX packets 29736  bytes 2104645 (2.1 MB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 37667  bytes 3162577 (3.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.48  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::215:5dff:fe00:2d06  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:00:2d:06  txqueuelen 1000  (Ethernet)
        RX packets 152249  bytes 130410367 (130.4 MB)
        RX errors 0  dropped 4226  overruns 0  frame 0
        TX packets 85719  bytes 90139233 (90.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3645  bytes 72945929 (72.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3645  bytes 72945929 (72.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

pr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::c88b:b0ff:feb9:57e  prefixlen 64  scopeid 0x20<link>
        ether ca:8b:b0:b9:05:7e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 1846 (1.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
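Since the post describes the loss as "cyclic and periodic", the first thing worth establishing is whether the drops really land at a fixed spacing (which points at a timer, keepalive or renegotiation) or are random (which points at congestion or a flaky link). The following is an added example, not code from the poster or from OpenVPN: it parses ordinary Linux `ping` output to the tunnel gateway, finds the missing icmp_seq numbers, and reports the dominant spacing between losses. The sample output below is constructed (every 10th reply missing) to stand in for a real capture.

```python
import re
from collections import Counter

# Constructed sample: `ping 172.27.224.1` output with every 10th reply missing.
# This is not real captured output; replace it with the text of a real run.
SAMPLE_PING = "\n".join(
    f"64 bytes from 172.27.224.1: icmp_seq={seq} ttl=64 time=12.{seq % 10} ms"
    for seq in range(1, 61) if seq % 10 != 0
)

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

def seen_sequences(ping_output):
    """Sorted icmp_seq values that produced a reply line."""
    return sorted(int(m.group(1)) for m in SEQ_RE.finditer(ping_output))

def lost_sequences(seqs):
    """Sequence numbers missing between the first and last observed reply."""
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]

def loss_period(lost):
    """Return (period, share): the most common spacing between consecutive
    losses and the fraction of gaps that equal it. A share near 1.0 means
    the loss is regular rather than random."""
    if len(lost) < 2:
        return None, 0.0
    gaps = [b - a for a, b in zip(lost, lost[1:])]
    period, count = Counter(gaps).most_common(1)[0]
    return period, count / len(gaps)

def summarize(ping_output):
    """Loss statistics for one ping run; empty dict if no replies were seen."""
    seqs = seen_sequences(ping_output)
    if not seqs:
        return {}
    lost = lost_sequences(seqs)
    period, share = loss_period(lost)
    total = seqs[-1] - seqs[0] + 1        # packets that should have replied
    return {
        "sent": total,
        "lost": len(lost),
        "loss_pct": round(100.0 * len(lost) / total, 1),
        "period": period,                  # spacing in packets (seconds at 1 pps)
        "regularity": round(share, 2),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_PING))
```

Run it on the output of a long ping with a 1-second interval; a `period` that matches a configured timer (for example the interval of a keepalive or a TLS renegotiation) is a much stronger lead than the raw loss percentage.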
