issues with UDP streams inside openvpn

paolomera
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 29, 2018 1:18 pm

issues with UDP streams inside openvpn

Post by paolomera » Fri Jun 29, 2018 1:34 pm

Hi, I have strange bandwidth issues:

Testing with iperf on a 75mbit symmetric WAN connection between server and client I get

70-75 mbit/s throughput with TCP, off from openvpn
60-65 mbit/s throughput with UDP, off from openvpn

but inside openvpn UDP or TCP tunnel I got
50-55 mbit/s opening TCP connections
10-15 mbit/s opening UDP streams

Why am I losing all of this bandwidth?

Here is my server config:

Code: Select all

##protocol port
port 22222
proto udp
dev tun0

##ip server client
topology subnet
server 10.0.1.0 255.255.255.128

##key
ca /etc/openvpn/VPN/ca.crt
cert /etc/openvpn/VPN/server.crt
key /etc/openvpn/VPN/server.key
dh /etc/openvpn/VPN/dh2048.pem

##option
persist-key
persist-tun
keepalive 10 60
reneg-sec 432000

##option auth.
comp-lzo
user openvpn
username-as-common-name
auth-user-pass-verify /etc/openvpn/scripts/login.sh via-env
client-config-dir /etc/openvpn/VPN/ccd/

##push to client
max-clients 50
push "persist-key"
push "persist-tun"

##DNS-Server
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

##script connect-disconnect
client-connect "/etc/openvpn/scripts/connect.sh '/etc/openvpn/VPN/ccd/'"
client-disconnect "/etc/openvpn/scripts/disconnect.sh '/etc/openvpn/VPN/ccd/'"

##log-status
status /etc/openvpn/VPN/log/status.log
log-append /etc/openvpn/VPN/log/openvpn.log
verb 4

#cipher
cipher AES-256-CBC

#fragmentation / MTU tuning
tun-mtu 1440
mtu-disc yes
fragment 0
mssfix 0
sndbuf 0
rcvbuf 0
fast-io

Here is my client config:

Code: Select all

client
remote hostname 22222
ca '/VPN/ca.crt'
cert '/VPN/client.crt'
key '/VPN/client.key'
reneg-sec 432000
cipher AES-256-CBC
comp-lzo adaptive
float
dev tun10
proto udp
remote-cert-tls server
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn
txqueuelen 1000
sndbuf 0
rcvbuf 0
fragment 0
mssfix 0
tun-mtu 1440
fast-io
Last edited by paolomera on Fri Jun 29, 2018 1:47 pm, edited 1 time in total.


Re: issues with UDP streams inside openvpn

Post by paolomera » Fri Jun 29, 2018 1:41 pm

The "server" config is inside an LXC container with openvpn over debian jessie (openvpn 2.3.4), the client config is on debian buster 10 and openvpn 2.4.5. Trying with cipher none and ncp-disable doesn't make any difference.

The cpu of the server is a poor amd a4 3300, the cpu of the client is a celeron n3450.

TinCanTech
OpenVPN Protagonist
Posts: 4631
Joined: Fri Jun 03, 2016 1:17 pm

Re: issues with UDP streams inside openvpn

Post by TinCanTech » Fri Jun 29, 2018 2:03 pm

paolomera wrote:
Fri Jun 29, 2018 1:34 pm

Code: Select all

#fragmentation / MTU tuning
tun-mtu 1440
mtu-disc yes
fragment 0
mssfix 0
sndbuf 0
rcvbuf 0
fast-io

This does not look like tuning to me .. do you understand what any of that does ?
There are defaults which have been carefully chosen by the developers ..

paolomera wrote:
Fri Jun 29, 2018 1:41 pm
the "server" config is inside an LXC container

This will have an impact on performance.

paolomera wrote:
Fri Jun 29, 2018 1:41 pm
The cpu of the server is a poor amd a4 3300, the cpu of the client is a celeron n3450

These will both have an impact on performance.

paolomera wrote:
Fri Jun 29, 2018 1:34 pm
dh /etc/openvpn/VPN/dh2048.pem

You could try with an Elliptic curve PKI (See Easyrsa3)
Then use --ecdh-curve secp256r1

paolomera wrote:
Fri Jun 29, 2018 1:41 pm
Trying with cipher none and ncp-disable doesn't make any difference.

Then I expect you are actually bound by the fact that your systems are a bit weak .. do they have AESNI on chip support ?


Re: issues with UDP streams inside openvpn

Post by paolomera » Wed Jul 04, 2018 10:45 am

TinCanTech wrote:
Fri Jun 29, 2018 2:03 pm
paolomera wrote:
Fri Jun 29, 2018 1:34 pm

Code: Select all

#fragmentation / MTU tuning
tun-mtu 1440
mtu-disc yes
fragment 0
mssfix 0
sndbuf 0
rcvbuf 0
fast-io
This does not look like tuning to me .. do you understand what any of that does ?
There are defaults which have been carefully chosen by the developers ..

Yeah, with or without each one of these settings I don't see any difference with the issue I opened. To be clear, first I tried a lot with these settings, and then when I saw no effects, I wrote this post.

paolomera wrote:
Fri Jun 29, 2018 1:41 pm
the "server" config is inside an LXC container
This will have an impact on performance.

Yeah, but why only for UDP and not for TCP streams?

paolomera wrote:
Fri Jun 29, 2018 1:41 pm
The cpu of the server is a poor amd a4 3300, the cpu of the client is a celeron n3450
These will both have an impact on performance.

Yeah, but why only for UDP and not for TCP streams?

paolomera wrote:
Fri Jun 29, 2018 1:34 pm
dh /etc/openvpn/VPN/dh2048.pem
You could try with an Elliptic curve PKI (See Easyrsa3)
Then use --ecdh-curve secp256r1

I'll try ASAP, but do you think it would cause big differences between TCP and UDP inside the VPN? It seems strange.

paolomera wrote:
Fri Jun 29, 2018 1:41 pm
Trying with cipher none and ncp-disable doesn't make any difference.
Then I expect you are actually bound by the fact that your systems are a bit weak .. do they have AESNI on chip support ?

Wait: it doesn't make any difference, so I get the same problems in terms of bandwidth... Why would this be related to AESNI if, with no encryption enabled, I continuously get 10 mbit/sec over UDP and 50 mbit/sec via TCP?

The systems are indeed low-performance, but I cannot understand why I have this big gap between UDP and TCP... and surprisingly UDP gave me the worst results.


Re: issues with UDP streams inside openvpn

Post by TinCanTech » Wed Jul 04, 2018 12:50 pm

paolomera wrote:
Fri Jun 29, 2018 1:34 pm
Testing with iperf on a 75mbit symmetric WAN connection between server and client I get

70-75 mbit/s throughput with TCP, off from openvpn
60-65 mbit/s throughput with UDP, off from openvpn

but inside openvpn UDP or TCP tunnel I got
50-55 mbit/s opening TCP connections
10-15 mbit/s opening UDP streams

Why am I losing all of this bandwidth?

There are ongoing discussions about openvpn performance within the developer community. One fact which has emerged is that badly configured devices, not necessarily yours but those of the operators between your server and client, have a huge effect on the OpenVPN UDP protocol .. unfortunately, getting those operators to co-operate is virtually impossible.

With that in mind and if you find the time, try setting up a test server and client on your own network, where you control every step of the VPN and see what results you get. Then post your results here 8-)
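
Added example (not part of any post in this thread, and not OpenVPN project code): with `tun-mtu 1440` and `fragment 0` as posted, a UDP datagram larger than the tun MTU is split by the sender's IP stack before OpenVPN sees it, while TCP sizes its segments to the interface MTU. The sketch computes the resulting inner packet sizes for a controlled test. Assumptions: IPv4 without options, and a 1470-byte payload as the test datagram size (check the length your iperf run actually uses).

```python
import re

IP_HDR = 20   # IPv4 header, no options (assumption)
UDP_HDR = 8
TCP_HDR = 20  # TCP header, no options (assumption)

# MTU section of the server config quoted in the thread, embedded as sample input.
SAMPLE_CONFIG = """\
#fragmentation / MTU tuning
tun-mtu 1440
mtu-disc yes
fragment 0
mssfix 0
"""

def directive(config, name, default=None):
    """Return the numeric argument of an OpenVPN directive, or default if unset."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(\d+)", config, re.MULTILINE)
    return int(m.group(1)) if m else default

def inner_fragments(udp_payload, tun_mtu):
    """Sizes of the IPv4 packets written to the tun device for one UDP datagram."""
    data = UDP_HDR + udp_payload              # bytes carried behind the IP header
    if IP_HDR + data <= tun_mtu:
        return [IP_HDR + data]                # fits: one packet, no fragmentation
    per_frag = (tun_mtu - IP_HDR) // 8 * 8    # non-final fragments carry a multiple of 8 bytes
    sizes = []
    while data > 0:
        chunk = min(per_frag, data)
        sizes.append(IP_HDR + chunk)
        data -= chunk
    return sizes

def max_unfragmented_payload(tun_mtu):
    """Largest UDP payload that still fits one packet on the tun device."""
    return tun_mtu - IP_HDR - UDP_HDR

def tcp_mss(tun_mtu):
    """MSS a TCP stack derives from the tun interface MTU."""
    return tun_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    mtu = directive(SAMPLE_CONFIG, "tun-mtu", 1500)  # 1500 is OpenVPN's default tun-mtu
    for payload in (1470, 1412, 1200):
        print(f"UDP payload {payload}: inner packets {inner_fragments(payload, mtu)}")
    print(f"largest single-packet UDP payload: {max_unfragmented_payload(mtu)}")
    print(f"TCP MSS at this MTU: {tcp_mss(mtu)}")
```

When repeating the measurement on a controlled network, running the UDP test once above and once below the single-packet payload limit shows whether inner fragmentation contributes to the gap.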
