issues with UDP streams inside openvpn

[paolomera]

Hi, I have strange bandwidth issues:

testing with iperf on a 75mbit simmetric WAN connection between server and client I get

70-75 mbit/s throughput with TCP, off from openvpn
60-65 mbit/s throughput with UDP, off from openvpn

but inside openvpn UDP or TCP tunnel i got
50-55 mbit/s opening TCP connections
10-15 mbit/s opening UDP streams

Why am I loosing all of this bandwidth?

here my server config:

Code: Select all

##protocol port
port 22222
proto udp
dev tun0

##ip server client
topology subnet
server 10.0.1.0 255.255.255.128

##key
ca /etc/openvpn/VPN/ca.crt
cert /etc/openvpn/VPN/server.crt
key /etc/openvpn/VPN/server.key
dh /etc/openvpn/VPN/dh2048.pem

##option
persist-key
persist-tun
keepalive 10 60
reneg-sec 432000

##option auth.
comp-lzo
user openvpn
username-as-common-name
auth-user-pass-verify /etc/openvpn/scripts/login.sh via-env
client-config-dir /etc/openvpn/VPN/ccd/

##push to client
max-clients 50
push "persist-key"
push "persist-tun"

##DNS-Server
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

##script connect-disconnect
client-connect "/etc/openvpn/scripts/connect.sh '/etc/openvpn/VPN/ccd/'"
client-disconnect "/etc/openvpn/scripts/disconnect.sh '/etc/openvpn/VPN/ccd/'"

##log-status
status /etc/openvpn/VPN/log/status.log
log-append /etc/openvpn/VPN/log/openvpn.log
verb 4

#cipher
cipher AES-256-CBC

#fragmentation / MTU tuning
tun-mtu 1440
mtu-disc yes
fragment 0
mssfix 0
sndbuf 0
rcvbuf 0
fast-io

here my client config

Code: Select all

client
remote hostname 22222
ca '/VPN/ca.crt'
cert '/VPN/client.crt'
key '/VPN/client.key'
reneg-sec 432000
cipher AES-256-CBC
comp-lzo adaptive
float
dev tun10
proto udp
remote-cert-tls server
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn
txqueuelen 1000
sndbuf 0
rcvbuf 0
fragment 0
mssfix 0
tun-mtu 1440
fast-io

[paolomera]

the "server" config is inside an LXC container with openvpn over debian jessie (openvpn 2.3.4), the client config is on debian buster 10 and openvpn 2.4.5. Trying with cipher none and ncp-disable doesn't make any difference.

The cpu of the server is a poor amd a4 3300, the cpu of the client is a celeron n3450.

[TinCanTech]

Code: Select all

#fragmentation / MTU tuning 
tun-mtu 1440 
mtu-disc yes 
fragment 0 
mssfix 0 
sndbuf 0 
rcvbuf 0 
fast-io

This does not look like tuning to me .. do you understand what any of that does ?
There are defaults which have been carefully chosen by the developers ..

the "server" config is inside an LXC container

This will have an impact on performance.

The cpu of the server is a poor amd a4 3300, the cpu of the client is a celeron n3450

These will both have an impact on performance.

dh /etc/openvpn/VPN/dh2048.pem

You could try with an Elliptic curve PKI (See Easyrsa3)
Then use --ecdh-curve secp256r1

Trying with cipher none and ncp-disable doesn't make any difference.

Then I expect you are actually bound by the fact that your systems are a bit weak .. do they have AESNI on chip support ?

[paolomera]

Code: Select all

#fragmentation / MTU tuning 
tun-mtu 1440 
mtu-disc yes 
fragment 0 
mssfix 0 
sndbuf 0 
rcvbuf 0 
fast-io

This does not look like tuning to me .. do you understand what any of that does ?
There are defaults which have been carefully chosen by the developers ..

Yeah, with or without each one of these settings I don't see any difference with the issue I opened. To be clear, for first I tried a lot with these settings, and then when I saw no effects, I wrote this post.

the "server" config is inside an LXC container

This will have an impact on performance.

yeah, but why only for UDP and not for TCP streams?

The cpu of the server is a poor amd a4 3300, the cpu of the client is a celeron n3450

These will both have an impact on performance.

yeah, but why only for UDP and not for TCP streams?

dh /etc/openvpn/VPN/dh2048.pem

You could try with an Elliptic curve PKI (See Easyrsa3)
Then use --ecdh-curve secp256r1

I'll try ASAP, but do you think it would cause big differences between tcp and udp inside the vpn? It seems strange

Trying with cipher none and ncp-disable doesn't make any difference.

Then I expect you are actually bound by the fact that your systems are a bit weak .. do they have AESNI on chip support ?
[/quote]

Wait: Doesn't make differences: so I got same problems in terms of bandwidth... Why this thing could be related to AESNI if with no encryption enabled I continuously get 10 mbit/sec over UDP and 50 mbit /sec via tcp?

The systems are indeed with low performances, but I cannot realize why I have this big gap between udp and tcp... and surprisingly udp gave me the worst results

[TinCanTech]

testing with iperf on a 75mbit simmetric WAN connection between server and client I get

70-75 mbit/s throughput with TCP, off from openvpn
60-65 mbit/s throughput with UDP, off from openvpn

but inside openvpn UDP or TCP tunnel i got
50-55 mbit/s opening TCP connections
10-15 mbit/s opening UDP streams

Why am I loosing all of this bandwidth?

There are ongoing discussions about openvpn performance within the developer community. One fact which has emerged is that badly configured devices, not necessarily yours but those of the operators between your server and client, have a huge effect on the OpenVPN UDP protocol .. unfortunately, getting those operators to co-operate is virtually impossible.

With that in mind and if you find the time, try setting up a test server and client on your own network, where you control every step of the VPN and see what results you get. Then post your results here

[spotify web player]

The information above is very good to me, thanks for sharing! -[url=https://spotify-webplayer.com]spotify web player[/url]