[SOLVED] Unstable and slow connection

[kk2628]

HI,

I have just installed OpenVPN on my Ubuntu 10.04 as server and using TunnelBlick on my MBP as client to connect. The connection is established but the speed is terribly slow and also frequent disconnection although the vpn seems connected. Not sure which part causing these problems, can someone please help ?

I observed that when I did a ping from Ubuntu to google or other internet hosts, the ping will stop after 8 pings (like below), the same problem goes when I ping from MBP to Ubuntu.

Following was the result of ping from MBP to Ubuntu server :

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
Request timeout for icmp_seq 14
Request timeout for icmp_seq 15
Request timeout for icmp_seq 16
Request timeout for icmp_seq 17
Request timeout for icmp_seq 18
Request timeout for icmp_seq 19
Request timeout for icmp_seq 20
Request timeout for icmp_seq 21
Request timeout for icmp_seq 22
Request timeout for icmp_seq 23
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=24 ttl=64 time=137.990 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=25 ttl=64 time=117.641 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=26 ttl=64 time=218.006 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=27 ttl=64 time=117.540 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=28 ttl=64 time=137.387 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=29 ttl=64 time=137.994 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=30 ttl=64 time=127.679 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=31 ttl=64 time=137.088 ms
Request timeout for icmp_seq 32
Request timeout for icmp_seq 33
Request timeout for icmp_seq 34
Request timeout for icmp_seq 35
Request timeout for icmp_seq 36
Request timeout for icmp_seq 37
Request timeout for icmp_seq 38
Request timeout for icmp_seq 39
Request timeout for icmp_seq 40
Request timeout for icmp_seq 41

[Mimiko]

Hello.

Will gladly help if you will explain the things not related to OpenVPN more detailed and don't use shortcuts:
MBP - this is Mackbook Pro?

I don't use mac's so I have trouble understanding you.

For TunnelBlick (OpenVPN GUI for Mac) you can searc official site: http://code.google.com/p/tunnelblick/#D ... n_and_Help

I observed that when I did a ping from Ubuntu to google or other internet hosts, the ping will stop after 8 pings (like below), the same problem goes when I ping from MBP to Ubuntu.

Start with resolving connection stability on Ubuntu, before searching the problem with the client.

[kk2628]

Dear Mimiko,

Thank you for your response.

Without installing OpenVPN, the ping response from Ubuntu to some internet hosts like www.google.com, www.yahoo.com will get very fast and stable response. However, once I install the OpenVPN server on the Ubuntu, the ping to these hosts has become very slow and unstable. That is the reason I believe some network configuration problems have happened after installing OpenVPN.

I was following this excellent guide to install the OpenVPN server http://madisonlinux.org/InstallingOpenV ... ubuntu.pdf

And I am new to OpenVPN, the only log I look at is from the Tunnelblick (the client). How to troubleshoot the server OpenVPN ?

MBP = Macbook Pro, sorry for not putting into detail earlier as this was my habit when posting in MacForum.

[Mimiko]

Does internet instability on server apears when you the OpenVPN is started or not? Or may be when a client is connected.

Enter to your server with SSH and post /etc/network/interfaces, /etc/openvpn/*, /var/openvpn.log content of this files. Find where are them and show the OpenVPN config file you used and log from server. Also show routing table before and after starting OpenVPN.

[janjust]

I was following this excellent guide to install the OpenVPN server http://madisonlinux.org/InstallingOpenV ... ubuntu.pdf

it's great that you follow this guide, but they're making you use a bridged setup for OpenVPN; this means that you'll get hit by the bridge performancy penalty, plus most likely all traffic is forwarded via the VPN : I'm not surprised that your ping time get erratic.

Before setting up any VPN you have to think about what kind of traffic you want to tunnel; if the VPN is required only for web browsing (TCP traffic) then a bridged setup is overkill. A bridged setup is almost never necessary, unless you want to run some older games in LAN mode.

[kk2628]

I can confirm that after putting in the vpn interfaces file, the ping get "systematic erratic" result as below :

***************************** With VPN ************************************************
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.xxx.0 * 255.255.255.0 U 0 0 0 br0
192.168.xxx.0 * 255.255.255.0 U 2 0 0 wlan0
link-local * 255.255.0.0 U 1000 0 0 br0
default 192.168.xxx.1 0.0.0.0 UG 0 0 0 wlan0
default 192.168.xxx.1 0.0.0.0 UG 100 0 0 br0



PING www.l.google.com (209.85.175.105) 56(84) bytes of data.
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=1 ttl=56 time=6.64 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=2 ttl=56 time=4.86 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=3 ttl=56 time=7.72 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=4 ttl=56 time=6.31 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=5 ttl=56 time=9.70 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=6 ttl=56 time=6.30 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=7 ttl=56 time=7.84 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=8 ttl=56 time=6.92 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=32 ttl=56 time=6.41 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=33 ttl=56 time=5.65 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=34 ttl=56 time=5.98 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=35 ttl=56 time=8.29 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=36 ttl=56 time=6.24 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=37 ttl=56 time=10.9 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=38 ttl=56 time=6.36 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=39 ttl=56 time=5.85 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=63 ttl=56 time=6.75 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=64 ttl=56 time=7.28 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=65 ttl=56 time=10.0 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=66 ttl=56 time=7.26 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=67 ttl=56 time=6.86 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=68 ttl=56 time=7.36 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=69 ttl=56 time=6.86 ms
64 bytes from nx-in-f105.1e100.net (209.85.175.105): icmp_seq=70 ttl=56 time=51.4 ms
^C
--- www.l.google.com ping statistics ---
81 packets transmitted, 24 received, 70% packet loss, time 80470ms
rtt min/avg/max/mdev = 4.867/8.996/51.424/8.955 ms


When I changed back to the original interfaces file, the ping become normal again :

**************************** NO VPN ******************************************************
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.xxx.0 * 255.255.255.0 U 1 0 0 eth0
192.168.xxx.0 * 255.255.255.0 U 2 0 0 wlan0
link-local * 255.255.0.0 U 1000 0 0 eth0
default 192.168.xxx.1 0.0.0.0 UG 0 0 0 eth0


PING www.l.google.com (209.85.175.99) 56(84) bytes of data.
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=1 ttl=56 time=11.9 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=2 ttl=56 time=11.8 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=3 ttl=56 time=8.64 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=4 ttl=56 time=15.7 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=5 ttl=56 time=13.6 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=6 ttl=56 time=11.0 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=7 ttl=56 time=11.2 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=8 ttl=56 time=8.99 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=9 ttl=56 time=14.0 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=10 ttl=56 time=10.7 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=11 ttl=56 time=23.6 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=12 ttl=56 time=9.19 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=13 ttl=56 time=8.71 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=14 ttl=56 time=12.7 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=15 ttl=56 time=11.1 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=16 ttl=56 time=8.64 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=17 ttl=56 time=12.6 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=18 ttl=56 time=11.4 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=19 ttl=56 time=7.99 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=20 ttl=56 time=11.3 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=21 ttl=56 time=7.33 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=22 ttl=56 time=8.60 ms
64 bytes from nx-in-f99.1e100.net (209.85.175.99): icmp_seq=23 ttl=56 time=15.1 ms
^C
--- www.l.google.com ping statistics ---
23 packets transmitted, 23 received, 0% packet loss, time 22034ms
rtt min/avg/max/mdev = 7.334/11.586/23.649/3.410 ms

original interfaces file
auto lo
iface lo inet loopback


**** vpn interfaces file ****

auto br0
iface br0 inet static
address 192.168.xxx.11
netmask 255.255.255.0
gateway 192.168.xxx.1
bridge_ports eth0

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

I cannot find log under /var/log

[kk2628]

Basically my usage will be using VNC and some web surfing, and may be file copy from time to time. So, what is the appropriate config I should use ?

[janjust]

don't use a bridge, don't put any interface in promiscuous mode.
Try a simple setup such as

Code: Select all

proto udp
port 1194
dev tun
server 10.8.0.0 255.255.255.0
ca       ca.crt
cert     server.crt
key     server.key
dh       dh1024.pem
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60
user  nobody
group nobody

the basic OpenVPN HOWTO's will explain this in detail.

[kk2628]

Hi Janjust,

Thank you for your response.

I think this is the server config file, what about the /etc/network/interfaces file in Ubuntu 10.04 ?

Is there a sample /etc/network/interfaces file that I can refer to ? routed setup ? Better a documentation like the above, step-by-step.

Thanks

[janjust]

no clue here - I've never used the wicked Debian/Ubuntu interfaces file and I'm glad they dropped it in their latest version.
My guess would be that OpenVPN can start just fine without it being mentioned in the interfaces file. That file would be needed only to set up a bridge at system startup.

OpenVPN can come up by itself using the appropriate /etc/init.d/openvpn script.

[kk2628]

I have taken out the bridge config from the interfaces file and did some modification on the server.conf by changing tap to tun, by uncommenting server 10.8.0.0 255.255.255.0, comment off server-bridge, and the two script for up.sh and down.sh.

Should I change the 10.8.0.0 address to my server LAN ip ? i.e. 192.168.xxx.xxx ?

However, when I tried to connect, the following error display on my client : (ip address replaced by xxx)

2011-08-11 09:12:27 TCP/UDP: Incoming packet rejected from xxx.xxx.xxx.xxx:1024[2], expected peer address: xxx.xxx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)

On the server side, I got the [ECONNREFUSED] : Connection refused (code=111) message


Obviously there are some routing problems, but I have no clue where and what need to configure.

[kk2628]

OK, I managed to connect the VPN after adding "float" in the client config file. However, I am not sure about if this will create security concern.

Thank you everyone responded to this thread.

[tgiclas92]

I have the exact same problem here! I lost ping a lot, so rdp session is not ussable. It keeps reconecting all the time, I turned off lz compression, and now it's a little bit better. But I reconnecting session very often. Has anyone solved this?