MTU / MSSFix / Fragment questions and help.

[Ryeuu]

Hello everyone,

Been having this issue for a while, but due to my low usage of the VPN, I have bared with it until now.
I use a VPN to route game traffic through my OpenVPN server, which then is sent to the game server. I believe the issue I am having has to do with fragmentation of packets. If I send a certain amount of data/packets (i.e spamming the attack key in a game) it will have stable latency and a solid connection. If I was to do multiple things (i.e jumping, moving and attacking at the same time), my ping will steadily rise at about 20 per second and the game then feels choppy and unstable. This eventually caps at a certain latency/ping, which tends to be close to 1.5x or 2x the normal latency. I can easily push 90/5 Mbits through this VPN while barely affecting latency, so I don't think bandwidth is an issue.

Here are my configs:

View OriginalServer Config

port 1194

proto udp

dev tun

ca ca.crt
cert server.crt
key server.key

dh dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

user nobody
group nogroup

cipher none

auth none

persist-key
persist-tun

sndbuf 393216
rcvbuf 393216

View OriginalClient Config

client

dev tun

proto udp

remote 210.16.121.6 1194

route 119.206.199.30
route 210.68.144.8
route 203.70.18.60
route 203.70.18.62
route 210.64.136.126
route 203.67.68.227
route 203.70.17.33
route 210.68.144.12

dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4

resolv-retry infinite

nobind

persist-key
persist-tun

ns-cert-type server

cipher none

auth none

sndbuf 393216
rcvbuf 393216

My WAN/Network (At home and at the server) MTU is 1492. Any more and it will fragment normally. I have tried multiple values of mssfix, fragment, link-mtu, tun-mtu. I have tried values based off mtu-test. I have also tried using "mtu-disc yes" but it appears to not be compatible on the client end, which is Windows 7 x64. I have also tried to use TCP, but my latency just rises dramatically (even while stable) and doesn't fix the issue. I've even tried using different ports for each protocol, but to no success.

Any help will be appreciated, especially in understanding the matter. If any more information is required, please let me know and I will provide it! Thank you everyone (:

EDIT: I would like to mention that I know a friend who's cousin overseas hosts OpenVPN servers similar to I do to route game traffic. He doesn't encounter the same issue (or at least he's fixed it), but as English isn't his native language, it was very hard to ask him about it. Definitely something to do with my end of things!

[TinCanTech]

I can easily push 90/5 Mbits through this VPN

please explain.

Also, diagram of your network might be interesting.

[Ryeuu]

I can easily push 90/5 Mbits through this VPN

please explain.

Also, diagram of your network might be interesting.

Of course!

With the current configs, if I was to "redirect-gateway" and push all internet traffic through it, I can get ~90 Down and ~5 Up (in megabits). Tested using multiple speedtest sites on the internet. If I was to add more compression or encryption, this drops down dramatically though.

I'm not too sure on to how to create the diagram (what it looks like) but I hope this is correct.



Client --(Game Traffic)--> OpenVPN Server --(Game Traffic)--> Internet --(Game Traffic)--> Game Server
Client --(Non-Game Traffic)--> Internet.

Thank you for replying (:

[Ryeuu]

I can no longer edit the original post so I will post extra information here:

The latency that is shown to be rising is IN-GAME (the in-game latency meter/display). If I was to manually ping all 4 IP's used by the game, the latency is stable no matter what I do. But in-game, it shows it isn't and definitely doesn't feel stable when using multiple inputs.

[Ryeuu]

I've been searching more and more on google, but can't find any extra results or help regarding MTU configuration. Or if it even is related to fragmenting for that matter. Would using TAP over TUN be better here? I've set up TAP VPN's for LAN gaming before due to the requirement of layer 2 broadcasting, but I didn't think that online games would require it. Any insight here?

[TinCanTech]

Would using TAP over TUN be better here?

Definitely not .. tun is more efficient than tap. Same with --proto UDP vs TCP, UDP is much faster.

if I was to "redirect-gateway" and push all internet traffic through it, I can get ~90 Down and ~5 Up (in megabits). Tested using multiple speedtest sites on the internet. If I was to add more compression or encryption, this drops down dramatically though

OK. 5mb up is crucial to your setup, all you can do is pay for more bandwidth. A LAN game would probably expect 100mbit but I think your game is designed to use the internet.

WRT all MTU settings (Also --mssfix & --fragment), unless you know what you are doing I would allow Openvpn to work this out itself. I doubt you have the sort of problem which can be effected by these settings.

WRT Performance,

• --nice may help, although it does not throw an error, I am not sure this makes any difference to windows. You can always use Windows Task manager to set high priority and/or CPU affinity.
• --mlock may help, again no error in windows, my test suggest it may make a tiny difference
• --fast-io may help but can only be used on *nix
• --verb 0 to limit log output to only fatal errors
• --sndbuf / --rcvbuf and --txqueuelen may help .. you will have to experiment
• --comp-lzo no and --comp-noadapt may help

Other ideas:
Static key and go even further by removing the static key (If security is of zero concern).

If your router supports openvpn then offload the VPN process to the router .. that is just a suggestion, I have no data to backup if it would work any faster.

[Ryeuu]

Thank you for the response, TinCanTech!

Would using TAP over TUN be better here?

Definitely not .. tun is more efficient than tap. Same with --proto UDP vs TCP, UDP is much faster.

Ah, I thought so. Yep, definitely keeping that UDP for gaming.

OK. 5mb up is crucial to your setup, all you can do is pay for more bandwidth. A LAN game would probably expect 100mbit but I think your game is designed to use the internet.

Oh, no no. I can push 5mb UP because my own/home internet is only 100/5 in speed. Using their server speed test, I'm able to get ~50Mbit UP, so I don't think that's an issue. Yep! The game is an online/internet game and not LAN.

WRT all MTU settings (Also --mssfix & --fragment), unless you know what you are doing I would allow Openvpn to work this out itself. I doubt you have the sort of problem which can be effected by these settings.

I see.. does OpenVPN work everything out without any extra commands like --mtu-test? Removing all MTU settings makes my issue even worse :/ If my problem isn't affected by MTU, I don't know what could possibly be affecting it.

WRT Performance,

• --nice may help, although it does not throw an error, I am not sure this makes any difference to windows. You can always use Windows Task manager to set high priority and/or CPU affinity.
• --mlock may help, again no error in windows, my test suggest it may make a tiny difference
• --fast-io may help but can only be used on *nix
• --verb 0 to limit log output to only fatal errors
• --sndbuf / --rcvbuf and --txqueuelen may help .. you will have to experiment
• --comp-lzo no and --comp-noadapt may help

I've tried/worked with affinity and priority before. Didn't seem to make a difference. CPU Usage on the OpenVPN Server didn't seem high either when in use. I'll give --fast-io a shot though. Everything else I've used already (sndbuf, rcvbuf, txqueuelen, comp-lzo, comp-noadapt).

Other ideas:
Static key and go even further by removing the static key (If security is of zero concern).

It definitely isn't, so I might give this a shot. I don't think I need anymore speed on the VPN, as it can forward so much data (90/50 mbit).

If your router supports openvpn then offload the VPN process to the router .. that is just a suggestion, I have no data to backup if it would work any faster.

Yes, actually! I flashed DD-WRT a while ago on my R7000. I was thinking about using my router as the OpenVPN Client instead, but as this VPN is not only for me (and my friend doesn't have an OpenVPN compatible router), I would prefer not to use it.

I also should've provided this information before, but was unable to edit and didn't want to spam the thread. My home client is in Perth and the OpenVPN Server is hosted on a VPS in Singapore. The game server is in Taiwan.

[TinCanTech]

My home client is in Perth and the OpenVPN Server is hosted on a VPS in Singapore. The game server is in Taiwan.

You realise how much of your problem is way beyond the scope of this Forum to help ..

[Ryeuu]

My home client is in Perth and the OpenVPN Server is hosted on a VPS in Singapore. The game server is in Taiwan.

You realise how much of your problem is way beyond the scope of this Forum to help ..

Hmm.. I don't quite get what you mean. Why is it way beyond the scope of this forum? I believe the issue only lies within my OpenVPN config. If I use an OpenVPN Server hosted by the same VPS company but with their own config, I don't get this issue. If I don't use OpenVPN (take whatever route my ISP gives me) this issue doesn't occur either, but the latency is higher (400ms compared to 100ms through OpenVPN). If throughput on the OpenVPN Server is high enough, what else could it be?

Sorry if I sound aggressive here, I'm just confused as to what the problem is, and the way you put it, it doesn't sound like it has to do with OpenVPN.

[TinCanTech]

I have been helping to support Openvpn for a number of years now and my experience of it is :-
Openvpn gives the maximum speed it can based on all the "parts" which are involved.

Do you have any idea of the number of "parts" there are between you and the game server ?

A very high level conservative abstracted guestimate:

• Your home network - minimum 3 parts
• Your ISP network - best guess 6 parts
• International links - best guess 6 parts
• Your remote VPN Service - best guess 7 parts
• International links - best guess 6 parts
• Game service - best guess 7 parts

But let's be honest that is a totally abstracted guestimate, in reality there are thousands of possible parts, none of which you have any knowledge of or influence over ..

I would like to mention that I know a friend who's cousin overseas hosts OpenVPN servers similar to I do to route game traffic. He doesn't encounter the same issue (or at least he's fixed it), but as English isn't his native language, it was very hard to ask him about it. Definitely something to do with my end of things!

That it works for your friend does not mean that it will work for you.

Sorry if I sound aggressive here, I'm just confused as to what the problem is, and the way you put it, it doesn't sound like it has to do with OpenVPN.

Exactly ..

I even overlook your alleged aggression as simple frustration .. the problem you have is that you only have limited (even insufficient) tools to achieve an extremely complex task.

I have provided all the options I can think of which Openvpn provides, the rest are beyond my scope.

[Ryeuu]

Ah, ohkay. That makes more sense now. Perhaps it was just frustration

Thank you for all the help. TinCanTech, I really appreciate it ^^.

[Ryeuu]

Sorry if I sound aggressive here, I'm just confused as to what the problem is, and the way you put it, it doesn't sound like it has to do with OpenVPN.

Exactly ..

Hey TinCanTech, sorry to bring up the thread again. I just tried tunneling my game traffic through the an SSH tunnel (tried SOCKS5 too) and the issue disappears. This is through the exact same VPS which has the OpenVPN Server on it. Does this mean that my problem is probably related to my OpenVPN configuration, or do all those parts still play a role? If it's too long of an explanation, a simple yes or no will do plenty! ^^

Thank you again,

[Ryeuu]

Alright, I think and hope I've narrowed it down some more. If I use different programs to tunnel my game traffic through the SSH tunnel, I get different results. For example: FreeCap and SocksCap produce the same problem that I get with OpenVPN. WideCap, ProxyCap and Proxifier do not. I've tested it through direct SSH tunnel + SOCKS5, PuTTy SSH Tunnel + SOCKS 5, Cygwin SSH Tunnel + SOCKS5 and just direct SSH tunnel by itself.

The only issue is I don't know what the difference is between these programs and the way they send their data.

TL;DR I still believe configuration is what is causing my OpenVPN issues.

[TinCanTech]

I just tried tunneling my game traffic through the an SSH tunnel (tried SOCKS5 too) and the issue disappears

An SSH Tunnel is not the same as a VPN.

This may give you a better picture:
https://community.openvpn.net/openvpn/w ... orks_Linux

[Ryeuu]

I just tried tunneling my game traffic through the an SSH tunnel (tried SOCKS5 too) and the issue disappears

An SSH Tunnel is not the same as a VPN.

This may give you a better picture:
https://community.openvpn.net/openvpn/w ... orks_Linux

Ah, I've seen this documentation before. It was how I fixed my long-time-ago issue of having really low throughput over OpenVPN. Yep, I definitely see the difference between an SSH tunnel and OpenVPN. So much more OpenVPN has to go through. Although, because I'm using --cipher none and --auth none, doesn't that remove the whole signing and encryption process, leaving only fragmenting related processes left?

I had another thought: Could it be possible that my game data is routing through the VPN to the gameserver, but the return data is going through the direct/normal connection? I'm not sure if having "route" on the client end also tells the return data to come through the VPN.

Thank you again for the response.

[TinCanTech]

Could it be possible that my game data is routing through the VPN to the gameserver, but the return data is going through the direct/normal connection?

No.

If SSH tunnel works then just use that .. stunnel is a very well maintained application.

[Ryeuu]

Could it be possible that my game data is routing through the VPN to the gameserver, but the return data is going through the direct/normal connection?

No.

If SSH tunnel works then just use that .. stunnel is a very well maintained application.

Alright, Thank you! I guess I'll stick with SSH tunnel and work with stunnel then. ^^. I'm using a SOCKS5 Proxy for now, but it seems slower than basic ssh tunneling so I'll give stunnel a try first. Thank you again for all your time and insight into my problem! ^^.