OpenVPN really slow with udp (tcp is ok)

irvine
OpenVpn Newbie
Posts: 4
Joined: Sun Oct 30, 2016 2:13 pm

OpenVPN really slow with udp (tcp is ok)

Post by irvine » Sun Oct 30, 2016 2:37 pm

Hello,

I use OpenVPN 2.4 (issue was there with older versions too) and speed over 'udp' is really slow.
Since 'tcp' adds unnecessary overhead, it would be nice to have 'udp' working.

Client: Windows 7 computer, OpenVPN 2.4 alpha2
Client config
client
redirect-gateway def1
dev tun
remote <hidden>

proto tcp (or udp)

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher AES-256-GCM

Server: Debian SID box, OpenVPN 2.4 alpha2
Server config
ca ca.crt
key server.key
cert server.crt
dh dh.pem

keepalive 10 60
persist-key
persist-tun
push "dhcp-option DNS <hidden>"
duplicate-cn
server <hidden>

proto tcp (or udp)
port <hidden>

dev tun0
persist-tun
cipher AES-256-GCM

Setup A: (speeds are without VPN)
Client <--8Mbps--> Internet <--200Mbps--> Server

Setup B:
Client <--1Gbps--> Internet <--200Mbps--> Server

OpenVPN speed benchmark:
  • Setup A, udp: 2Mbps
  • Setup A, tcp: 6-7Mbps
  • Setup B, udp: 20Mbps
  • Setup B, tcp: 110Mbps*
*I am very far from gigabit, but server CPU is at 80% (I might change to AES128). I guess cpu load + tcp is the limit in this case.

Any idea what I could try to have 'udp' work at reasonable speeds?

Thank you! :)

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN really slow with udp (tcp is ok)

Post by TinCanTech » Sun Oct 30, 2016 5:46 pm

You could try --mtu-test in the UDP client config .. post the results and your sanitized log at --verb 4 please.

irvine
OpenVpn Newbie
Posts: 4
Joined: Sun Oct 30, 2016 2:13 pm

Re: OpenVPN really slow with udp (tcp is ok)

Post by irvine » Sun Oct 30, 2016 6:36 pm

Here are a few logfiles:

Setup A, Client, UDP, --mtu-test:

Code:

NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1524,1424] remote->local=[1521,1424]
NOTE: This connection is unable to accommodate a UDP packet size of 1524. Consider using --fragment or --mssfix options as a workaround.

I read the man about fragment and mssfix but I think I did not understand how to use it properly.
I added the following on both Client and Server config:

Code:

fragment 1300
mssfix 1300

It actually makes things worse: speed (tcp download) is even slower than before.

--

Logfiles from my first config. No fragment or mssfix.

Setup A, Server, UDP:

Code:

us=145214 Current Parameter Settings:
us=145297   config = 'xxx.conf'
us=145323   mode = 1
us=145346   persist_config = DISABLED
us=145369   persist_mode = 1
us=145391   show_ciphers = DISABLED
us=145414   show_digests = DISABLED
us=145436   show_engines = DISABLED
us=145458   genkey = DISABLED
us=145481   key_pass_file = '[UNDEF]'
us=145503   show_tls_ciphers = DISABLED
us=145526   connect_retry_max = 0
us=145549 Connection profiles [0]:
us=145572   proto = udp
us=145595   local = '[UNDEF]'
us=145618   local_port = 'xxx'
us=145640   remote = '[UNDEF]'
us=145663   remote_port = 'xxx'
us=145685   remote_float = DISABLED
us=145708   bind_defined = DISABLED
us=145793   bind_local = ENABLED
us=145816   bind_ipv6_only = DISABLED
us=145839   connect_retry_seconds = 5
us=145861   connect_timeout = 120
us=145884   socks_proxy_server = '[UNDEF]'
us=145906   socks_proxy_port = '[UNDEF]'
us=145928   tun_mtu = 1500
us=145951   tun_mtu_defined = ENABLED
us=145973   link_mtu = 1500
us=145996   link_mtu_defined = DISABLED
us=146018   tun_mtu_extra = 0
us=146040   tun_mtu_extra_defined = DISABLED
us=146063   mtu_discover_type = -1
us=146085   fragment = 0
us=146108   mssfix = 1450
us=146152   explicit_exit_notification = 0
us=146175 Connection profiles END
us=146198   remote_random = DISABLED
us=146220   ipchange = '[UNDEF]'
us=146242   dev = 'xxx'
us=146265   dev_type = '[UNDEF]'
us=146288   dev_node = '[UNDEF]'
us=146310   lladdr = '[UNDEF]'
us=146333   topology = 1
us=146356   ifconfig_local = 'xxx'
us=146379   ifconfig_remote_netmask = 'xxx'
us=146401   ifconfig_noexec = DISABLED
us=146423   ifconfig_nowarn = DISABLED
us=146446   ifconfig_ipv6_local = '[UNDEF]'
us=146468   ifconfig_ipv6_netbits = 0
us=146490   ifconfig_ipv6_remote = '[UNDEF]'
us=146513   shaper = 0
us=146535   mtu_test = 0
us=146558   mlock = DISABLED
us=146580   keepalive_ping = 10
us=146603   keepalive_timeout = 60
us=146625   inactivity_timeout = 0
us=146648   ping_send_timeout = 10
us=146670   ping_rec_timeout = 120
us=146693   ping_rec_timeout_action = 2
us=146741   ping_timer_remote = DISABLED
us=146765   remap_sigusr1 = 0
us=146787   persist_tun = ENABLED
us=146810   persist_local_ip = DISABLED
us=146832   persist_remote_ip = DISABLED
us=146855   persist_key = ENABLED
us=146877   passtos = DISABLED
us=146900   resolve_retry_seconds = 1000000000
us=146922   resolve_in_advance = DISABLED
us=146954   username = '[UNDEF]'
us=146977   groupname = '[UNDEF]'
us=147000   chroot_dir = '[UNDEF]'
us=147023   cd_dir = '[UNDEF]'
us=147045   writepid = '[UNDEF]'
us=147067   up_script = '[UNDEF]'
us=147090   down_script = '[UNDEF]'
us=147112   down_pre = DISABLED
us=147134   up_restart = DISABLED
us=147156   up_delay = DISABLED
us=147178   daemon = DISABLED
us=147201   inetd = 0
us=147223   log = ENABLED
us=147246   suppress_timestamps = DISABLED
us=147268   machine_readable_output = DISABLED
us=147291   nice = 0
us=147314   verbosity = 4
us=147336   mute = 0
us=147382   gremlin = 0
us=147406   status_file = 'xxx'
us=147433   status_file_version = 1
us=147456   status_file_update_freq = 60
us=147479   occ = ENABLED
us=147501   rcvbuf = 0
us=147524   sndbuf = 0
us=147547   mark = 0
us=147569   sockflags = 0
us=147592   fast_io = DISABLED
us=147623   comp.alg = 0
us=147646   comp.flags = 0
us=147668   route_script = '[UNDEF]'
us=147691   route_default_gateway = '[UNDEF]'
us=147714   route_default_metric = 0
us=147736   route_noexec = DISABLED
us=147759   route_delay = 0
us=147781   route_delay_window = 30
us=147804   route_delay_defined = DISABLED
us=147826   route_nopull = DISABLED
us=147849   route_gateway_via_dhcp = DISABLED
us=147871   allow_pull_fqdn = DISABLED
us=147895   route xxx/xxx/default (not set)/default (not set)
us=147918   management_addr = '[UNDEF]'
us=147941   management_port = '[UNDEF]'
us=147964   management_user_pass = '[UNDEF]'
us=147987   management_log_history_cache = 250
us=148010   management_echo_buffer_size = 100
us=148033   management_write_peer_info_file = '[UNDEF]'
us=148055   management_client_user = '[UNDEF]'
us=148078   management_client_group = '[UNDEF]'
us=148100   management_flags = 0
us=148123   shared_secret_file = '[UNDEF]'
us=148146   key_direction = 0
us=148169   ciphername = 'AES-256-GCM'
us=148191   authname = 'SHA1'
us=148214   prng_hash = 'SHA1'
us=148236   prng_nonce_secret_len = 16
us=148259   keysize = 0
us=148282   engine = DISABLED
us=148304   replay = ENABLED
us=148327   mute_replay_warnings = DISABLED
us=148350   replay_window = 64
us=148372   replay_time = 15
us=148395   packet_id_file = '[UNDEF]'
us=148418   use_iv = ENABLED
us=148440   test_crypto = DISABLED
us=148462   tls_server = ENABLED
us=148484   tls_client = DISABLED
us=148518   key_method = 2
us=148541   ca_file = 'ca.crt'
us=148563   ca_path = '[UNDEF]'
us=148586   dh_file = 'dh.pem'
us=148608   cert_file = 'server.crt'
us=148631   extra_certs_file = '[UNDEF]'
us=148653   priv_key_file = 'server.key'
us=148676   pkcs12_file = '[UNDEF]'
us=148698   cipher_list = '[UNDEF]'
us=148721   tls_verify = '[UNDEF]'
us=148743   tls_export_cert = '[UNDEF]'
us=148766   verify_x509_type = 0
us=148788   verify_x509_name = '[UNDEF]'
us=148811   crl_file = '[UNDEF]'
us=148833   ns_cert_type = 0
us=148856   remote_cert_ku[i] = 0
us=148879   remote_cert_ku[i] = 0
us=148901   remote_cert_ku[i] = 0
us=148924   remote_cert_ku[i] = 0
us=148946   remote_cert_ku[i] = 0
us=148969   remote_cert_ku[i] = 0
us=148991   remote_cert_ku[i] = 0
us=149014   remote_cert_ku[i] = 0
us=149037   remote_cert_ku[i] = 0
us=149060   remote_cert_ku[i] = 0
us=149083   remote_cert_ku[i] = 0
us=149183   remote_cert_ku[i] = 0
us=149210   remote_cert_ku[i] = 0
us=149233   remote_cert_ku[i] = 0
us=149255   remote_cert_ku[i] = 0
us=149278   remote_cert_ku[i] = 0
us=149301   remote_cert_eku = '[UNDEF]'
us=149323   ssl_flags = 0
us=149346   tls_timeout = 2
us=149369   renegotiate_bytes = 0
us=149391   renegotiate_packets = 0
us=149413   renegotiate_seconds = 3600
us=149435   handshake_window = 60
us=149458   transition_window = 3600
us=149480   single_session = DISABLED
us=149503   push_peer_info = DISABLED
us=149525   tls_exit = DISABLED
us=149548   tls_auth_file = '[UNDEF]'
us=149572   server_network = xxx
us=149597   server_netmask = xxx
us=149621   server_network_ipv6 = ::
us=149644   server_netbits_ipv6 = 0
us=149668   server_bridge_ip = 0.0.0.0
us=149692   server_bridge_netmask = 0.0.0.0
us=149717   server_bridge_pool_start = 0.0.0.0
us=149741   server_bridge_pool_end = 0.0.0.0
us=149763   push_entry = 'dhcp-option DNS xxx'
us=149786   push_entry = 'dhcp-option DNS xxx'
us=149808   push_entry = 'route xxx'
us=149831   push_entry = 'topology net30'
us=149853   push_entry = 'ping 10'
us=149876   push_entry = 'ping-restart 60'
us=149898   ifconfig_pool_defined = ENABLED
us=149923   ifconfig_pool_start = xxx
us=149947   ifconfig_pool_end = xxx
us=149970   ifconfig_pool_netmask = 0.0.0.0
us=149993   ifconfig_pool_persist_filename = '[UNDEF]'
us=150016   ifconfig_pool_persist_refresh_freq = 600
us=150039   ifconfig_ipv6_pool_defined = DISABLED
us=150062   ifconfig_ipv6_pool_base = ::
us=150095   ifconfig_ipv6_pool_netbits = 0
us=150118   n_bcast_buf = 256
us=150141   tcp_queue_limit = 64
us=150164   real_hash_size = 256
us=150187   virtual_hash_size = 256
us=150209   client_connect_script = '[UNDEF]'
us=150232   learn_address_script = '[UNDEF]'
us=150254   client_disconnect_script = '[UNDEF]'
us=150277   client_config_dir = '[UNDEF]'
us=150300   ccd_exclusive = DISABLED
us=150323   tmp_dir = '/tmp'
us=150345   push_ifconfig_defined = DISABLED
us=150369   push_ifconfig_local = 0.0.0.0
us=150394   push_ifconfig_remote_netmask = 0.0.0.0
us=150417   push_ifconfig_ipv6_defined = DISABLED
us=150441   push_ifconfig_ipv6_local = ::/0
us=150465   push_ifconfig_ipv6_remote = ::
us=150487   enable_c2c = DISABLED
us=150510   duplicate_cn = ENABLED
us=150533   cf_max = 0
us=150556   cf_per = 0
us=150590   max_clients = 1024
us=150613   max_routes_per_client = 256
us=150636   auth_user_pass_verify_script = '[UNDEF]'
us=150659   auth_user_pass_verify_script_via_file = DISABLED
us=150682   port_share_host = '[UNDEF]'
us=150720   port_share_port = '[UNDEF]'
us=150744   client = DISABLED
us=150767   pull = DISABLED
us=150790   auth_user_pass_file = '[UNDEF]'
us=150815 OpenVPN 2.4_alpha2 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [IPv6] built on xxx
us=150857 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
us=151510 Diffie-Hellman initialized with 2048 bit key
us=152323 TLS-Auth MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
us=152634 ROUTE_GATEWAY xxx/xxx IFACE=xxx HWADDR=xxx
us=153103 TUN/TAP device xxx opened
us=153165 TUN/TAP TX queue length set to 100
us=153200 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
us=153243 /sbin/ifconfig xxx xxx pointopoint xxx mtu 1500
us=155748 /sbin/route add -net xxx netmask xxx gw xxx
us=156821 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=156885 Could not determine IPv4/IPv6 protocol. Using AF_INET
us=156922 Socket Buffers: R=[212992->212992] S=[212992->212992]
us=156957 UDPv4 link local (bound): [AF_INET][undef]:xxx
us=156980 UDPv4 link remote: [AF_UNSPEC]
us=157009 MULTI: multi_init called, r=256 v=256
us=157077 IFCONFIG POOL: base=xxx size=30, ipv6=0
us=157136 Initialization Sequence Completed
us=83409 MULTI: multi_create_instance called
us=83556 xxx:xxx Re-using SSL/TLS context
us=83732 xxx:xxx Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
us=83785 xxx:xxx Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=83851 xxx:xxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
us=83890 xxx:xxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
us=83984 xxx:xxx TLS: Initial packet from [AF_INET]xxx:xxx, sid=dc9e67ba 6f034555
us=252154 xxx:xxx VERIFY OK: xxx
us=253119 xxx:xxx VERIFY OK: xxx
us=290404 xxx:xxx peer info: IV_VER=2.4_alpha2
us=290478 xxx:xxx peer info: IV_PLAT=win
us=290504 xxx:xxx peer info: IV_PROTO=2
us=290528 xxx:xxx peer info: IV_NCP=2
us=290551 xxx:xxx peer info: IV_LZ4=1
us=290575 xxx:xxx peer info: IV_LZ4v2=1
us=290598 xxx:xxx peer info: IV_LZO=1
us=290622 xxx:xxx peer info: IV_COMP_STUB=1
us=290645 xxx:xxx peer info: IV_COMP_STUBv2=1
us=290669 xxx:xxx peer info: IV_TCPNL=1
us=290692 xxx:xxx peer info: IV_RGI6=1
us=290762 xxx:xxx peer info: IV_GUI_VER=OpenVPN_GUI_11
us=313785 xxx:xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
us=313879 xxx:xxx [client] Peer Connection Initiated with [AF_INET]xxx
us=313932 client/xxx:xxx MULTI_sva: pool returned IPv4=xxx, IPv6=(Not enabled)
us=314020 client/xxx:xxx MULTI: Learn: xxx -> client/xxx
us=314047 client/xxx:xxx MULTI: primary virtual IP for client/xxx: xxx
us=548256 client/xxx:xxx PUSH: Received control message: 'PUSH_REQUEST'
us=548860 client/xxx:xxx send_push_reply(): safe_cap=940
us=549467 client/xxx:xxx SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS xxx,dhcp-option DNS xxx,route xxx,topology net30,ping 10,ping-restart 60,ifconfig xxx xxx,peer-id 0,cipher AES-256-GCM' (status=1)
us=549537 client/xxx:xxx Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
us=549692 client/xxx:xxx Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
us=549724 client/xxx:xxx Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
us=667132 client/xxx:xxx MULTI: bad source address from client [::], packet dropped
us=218274 event_wait : Interrupted system call (code=4)
us=218742 TCP/UDP: Closing socket
us=218851 /sbin/route del -net xxx netmask xxx
us=220264 Closing TUN/TAP interface
us=220346 /sbin/ifconfig xxx 0.0.0.0
us=252899 SIGINT[hard,] received, process exiting

Setup A, Client, UDP:

Code:

us=486219 Current Parameter Settings:
us=487219   config = 'xxx'
us=487219   mode = 0
us=487219   show_ciphers = DISABLED
us=487219   show_digests = DISABLED
us=487219   show_engines = DISABLED
us=487219   genkey = DISABLED
us=487219   key_pass_file = '[UNDEF]'
us=487219   show_tls_ciphers = DISABLED
us=487219   connect_retry_max = 0
us=487219 Connection profiles [0]:
us=487219   proto = udp
us=487219   local = '[UNDEF]'
us=487219   local_port = '[UNDEF]'
us=487219   remote = 'xxx'
us=487219   remote_port = 'xxx'
us=487219   remote_float = DISABLED
us=487219   bind_defined = DISABLED
us=487219   bind_local = DISABLED
us=487219   bind_ipv6_only = DISABLED
us=487219   connect_retry_seconds = 5
us=487219   connect_timeout = 120
us=487219   socks_proxy_server = '[UNDEF]'
us=487219   socks_proxy_port = '[UNDEF]'
us=487219   tun_mtu = 1500
us=487219   tun_mtu_defined = ENABLED
us=487219   link_mtu = 1500
us=487219   link_mtu_defined = DISABLED
us=487219   tun_mtu_extra = 0
us=487219   tun_mtu_extra_defined = DISABLED
us=487219   mtu_discover_type = -1
us=487219   fragment = 0
us=487219   mssfix = 1450
us=487219   explicit_exit_notification = 0
us=487219 Connection profiles END
us=487219   remote_random = DISABLED
us=487219   ipchange = '[UNDEF]'
us=487219   dev = 'tun'
us=488219   dev_type = '[UNDEF]'
us=488219   dev_node = '[UNDEF]'
us=488219   lladdr = '[UNDEF]'
us=488219   topology = 1
us=488219   ifconfig_local = '[UNDEF]'
us=488219   ifconfig_remote_netmask = '[UNDEF]'
us=488219   ifconfig_noexec = DISABLED
us=488219   ifconfig_nowarn = DISABLED
us=488219   ifconfig_ipv6_local = '[UNDEF]'
us=488219   ifconfig_ipv6_netbits = 0
us=488219   ifconfig_ipv6_remote = '[UNDEF]'
us=488219   shaper = 0
us=488219   mtu_test = 0
us=488219   mlock = DISABLED
us=488219   keepalive_ping = 0
us=488219   keepalive_timeout = 0
us=488219   inactivity_timeout = 0
us=488219   ping_send_timeout = 0
us=488219   ping_rec_timeout = 0
us=488219   ping_rec_timeout_action = 0
us=488219   ping_timer_remote = DISABLED
us=488219   remap_sigusr1 = 0
us=488219   persist_tun = ENABLED
us=488219   persist_local_ip = DISABLED
us=488219   persist_remote_ip = DISABLED
us=488219   persist_key = ENABLED
us=488219   passtos = DISABLED
us=488219   resolve_retry_seconds = 1000000000
us=488219   resolve_in_advance = DISABLED
us=488219   username = '[UNDEF]'
us=488219   groupname = '[UNDEF]'
us=488219   chroot_dir = '[UNDEF]'
us=488219   cd_dir = '[UNDEF]'
us=488219   writepid = '[UNDEF]'
us=488219   up_script = '[UNDEF]'
us=488219   down_script = '[UNDEF]'
us=488219   down_pre = DISABLED
us=488219   up_restart = DISABLED
us=488219   up_delay = DISABLED
us=488219   daemon = DISABLED
us=488219   inetd = 0
us=488219   log = ENABLED
us=488219   suppress_timestamps = DISABLED
us=488219   machine_readable_output = DISABLED
us=488219   nice = 0
us=488219   verbosity = 4
us=488219   mute = 0
us=488219   gremlin = 0
us=488219   status_file = '[UNDEF]'
us=488219   status_file_version = 1
us=488219   status_file_update_freq = 60
us=488219   occ = ENABLED
us=488219   rcvbuf = 0
us=488219   sndbuf = 0
us=488219   sockflags = 0
us=488219   fast_io = DISABLED
us=488219   comp.alg = 0
us=488219   comp.flags = 0
us=488219   route_script = '[UNDEF]'
us=488219   route_default_gateway = '[UNDEF]'
us=488219   route_default_metric = 0
us=488219   route_noexec = DISABLED
us=488219   route_delay = 5
us=488219   route_delay_window = 30
us=488219   route_delay_defined = ENABLED
us=488219   route_nopull = DISABLED
us=488219   route_gateway_via_dhcp = DISABLED
us=488219   allow_pull_fqdn = DISABLED
us=488219   [redirect_default_gateway local=0]
us=488219   management_addr = 'xxx'
us=488219   management_port = 'xxx'
us=488219   management_user_pass = 'stdin'
us=488219   management_log_history_cache = 250
us=488219   management_echo_buffer_size = 100
us=488219   management_write_peer_info_file = '[UNDEF]'
us=488219   management_client_user = '[UNDEF]'
us=488219   management_client_group = '[UNDEF]'
us=488219   management_flags = 6
us=488219   shared_secret_file = '[UNDEF]'
us=488219   key_direction = 0
us=488219   ciphername = 'AES-256-GCM'
us=488219   authname = 'SHA1'
us=488219   prng_hash = 'SHA1'
us=488219   prng_nonce_secret_len = 16
us=488219   keysize = 0
us=488219   engine = DISABLED
us=488219   replay = ENABLED
us=488219   mute_replay_warnings = DISABLED
us=488219   replay_window = 64
us=488219   replay_time = 15
us=488219   packet_id_file = '[UNDEF]'
us=488219   use_iv = ENABLED
us=488219   test_crypto = DISABLED
us=488219   tls_server = DISABLED
us=488219   tls_client = ENABLED
us=488219   key_method = 2
us=488219   ca_file = 'ca.crt'
us=488219   ca_path = '[UNDEF]'
us=488219   dh_file = '[UNDEF]'
us=488219   cert_file = 'client.crt'
us=488219   extra_certs_file = '[UNDEF]'
us=488219   priv_key_file = 'client.key'
us=488219   pkcs12_file = '[UNDEF]'
us=488219   cryptoapi_cert = '[UNDEF]'
us=488219   cipher_list = '[UNDEF]'
us=488219   tls_verify = '[UNDEF]'
us=488219   tls_export_cert = '[UNDEF]'
us=488219   verify_x509_type = 0
us=488219   verify_x509_name = '[UNDEF]'
us=488219   crl_file = '[UNDEF]'
us=488219   ns_cert_type = 1
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_ku[i] = 0
us=488219   remote_cert_eku = '[UNDEF]'
us=488219   ssl_flags = 0
us=488219   tls_timeout = 2
us=488219   renegotiate_bytes = 0
us=488219   renegotiate_packets = 0
us=488219   renegotiate_seconds = 3600
us=488219   handshake_window = 60
us=488219   transition_window = 3600
us=488219   single_session = DISABLED
us=488219   push_peer_info = DISABLED
us=488219   tls_exit = DISABLED
us=488219   tls_auth_file = '[UNDEF]'
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_protected_authentication = DISABLED
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_private_mode = 00000000
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_cert_private = DISABLED
us=488219   pkcs11_pin_cache_period = -1
us=488219   pkcs11_id = '[UNDEF]'
us=488219   pkcs11_id_management = DISABLED
us=488219   server_network = 0.0.0.0
us=488219   server_netmask = 0.0.0.0
us=488219   server_network_ipv6 = ::
us=488219   server_netbits_ipv6 = 0
us=488219   server_bridge_ip = 0.0.0.0
us=488219   server_bridge_netmask = 0.0.0.0
us=489219   server_bridge_pool_start = 0.0.0.0
us=489219   server_bridge_pool_end = 0.0.0.0
us=489219   ifconfig_pool_defined = DISABLED
us=489219   ifconfig_pool_start = 0.0.0.0
us=489219   ifconfig_pool_end = 0.0.0.0
us=489219   ifconfig_pool_netmask = 0.0.0.0
us=489219   ifconfig_pool_persist_filename = '[UNDEF]'
us=489219   ifconfig_pool_persist_refresh_freq = 600
us=489219   ifconfig_ipv6_pool_defined = DISABLED
us=489219   ifconfig_ipv6_pool_base = ::
us=489219   ifconfig_ipv6_pool_netbits = 0
us=489219   n_bcast_buf = 256
us=489219   tcp_queue_limit = 64
us=489219   real_hash_size = 256
us=489219   virtual_hash_size = 256
us=489219   client_connect_script = '[UNDEF]'
us=489219   learn_address_script = '[UNDEF]'
us=489219   client_disconnect_script = '[UNDEF]'
us=489219   client_config_dir = '[UNDEF]'
us=489219   ccd_exclusive = DISABLED
us=489219   tmp_dir = 'xxx'
us=489219   push_ifconfig_defined = DISABLED
us=489219   push_ifconfig_local = 0.0.0.0
us=489219   push_ifconfig_remote_netmask = 0.0.0.0
us=489219   push_ifconfig_ipv6_defined = DISABLED
us=489219   push_ifconfig_ipv6_local = ::/0
us=489219   push_ifconfig_ipv6_remote = ::
us=489219   enable_c2c = DISABLED
us=489219   duplicate_cn = DISABLED
us=489219   cf_max = 0
us=489219   cf_per = 0
us=489219   max_clients = 1024
us=489219   max_routes_per_client = 256
us=489219   auth_user_pass_verify_script = '[UNDEF]'
us=489219   auth_user_pass_verify_script_via_file = DISABLED
us=489219   client = ENABLED
us=489219   pull = ENABLED
us=489219   auth_user_pass_file = '[UNDEF]'
us=489219   show_net_up = DISABLED
us=489219   route_method = 3
us=489219   block_outside_dns = DISABLED
us=489219   ip_win32_defined = DISABLED
us=489219   ip_win32_type = 3
us=489219   dhcp_masq_offset = 0
us=489219   dhcp_lease_time = 31536000
us=489219   tap_sleep = 0
us=489219   dhcp_options = DISABLED
us=489219   dhcp_renew = DISABLED
us=489219   dhcp_pre_release = DISABLED
us=489219   dhcp_release = DISABLED
us=489219   domain = '[UNDEF]'
us=489219   netbios_scope = '[UNDEF]'
us=489219   netbios_node_type = 0
us=489219   disable_nbt = DISABLED
us=489219 OpenVPN 2.4_alpha2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [IPv6] built on Oct 20 2016
us=489219 Windows version 6.1 (Windows 7) 64bit
us=489219 library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09
:
us=489219 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:xxx
us=489219 Need hold release from management interface, waiting...
us=961246 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:xxx
us=63252 MANAGEMENT: CMD 'state on'
us=63252 MANAGEMENT: CMD 'log all on'
us=149257 MANAGEMENT: CMD 'hold off'
us=150257 MANAGEMENT: CMD 'hold release'
us=253263 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
us=253263 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
us=253263 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
us=253263 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
us=253263 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx
us=253263 Socket Buffers: R=[8192->8192] S=[8192->8192]
us=253263 UDP link local: (not bound)
us=253263 UDP link remote: [AF_INET]xxx
us=253263 MANAGEMENT: >STATE:1477850917,WAIT,,,,,,
us=277264 MANAGEMENT: >STATE:1477850917,AUTH,,,,,,
us=277264 TLS: Initial packet from [AF_INET]xxx, sid=69989cf4 1c59e53c
us=357269 VERIFY OK: xxx
us=358269 VERIFY OK: nsCertType=SERVER
us=358269 VERIFY OK: xxx
us=483276 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
us=483276 [server] Peer Connection Initiated with [AF_INET]xxx
us=718347 MANAGEMENT: >STATE:1477850918,GET_CONFIG,,,,,,
us=718347 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
us=742348 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS xxx,dhcp-option DNS xxx,route xxx,topology net30,ping 10,ping-restart 60,ifconfig xxx xxx,peer-id 0,cipher AES-256-GCM'
us=743348 OPTIONS IMPORT: timers and/or timeouts modified
us=743348 OPTIONS IMPORT: --ifconfig/up options modified
us=743348 OPTIONS IMPORT: route options modified
us=743348 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
us=743348 OPTIONS IMPORT: peer-id set
us=743348 OPTIONS IMPORT: adjusting link_mtu to 1624
us=743348 OPTIONS IMPORT: data channel crypto options modified
us=743348 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
us=743348 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
us=743348 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
us=743348 interactive service msg_channel=360
us=747348 ROUTE_GATEWAY xxx/xxx I=11 HWADDR=xxx
us=772350 open_tun
us=772350 TAP-WIN32 device [xxx] opened: \\.\Global\{xxx}.tap
us=773350 TAP-Windows Driver Version 9.21 
us=773350 TAP-Windows MTU=1500
us=774350 Notified TAP-Windows driver to set a DHCP IP/netmask of xxx/xxx2 on interface {xxx} [DHCP-serv: xxx, lease-time: 31536000]
us=774350 DHCP option string: xxx
us=774350 Successful ARP Flush on interface [19] {xxx}
us=784351 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
us=784351 MANAGEMENT: >STATE:1477850918,ASSIGN_IP,,xxx,,,,
us=75653 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
us=75653 C:\Windows\system32\route.exe ADD xxx MASK xxx xxx
us=79653 Route addition via service succeeded
us=80653 C:\Windows\system32\route.exe ADD xxx MASK xxx xxx
us=84654 Route addition via service succeeded
us=85654 C:\Windows\system32\route.exe ADD xxx MASK xxx xxx
us=89654 Route addition via service succeeded
us=89654 MANAGEMENT: >STATE:1477850924,ADD_ROUTES,,,,,,
us=89654 C:\Windows\system32\route.exe ADD xxx MASK xxx xxx
us=93654 Route addition via service succeeded
us=93654 Initialization Sequence Completed
us=93654 MANAGEMENT: >STATE:1477850924,CONNECTED,SUCCESS,xxx,xxx,xxx,,
us=939446 TCP/UDP: Closing socket
us=939446 C:\Windows\system32\route.exe DELETE xxx MASK xxx xxx
us=941446 Route deletion via service succeeded
us=941446 C:\Windows\system32\route.exe DELETE xxx MASK xxx xxx
us=943446 Route deletion via service succeeded
us=943446 C:\Windows\system32\route.exe DELETE xxx MASK xxx xxx
us=946447 Route deletion via service succeeded
us=946447 C:\Windows\system32\route.exe DELETE xxx MASK xxx xxx
us=947447 Route deletion via service succeeded
us=948447 Closing TUN/TAP interface
us=948447 SIGTERM[hard,] received, process exiting
us=948447 MANAGEMENT: >STATE:1477850937,EXITING,SIGTERM,,,,,

irvine
OpenVpn Newbie
Posts: 4
Joined: Sun Oct 30, 2016 2:13 pm

Re: OpenVPN really slow with udp (tcp is ok)

Post by irvine » Sun Oct 30, 2016 6:44 pm

Here are a few logfiles:

Setup A, Client, UDP, --mtu-test:

Code:

NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1524,1424] remote->local=[1521,1424]
NOTE: This connection is unable to accommodate a UDP packet size of 1524. Consider using --fragment or --mssfix options as a workaround.

I read the man about fragment and mssfix but I think I did not understand how to use it properly.
I added the following on both Client and Server config:

Code:

fragment 1300
mssfix 1300

It actually makes things worse: speed (tcp download) is even slower than before.

======

Logfiles from my first config. No fragment or mssfix.
On pastebin because forum thinks it is spam: http://pastebin.com/Uzy3k1sT

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN really slow with udp (tcp is ok)

Post by TinCanTech » Sun Oct 30, 2016 10:22 pm

It looks like you have a network problem .. check that your devices are correctly configured.
Also, make sure they are up to date with firmware and not broken.

irvine
OpenVpn Newbie
Posts: 4
Joined: Sun Oct 30, 2016 2:13 pm

Re: OpenVPN really slow with udp (tcp is ok)

Post by irvine » Mon Oct 31, 2016 10:06 pm

Without OpenVPN I have no network issues.
The speeds I gave in setup A and B are actual speeds (tested with udp&tcp iperf).

I started to play with sndbuf and rcvbuf. udp speeds are better with:

Code:

sndbuf 393216;
rcvbuf 393216;
push "sndbuf 393216";
push "rcvbuf 393216";

Is there a script/switch to automatically tune these numbers?

iswearimnotalurker
OpenVpn Newbie
Posts: 1
Joined: Sat Dec 16, 2017 11:26 am

Re: OpenVPN really slow with udp (tcp is ok)

Post by iswearimnotalurker » Sat Dec 16, 2017 11:44 am

Code:

sndbuf 393216;
rcvbuf 393216;
push "sndbuf 393216";
push "rcvbuf 393216";

This actually made my stuff work, EVEN IF MY PROBLEMATIC CASE WAS ON TCP.
I own a little OpenVPN server running on a Raspberry PI3 and now I get 71 Mbps downlink and 16Mbps uplink. Download is limited due to the CPU's capacity. Right now, my configuration is the following:

Code:

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
#cipher AES-256-CBC <<<---- lowers the speed to around 50Mbps, still not bad tho
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
tun-mtu 9000

It feels so weird that such a problem about the default configuration of a buffer still exists.

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf with OpenSSL 1.0.2l

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN really slow with udp (tcp is ok)

Post by TinCanTech » Sat Dec 16, 2017 1:05 pm

The default buffer size is set by the operating system not openvpn ..
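
Added example (not part of any post in this thread, and not OpenVPN project code): a small Python parser that reads the `Socket Buffers`, `link-mtu` and `--mtu-test` lines from a `--verb 4` log and reports the buffer sizes actually in effect and how many full-size tunnel datagrams they can hold. The sample lines are copied from the logs above; the function names and the 64 KiB flagging threshold are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input built from lines that appear in the client and server logs of this thread.
CLIENT_LOG = """\
us=253263 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
us=253263 Socket Buffers: R=[8192->8192] S=[8192->8192]
NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1524,1424] remote->local=[1521,1424]
"""
SERVER_LOG = """\
us=83851 xxx:xxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
us=156922 Socket Buffers: R=[212992->212992] S=[212992->212992]
"""

# "R=[old->new] S=[old->new]": size before and after OpenVPN applied rcvbuf/sndbuf.
SOCKBUF_RE = re.compile(r"Socket Buffers: R=\[(\d+)->(\d+)\] S=\[(\d+)->(\d+)\]")
LINK_MTU_RE = re.compile(r"Local Options String.*?link-mtu (\d+)")
MTU_TEST_RE = re.compile(
    r"Empirical MTU test completed.*?local->remote=\[(\d+),(\d+)\] "
    r"remote->local=\[(\d+),(\d+)\]"
)

# Assumption for this example only: flag buffers smaller than 64 KiB.
MIN_BUF = 64 * 1024


@dataclass
class Report:
    rcvbuf: Optional[int] = None           # receive buffer in effect (bytes)
    sndbuf: Optional[int] = None           # send buffer in effect (bytes)
    os_default_kept: Optional[bool] = None  # True when old == new on both sides
    link_mtu: Optional[int] = None         # from the Local Options String
    path_limit: Optional[int] = None       # smallest "Actual" from --mtu-test
    findings: List[str] = field(default_factory=list)


def headroom(buf_bytes: int, link_mtu: int) -> int:
    """Upper bound on full-size tunnel datagrams a socket buffer can queue.

    Kernel bookkeeping overhead makes the real number lower.
    """
    return buf_bytes // link_mtu


def analyse(log: str, min_buf: int = MIN_BUF) -> Report:
    """Extract buffer and MTU facts from one endpoint's log text."""
    rep = Report()

    m = SOCKBUF_RE.search(log)
    if m:
        r_old, r_new, s_old, s_new = map(int, m.groups())
        rep.rcvbuf, rep.sndbuf = r_new, s_new
        rep.os_default_kept = (r_old == r_new and s_old == s_new)
        if min(r_new, s_new) < min_buf:
            rep.findings.append("small-socket-buffer")

    m = LINK_MTU_RE.search(log)
    if m:
        rep.link_mtu = int(m.group(1))

    m = MTU_TEST_RE.search(log)
    if m:
        out_try, out_ok, in_try, in_ok = map(int, m.groups())
        rep.path_limit = min(out_ok, in_ok)
        if out_ok < out_try or in_ok < in_try:
            rep.findings.append("path-mtu-below-tested-size")

    return rep


if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        rep = analyse(log)
        print(name, rep)
        if rep.rcvbuf and rep.link_mtu:
            print("  receive buffer holds at most",
                  headroom(rep.rcvbuf, rep.link_mtu), "full-size datagrams")
    # The value tried later in the thread, at the same link-mtu:
    print("393216 bytes holds at most", headroom(393216, 1549), "datagrams")
```

On the thread's logs this shows the Windows client left at 8192-byte buffers (room for about 5 datagrams at link-mtu 1549) against 212992 bytes on the Debian server, which is the gap the `sndbuf`/`rcvbuf` settings closed.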
