Please help on following issue.
I am facing issues of frequent disconnection of realtime traffics such as voice, video, more specifically WhatsApp videocalls, and low throughput for some clients.
Scenario: Users (all are android users) traffic is NATted and routed through the OpenVPN server.
- User Internet connection has sufficient bandwidth and no congestion
- Server Internet Connection has Enough bandwidth and no congestion
- No Packet loss, no high latencies between user and server
- Most users who have this complaint are at mobile data network (4G/LTE)
- Users on Wifi (backend wired speed) complain less about this issue.
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1549'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
The one thing I noticed is TX dropped packets at tun interface of server
Server Config
port 7897
proto udp4
sndbuf 0
rcvbuf 0
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.253.192.0 255.255.192.0
ifconfig-pool-persist ipp.txt
# push "redirect-gateway def1 bypass-dhcp"
# push "dhcp-option DNS 46.166.139.84"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
txqueuelen 1000
keepalive 10 40
cipher AES-256-CBC
;max-clients 100
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
script-security 3
explicit-exit-notify 1
verify-client-cert none
mute-replay-warnings
username-as-common-name
auth-user-pass-verify some-script
client-connect some-script
client-disconnect some-script
up some-script
down some-script
proto udp4
sndbuf 0
rcvbuf 0
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.253.192.0 255.255.192.0
ifconfig-pool-persist ipp.txt
# push "redirect-gateway def1 bypass-dhcp"
# push "dhcp-option DNS 46.166.139.84"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
txqueuelen 1000
keepalive 10 40
cipher AES-256-CBC
;max-clients 100
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
script-security 3
explicit-exit-notify 1
verify-client-cert none
mute-replay-warnings
username-as-common-name
auth-user-pass-verify some-script
client-connect some-script
client-disconnect some-script
up some-script
down some-script
Client Config
client
dev tun
proto udp4
sndbuf 0
rcvbuf 0
remote serverIP serverPORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
redirect-gateway def1 block-local
auth-user-pass auth.cfg
verb 3
explicit-exit-notify 1
keepalive 10 40
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>