Periodic packet loss through VPN
Posted: Wed Sep 15, 2021 6:11 am
Hi all,
A picture says a thousand words: https://pasteboard.co/TSqy8WxHmXmZ.png
A quick description of my set up:
-Latest version of OpenVPN AS running as a virtual machine on Hyper-V running on a Windows Server 2016 box.
-1.5GB RAM, 1 vCPU
-2 NICs for the VM, one used for admin, one for VPN connections
-Internal network (LAN) is 192.168.0.0/24
-NAT enabled
Generally no issues with connecting or name resolution. I have LDAP integrated authentication and Google Authenticator enabled.
The issue: I have packet loss through the VPN in a very cyclic and periodic manner to a server on the internal LAN (I also get the same packet loss to the 172.27 gateway from the VPN client, so it's not that particular server). After a reboot or making other parameter changes (e.g. mssfix 1430), things sometimes get better but then it goes back to misbehaving after a while. Pinging the public IP of my company router and pinging from the Windows Server (as well as the OpenVPN Linux machine) to the internet reveals no problems. This is purely a VPN tunnel thing. Happens with just one user connected and no other traffic load. That is to say the server and connection are idle at the time I tested (out of hours). This is for a small company of 15 people.
Things I have tried:
-Converted Hyper-V virtual NIC from standard type to 'Legacy' type
-Set mssfix 1430
-v2 clients as well as v3
uname:
root@openvpnas2:/usr/local/openvpn_as/scripts# uname -a
Linux openvpnas2 4.15.0-109-generic #110-Ubuntu SMP Tue Jun 23 02:39:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Config:
root@openvpnas2:/usr/local/openvpn_as/scripts# ./sacli ConfigQuery
{
"admin_ui.https.ip_address": "eth1",
"admin_ui.https.port": "7943",
"aui.eula_version": "2",
"auth.ldap.0.add_req": "memberOf=CN=OPENVPN_USERS, CN=Users, DC=***, DC=local",
"auth.ldap.0.bind_dn": "OPENVPN_USR",
"auth.ldap.0.bind_pw": "***",
"auth.ldap.0.case_sensitive": "false",
"auth.ldap.0.name": "My LDAP servers",
"auth.ldap.0.server.0.host": "192.168.0.45",
"auth.ldap.0.ssl_verify": "internal",
"auth.ldap.0.timeout": "4",
"auth.ldap.0.uname_attr": "sAMAccountName",
"auth.ldap.0.use_ssl": "never",
"auth.ldap.0.users_base_dn": "DC=***, DC=local",
"auth.module.type": "ldap",
"auth.pam.0.service": "openvpnas",
"auth.radius.0.acct_enable": "false",
"auth.radius.0.name": "My Radius servers",
"cs.cws_proto_v2": "true",
"cs.https.ip_address": "eth1",
"cs.https.port": "7943",
"cs.prof_sign_web": "true",
"cs.ssl_method": "SSLv3",
"cs.tls_version_min": "1.1",
"host.name": "***",
"sa.initial_run_groups.0": "web_group",
"sa.initial_run_groups.1": "openvpn_group",
"subscription.bundle": "=",
"subscription.saved_state": "SUBSCRIPTION_OK,***",
"vpn.client.basic": "false",
"vpn.client.cipher": "AES-256-CBC",
"vpn.client.config_text": "dhcp-option DNS 192.168.0.45",
"vpn.client.routing.inter_client": "false",
"vpn.client.routing.reroute_dns": "custom",
"vpn.client.routing.reroute_gw": "false",
"vpn.client.routing.superuser_c2c_access": "false",
"vpn.daemon.0.client.netmask_bits": "20",
"vpn.daemon.0.client.network": "172.27.224.0",
"vpn.daemon.0.listen.ip_address": "eth0",
"vpn.daemon.0.listen.port": "7443",
"vpn.daemon.0.listen.protocol": "tcp",
"vpn.daemon.0.server.ip_address": "eth0",
"vpn.general.osi_layer": "3",
"vpn.server.cipher": "AES-256-CBC",
"vpn.server.config_text": "push \"dhcp-option DNS 192.168.0.45\"\nmssfix 1430",
"vpn.server.daemon.enable": "true",
"vpn.server.daemon.ovpndco": "false",
"vpn.server.daemon.protocols": "both",
"vpn.server.daemon.tcp.n_daemons": "1",
"vpn.server.daemon.tcp.port": "443",
"vpn.server.daemon.udp.n_daemons": "1",
"vpn.server.daemon.udp.port": "1194",
"vpn.server.dhcp_option.adapter_domain_suffix": "***.local",
"vpn.server.dhcp_option.dns.0": "192.168.0.45",
"vpn.server.duplicate_cn": "true",
"vpn.server.foreign_bridge": "",
"vpn.server.google_auth.enable": "true",
"vpn.server.group_pool.0": "172.27.240.0/20",
"vpn.server.lockout_policy.reset_time": "2",
"vpn.server.port_share.enable": "true",
"vpn.server.port_share.ip_address": "1.2.3.4",
"vpn.server.port_share.port": "1234",
"vpn.server.port_share.service": "client",
"vpn.server.routing.gateway_access": "true",
"vpn.server.routing.private_access": "nat",
"vpn.server.routing.private_network.0": "192.168.0.0/24",
"vpn.server.tls_auth": "true",
"vpn.server.tls_version_min": "1.2",
"vpn.tls_refresh.do_reauth": "true",
"vpn.tls_refresh.interval": "360"
}
ifconfig:
root@openvpnas2:/usr/local/openvpn_as/scripts# ifconfig
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.27.224.1 netmask 255.255.248.0 destination 172.27.224.1
inet6 fe80::5270:fbb:18a1:8c7 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 960 (960.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.27.232.1 netmask 255.255.248.0 destination 172.27.232.1
inet6 fe80::5aa3:a39f:a077:aaab prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 8709 bytes 673774 (673.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4162 bytes 333221 (333.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.47 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::215:5dff:fe00:2d05 prefixlen 64 scopeid 0x20<link>
ether 00:15:5d:00:2d:05 txqueuelen 1000 (Ethernet)
RX packets 29736 bytes 2104645 (2.1 MB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 37667 bytes 3162577 (3.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.48 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::215:5dff:fe00:2d06 prefixlen 64 scopeid 0x20<link>
ether 00:15:5d:00:2d:06 txqueuelen 1000 (Ethernet)
RX packets 152249 bytes 130410367 (130.4 MB)
RX errors 0 dropped 4226 overruns 0 frame 0
TX packets 85719 bytes 90139233 (90.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 3645 bytes 72945929 (72.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3645 bytes 72945929 (72.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
pr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::c88b:b0ff:feb9:57e prefixlen 64 scopeid 0x20<link>
ether ca:8b:b0:b9:05:7e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 1846 (1.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
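The "cyclic and periodic" loss described above is easier to pin down if you capture timestamped pings from the VPN client and measure the spacing between loss bursts: a near-constant spacing points at something timer-driven (a keepalive, a renegotiation, a scheduled task on the host) rather than congestion. The script below is an added example written by the editor, not code from the post or from OpenVPN. It assumes iputils `ping -D -i 1 <host>` output (the `[unix_time]` prefix comes from `-D`); the function names and the sample output are the editor's own, and the sample is constructed, not a real capture.

```python
"""Find periodic loss bursts in timestamped ping output.

Added example, not from the original post. Parses `ping -D -i 1 <host>`
output (iputils prefixes each reply with a [unix_time] stamp when -D is
given), lists the icmp_seq numbers that never got a reply, groups them
into bursts and measures the spacing between bursts. A std dev that is
small next to the mean spacing means the loss is on a fixed period.
"""
import re
from statistics import mean, pstdev

# iputils reply line, e.g.
# [1631686801.000] 64 bytes from 192.168.0.45: icmp_seq=1 ttl=127 time=21.4 ms
PING_REPLY = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\] \d+ bytes from .+?: icmp_seq=(?P<seq>\d+) "
    r"ttl=\d+ time=(?P<rtt>[\d.]+) ms$"
)


def parse_ping(text):
    """Map icmp_seq -> (unix timestamp, rtt in ms) for every reply line."""
    replies = {}
    for line in text.splitlines():
        m = PING_REPLY.match(line.strip())
        if m:
            replies[int(m["seq"])] = (float(m["ts"]), float(m["rtt"]))
    return replies


def missing_sequences(replies):
    """Sequence numbers inside the replied range that got no answer."""
    if not replies:
        return []
    seqs = sorted(replies)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in replies]


def loss_bursts(missing):
    """Collapse runs of consecutive missing seqs into (first, last) bursts."""
    bursts = []
    for s in missing:
        if bursts and s == bursts[-1][1] + 1:
            bursts[-1] = (bursts[-1][0], s)
        else:
            bursts.append((s, s))
    return bursts


def burst_spacing(bursts, interval_s=1.0):
    """Seconds between consecutive burst starts, plus mean and std dev.

    interval_s is the ping interval (-i), so a seq distance of N packets
    is N * interval_s seconds.
    """
    starts = [first for first, _ in bursts]
    gaps = [(b - a) * interval_s for a, b in zip(starts, starts[1:])]
    if not gaps:
        return gaps, None, None
    return gaps, mean(gaps), pstdev(gaps)


def constructed_sample(total=180, period=60, burst_len=3, first_loss=30,
                       t0=1631686800.0):
    """Constructed ping output (not real data): a burst_len-packet loss
    burst starting at seq first_loss and repeating every `period` seqs."""
    lines = []
    for seq in range(1, total + 1):
        lost = seq >= first_loss and (seq - first_loss) % period < burst_len
        if not lost:
            lines.append(
                f"[{t0 + seq:.3f}] 64 bytes from 192.168.0.45: "
                f"icmp_seq={seq} ttl=127 time=21.4 ms"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    replies = parse_ping(constructed_sample())
    bursts = loss_bursts(missing_sequences(replies))
    gaps, avg, sd = burst_spacing(bursts)
    print("loss bursts (first_seq, last_seq):", bursts)
    print("seconds between bursts:", gaps, "mean", avg, "stddev", sd)
```

Run it against a real capture with `ping -D -i 1 192.168.0.45 > tunnel.log` from the VPN client and feed the file contents to `parse_ping`; if the mean spacing lines up with a configured timer (the post's config has a 360-minute `vpn.tls_refresh.interval`, for instance, and Hyper-V and the guest both run their own periodic tasks), that is the first thing to correlate, and the same run on the eth0 side will tell you whether the bursts exist outside the tunnel at all.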
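Separately from the loss problem, the `sacli ConfigQuery` dump above is worth a quick security pass: it binds to LDAP with `use_ssl` set to `never` (the bind DN, its password and every user's login credentials cross the LAN in cleartext), sets a `cs.tls_version_min` of 1.1 for the web services, and allows `duplicate_cn`. The script below is an added example written by the editor, not code from the post or from OpenVPN; the rule set, the function names and `SAMPLE_CONFIG_JSON` (a trimmed, constructed copy of the posted config with its redactions kept as `***`) are the editor's own. `cs.ssl_method` is deliberately left unchecked since the page does not say how Access Server interprets that value; the explicit floor is `cs.tls_version_min`.

```python
"""Flag weak transport settings in an OpenVPN Access Server config dump.

Added example, not from the original post or the product. Takes the
JSON object printed by `./sacli ConfigQuery` and returns findings for
the settings a reviewer would question first. The rules are the
editor's own.
"""
import json

# Trimmed from the posted ConfigQuery output (constructed test input).
SAMPLE_CONFIG_JSON = """{
  "auth.ldap.0.bind_dn": "OPENVPN_USR",
  "auth.ldap.0.bind_pw": "***",
  "auth.ldap.0.server.0.host": "192.168.0.45",
  "auth.ldap.0.use_ssl": "never",
  "auth.module.type": "ldap",
  "cs.ssl_method": "SSLv3",
  "cs.tls_version_min": "1.1",
  "vpn.daemon.0.listen.protocol": "tcp",
  "vpn.server.duplicate_cn": "true",
  "vpn.server.google_auth.enable": "true",
  "vpn.server.tls_auth": "true",
  "vpn.server.tls_version_min": "1.2"
}"""


def tls_floor(value):
    """Parse a tls_version_min string such as "1.1" into a comparable tuple."""
    try:
        return tuple(int(part) for part in str(value).split("."))
    except ValueError:
        return None


def audit_config(cfg):
    """Return a list of (key, value, finding) tuples for questionable settings."""
    findings = []

    # LDAP binds without TLS send the bind DN, the bind password and every
    # user's login credentials across the LAN in cleartext. The admin UI
    # offers never / adaptive / always; only "always" refuses a cleartext bind.
    if cfg.get("auth.module.type") == "ldap":
        for key, value in sorted(cfg.items()):
            if key.startswith("auth.ldap.") and key.endswith(".use_ssl") \
                    and value != "always":
                findings.append((key, value,
                                 "LDAP bind not forced over TLS; set it to always"))

    # The web services (client + admin UI) and the VPN daemon each have their
    # own TLS floor; TLS 1.0 and 1.1 are deprecated (RFC 8996).
    for key in ("cs.tls_version_min", "vpn.server.tls_version_min"):
        floor = tls_floor(cfg.get(key))
        if floor is not None and floor < (1, 2):
            findings.append((key, cfg[key], "TLS floor below 1.2"))

    # tls-auth adds an HMAC to every control-channel packet, so a client
    # without the key cannot even start a handshake against the daemon.
    if cfg.get("vpn.server.tls_auth") != "true":
        findings.append(("vpn.server.tls_auth", cfg.get("vpn.server.tls_auth"),
                         "control-channel HMAC (tls-auth) is off"))

    # duplicate_cn lets several clients use the same profile at once, so a
    # copied profile keeps working alongside the legitimate user's session.
    if cfg.get("vpn.server.duplicate_cn") == "true":
        findings.append(("vpn.server.duplicate_cn", "true",
                         "shared profiles allowed; a leaked profile is not "
                         "displaced when the real user logs in"))

    # Second factor on VPN logins.
    if cfg.get("vpn.server.google_auth.enable") != "true":
        findings.append(("vpn.server.google_auth.enable",
                         cfg.get("vpn.server.google_auth.enable"),
                         "no second factor on VPN logins"))

    return findings


def audit_json(text):
    """Audit the raw text printed by `./sacli ConfigQuery`."""
    return audit_config(json.loads(text))


if __name__ == "__main__":
    for key, value, finding in audit_json(SAMPLE_CONFIG_JSON):
        print(f"{key} = {value!r}: {finding}")
```

On the box itself this is `./sacli ConfigQuery > config.json` followed by `audit_json(open("config.json").read())`; note that the dump contains the LDAP bind password in the clear, so treat the file (and any forum paste of it) as a secret.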