Hi,
We have been using OpenVPN (from a Synology NAS) and Windows clients for years now at multiple clients. It works well except for a problem that we can't pinpoint. When sending larger (e.g. 5 or 10 MB) amounts of data the VPN seems to time out.
For example, when we copy/paste files through a Remote Desktop connection (RDP) the files start to copy and then fail. The same thing happens when we scroll through a PDF or image on the remote PC. The complete RDP session disconnects and you have to reconnect.
It's not just RDP. When we upload a file to a NAS on the remote end, we get the same problems. The file transfer stops after e.g. 5 MB and then continues. A PING over the VPN meanwhile shows time-outs. Without doing anything, the data transfer struggles and slowly completes.
We have tested with different MTU sizes, and OpenVPN over UDP or TCP, but nothing seems to help. We have also experienced this for years now at several different internet connections and software versions.
There are some warnings in the OpenVPN log, but nothing that relates to this (like "INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32" and "WARNING: this configuration may cache passwords in memory").
I also tried to capture the problem in Wireshark, but I can't find any cause. I see the RDP disconnects and retries, but I can't figure out what causes them.
Is this a known issue? How could I start troubleshooting this?
Thanks for all help.
Robert
[SOLVED] Unable to send large amounts of data over VPN (RDP disconnects, copy/past files, etc)
Re: Unable to send large amounts of data over VPN (RDP disconnects, copy/past files, etc)
Server: Synology VPN Server: Package version: 1.3.14-2782 - https://www.synology.com/en-global/rele ... el=NVR1218
Client: Windows 11 OpenVPN GUI v11.25.0.0
Example of the problem (image): https://ibb.co/Sx4XSFf

Log:
Thu Feb 17 14:37:44 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Thu Feb 17 14:37:44 2022 DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Thu Feb 17 14:37:44 2022 OpenVPN 2.5.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 20 2021
Thu Feb 17 14:37:44 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Thu Feb 17 14:37:44 2022 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Thu Feb 17 14:37:45 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Feb 17 14:37:45 2022 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb 17 14:37:45 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]90.145.143.98:1194
Thu Feb 17 14:37:45 2022 UDP link local (bound): [AF_INET][undef]:1194
Thu Feb 17 14:37:45 2022 UDP link remote: [AF_INET]90.145.143.98:1194
Thu Feb 17 14:37:47 2022 [synology.com] Peer Connection Initiated with [AF_INET]90.145.143.98:1194
Thu Feb 17 14:37:48 2022 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb 17 14:37:48 2022 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb 17 14:37:48 2022 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu Feb 17 14:37:48 2022 open_tun
Thu Feb 17 14:37:48 2022 tap-windows6 device [Local Area Connection 2] opened
Thu Feb 17 14:37:48 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {850B6E9B-038E-44E0-BFAF-3A2CEF48B08C} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Feb 17 14:37:48 2022 Successful ARP Flush on interface [12] {850B6E9B-038E-44E0-BFAF-3A2CEF48B08C}
Thu Feb 17 14:37:48 2022 IPv4 MTU set to 1500 on interface 12 using service
Thu Feb 17 14:37:53 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 17 14:37:53 2022 Initialization Sequence Completed
Config:
dev tun
tls-client
remote vpn.....hidden.... 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
float
# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway def1
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
dhcp-option DNS 10.5.1.3
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher BF-CBC
auth SHA1
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgIJAJdjJiye+i0JMA0GCSqGSIb3DQEBCwUAMFExCzAJBgNV
BAYTAlRXMQ8wDQYDVQQHDAZUYWlwZWkxFjAUBgNVBAoMDVN5bm9sb2d5IEluYy4x
GTAXBgNVBAMMEFN5bm9sb2d5IEluYy4gQ0EwHhcNMTkwMjI4MDk0MTAzWhcNMzgx
MTE1MDk0MTAzWjBRMQswCQYDVQQGEwJUVzEPMA0GA1UEBwwGVGFpcGVpMRYwFAYD
VQQKDA1TeW5vbG9neSBJbmMuMRkwFwYDVQQDDBBTeW5vbG9neSBJbmMuIENBMIIB
..cut...
OiaLtGk4yziNIVNpbnO9WxgD65HkYOd512lXB9ToRShDKLlnT+96VsfwnM5DdtaV
HOjWy725eBR4XpwrzIlzbXTRvDNWuuLvsXgU1WHm17Mu9/x2KyTI/P8tHVwYVa1F
DkjD4LdrAxQdfoSntPy+a++1uUvN1GPzMVWuwpEJ7O4C/rK3NMw9RdvI5nSL1lcG
Yi3nuCp812gz2fvYz31hcy8tBFY75RIrAsdo5O7NgGLDPsqEKPqUfBKleEOPnnmO
E+bEmryiQacKj00Zpy8sh/v9yZ/lN4fZiA==
-----END CERTIFICATE-----
</ca>

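The client log above flags four things in this profile that are unrelated to the throughput problem but worth fixing: BF-CBC (64-bit block, SWEET32), no server certificate verification (the howto#mitm warning), comp-lzo, and password caching without auth-nocache. The following is an added example, not code from the thread, Synology or the OpenVPN project: a small linter that reads an OpenVPN client profile, reports those settings, and shows a hardened profile beside the weak one. The sample profile is reconstructed from the config posted above with the remote and the CA blob replaced by placeholders; the recommended replacements are the ones the log messages themselves name. Moving from cipher BF-CBC to data-ciphers AES-256-GCM:AES-128-GCM assumes the Synology server side negotiates AES-GCM, and dropping comp-lzo assumes the server does not push compression.

```python
"""Lint an OpenVPN client profile for the weak settings the client log warns about.

Added example for this thread; not Synology's or OpenVPN's own code.
"""
import re

# Reconstructed from the profile posted in the thread (remote and CA replaced).
WEAK_PROFILE = """\
dev tun
tls-client
remote vpn.example.invalid 1194
float
dhcp-option DNS 10.5.1.3
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher BF-CBC
auth SHA1
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIID...placeholder...
-----END CERTIFICATE-----
</ca>
"""

# Same profile with the fixes the log messages suggest (assumes server support).
HARDENED_PROFILE = """\
dev tun
tls-client
remote vpn.example.invalid 1194
float
dhcp-option DNS 10.5.1.3
pull
proto udp
script-security 2
reneg-sec 3600
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
auth-user-pass
auth-nocache
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIID...placeholder...
-----END CERTIFICATE-----
</ca>
"""

# Ciphers with a 64-bit block, the class OpenVPN's SWEET32 warning is about.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                       "CAST5-CBC", "IDEA-CBC", "RC2-CBC"}

# Any of these gives the client a way to check the server certificate.
SERVER_CHECK_OPTIONS = {"remote-cert-tls", "verify-x509-name", "ns-cert-type",
                        "remote-cert-eku", "remote-cert-ku", "tls-verify",
                        "peer-fingerprint"}


def parse_profile(text):
    """Return {option: [arg-lists]}; comments are skipped and inline <tag>...</tag>
    blobs are recorded under the tag name without their contents."""
    options, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            in_block = m.group(1)
            options.setdefault(in_block, []).append(["<inline>"])
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        options.setdefault(parts[0], []).append(parts[1:])
    return options


def lint_profile(text):
    """Return a list of (option, message) findings; empty means nothing flagged."""
    opts = parse_profile(text)
    findings = []
    cipher_args = opts.get("cipher", [[]])[0]
    cipher = cipher_args[0] if cipher_args else None
    if cipher in SMALL_BLOCK_CIPHERS and "data-ciphers" not in opts:
        findings.append(("cipher", f"{cipher} has a 64-bit block (SWEET32); use "
                         "data-ciphers AES-256-GCM:AES-128-GCM and let the server negotiate"))
    if not SERVER_CHECK_OPTIONS & opts.keys():
        findings.append(("remote-cert-tls", "no server certificate verification method; "
                         "add 'remote-cert-tls server' (see the howto#mitm warning)"))
    if "comp-lzo" in opts or "compress" in opts:
        findings.append(("comp-lzo", "compression inside the tunnel; the log notes it has "
                         "been used to break encryption, so remove it if the server allows"))
    if "auth-user-pass" in opts and "auth-nocache" not in opts:
        findings.append(("auth-nocache", "credentials stay cached in memory; add 'auth-nocache'"))
    reneg_args = opts.get("reneg-sec", [[]])[0]
    if reneg_args and reneg_args[0] == "0":
        findings.append(("reneg-sec", "time-based rekeying disabled; with BF-CBC the client "
                         "only falls back to the 64MB reneg-bytes cap seen in the log"))
    return findings


if __name__ == "__main__":
    for opt, msg in lint_profile(WEAK_PROFILE):
        print(f"{opt}: {msg}")
    print("hardened profile findings:", lint_profile(HARDENED_PROFILE))
```

Run it against a real `.ovpn` by replacing `WEAK_PROFILE` with the file contents; the parser deliberately skips the `<ca>`/`<cert>`/`<key>` bodies so the checks only see option lines.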
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Unable to send large amounts of data over VPN (RDP disconnects, copy/past files, etc)
See your server log for problems, when the VPN dies.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Feb 16, 2022 10:49 am
Re: Unable to send large amounts of data over VPN (RDP disconnects, copy/past files, etc)
This problem is solved. It was caused by a DoS-protection feature on our Draytek router.
By default it limits UDP traffic to 2,000 packets/sec.
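A UDP flood limit of 2,000 packets/sec explains every symptom in the thread: an idle RDP session stays far below it, a bulk copy over a 1500-byte tunnel MTU exceeds it within a second, the router then drops the excess UDP (including the tunnelled pings), and the transfer crawls on through retransmits. The script below is an added example, not part of the thread or of any vendor's tooling: it bins the packets sent to the VPN endpoint per second from a tshark field export and flags the seconds that exceed the limit and the silent gaps that follow, which is the pattern to look for in the Wireshark capture the first post mentions. The rows are constructed to mimic such a capture; the expected input is what `tshark -r capture.pcapng -Y udp -T fields -E separator=, -e frame.time_relative -e ip.dst -e udp.dstport -e frame.len` prints, and the 1450-byte datagram size and 23.2 Mbit/s ceiling are illustrative assumptions, not measurements from the thread.

```python
"""Spot a per-second UDP rate limiter in a VPN capture.

Added example for this thread. Input rows are constructed here; real ones come
from tshark with -e frame.time_relative -e ip.dst -e udp.dstport -e frame.len.
"""
from collections import Counter

VPN_SERVER = "90.145.143.98"   # server address from the client log in this thread
VPN_PORT = 1194
DEFAULT_LIMIT_PPS = 2000       # DrayTek default UDP threshold reported in the thread


def build_sample_rows():
    """Constructed capture: idle RDP, a two-second bulk copy above the limit,
    a silent stretch while the router drops UDP, then a retransmit trickle."""
    rows = []
    for i in range(100):                       # seconds 0-1: ~50 packets/s
        rows.append(f"{i * 0.02:.3f},{VPN_SERVER},{VPN_PORT},120")
    for i in range(6000):                      # seconds 2-3: 3000 packets/s
        rows.append(f"{2.0 + i / 3000:.6f},{VPN_SERVER},{VPN_PORT},1450")
    for i in range(20):                        # second 9: trickle after the gap
        rows.append(f"{9.0 + i * 0.05:.3f},{VPN_SERVER},{VPN_PORT},1450")
    for i in range(5000):                      # unrelated DNS traffic, must be ignored
        rows.append(f"{2.0 + i / 5000:.6f},192.0.2.10,53,80")
    return rows


def udp_pps_to_peer(rows, peer_ip=VPN_SERVER, peer_port=VPN_PORT):
    """Count packets per whole-second bucket that are addressed to the VPN peer."""
    buckets = Counter()
    for row in rows:
        t, dst, dport, _length = row.split(",")
        if dst == peer_ip and int(dport) == peer_port:
            buckets[int(float(t))] += 1
    return dict(sorted(buckets.items()))


def seconds_over_limit(buckets, limit_pps=DEFAULT_LIMIT_PPS):
    """Seconds in which the client exceeded the router's UDP threshold."""
    return [sec for sec, n in buckets.items() if n > limit_pps]


def silent_gaps(buckets, min_gap_s=3):
    """(first, last) second of each stretch with no packets to the peer for at
    least min_gap_s seconds: what the ping time-outs look like in a capture."""
    secs = sorted(buckets)
    gaps = []
    for a, b in zip(secs, secs[1:]):
        if b - a - 1 >= min_gap_s:
            gaps.append((a + 1, b - 1))
    return gaps


def throughput_ceiling_mbit(limit_pps=DEFAULT_LIMIT_PPS, datagram_bytes=1450):
    """Best-case goodput under the limiter when every datagram is full size."""
    return limit_pps * datagram_bytes * 8 / 1_000_000


if __name__ == "__main__":
    buckets = udp_pps_to_peer(build_sample_rows())
    for sec, n in buckets.items():
        flag = "  <-- over limit" if n > DEFAULT_LIMIT_PPS else ""
        print(f"t={sec:>3}s  {n:>5} pkt/s{flag}")
    print("silent gaps:", silent_gaps(buckets))
    print(f"ceiling at {DEFAULT_LIMIT_PPS} pps: {throughput_ceiling_mbit():.1f} Mbit/s")
```

Feed it a real export by reading the tshark output lines into `udp_pps_to_peer` in place of `build_sample_rows()`; if the over-limit seconds line up with the RDP disconnects and the gaps with the lost pings, the router's UDP flood setting is the first thing to check.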
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Unable to send large amounts of data over VPN (RDP disconnects, copy/past files, etc)
Thanks for letting us know
