On 9/27/05, Marcelo Toledo <marc...@marcelotoledo.org> wrote:
> I have one OpenVPN server version 2.0.2 using TCP port 1194 with TLS
> with about 400 clients connected to it. From time to time it's
> impossible to ping the client from the server, but if you log into the
> client and ping the server, the server then becomes able to ping the
> client. I made a lot of tests removing the bridge and trying an older
> version of openvpn, and the problem is still happening with about 20% of
> the clients connected to the vpn.
>
> Here is the config of the client and server:
>
> # SERVER CONFIG
> mode server
> port 1194
> proto tcp-server
> dev tap
[snip]
Observations:

1. 400 clients... 1 server only?
2. TAP means additional overhead: a full ethernet packet encapsulated in a TCP/IP packet. Broadcasts, fragmented ethernet datagrams, and for 400 clients....
3. TCP over TCP is not recommended. The internal congestion control can conflict with the external congestion control.
4. What is your full bandwidth and usable bandwidth at the server?

Troubleshooting:

Do packet captures on the real interfaces that the VPN tunnel is using (that is where the TCP 1194 traffic is) and on the TAP interfaces. Look for TCP issues.

Recommendations:

1. Switch to UDP.
2. Switch to TUN, even if this requires additional configuration. Relying on broadcasts over a VPN is problematic.
3. Bandwidth may be a major bottleneck. Suggestions 1 & 2 will help, but it may not be enough.
4. Server: look for bottlenecks; it may require upgrade(s). Removing one bottleneck may reveal the next bottleneck...

-- 
Leonard Isham, CISSP
Ostendo non ostento.
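To make recommendations 1 and 2 concrete, here is the posted server fragment beside a UDP/TUN variant, as an added example that is not from either poster. The address pool, certificate paths and the server hostname are placeholders; everything after `dev` is assumed, since the original config was snipped.

```conf
# --- As posted: TCP transport with a bridged TAP device ---
# TCP-over-TCP lets the tunnel's retransmissions fight the outer
# socket's congestion control, and TAP carries every broadcast frame
# to all ~400 clients.
mode server
port 1194
proto tcp-server
dev tap

# --- Suggested: UDP transport with a routed TUN device (assumed lines) ---
mode server
port 1194
proto udp
dev tun
tls-server
# Placeholder pool; clients get addresses out of this routed subnet,
# so no ethernet broadcasts cross the tunnel.
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt      # placeholder paths
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
# With UDP there is no TCP session to detect a dead peer, so let
# OpenVPN ping every 10 s and restart after 120 s of silence.
keepalive 10 120

# --- Matching client side (assumed) ---
client
proto udp
dev tun
remote vpn.example.org 1194     # placeholder server name
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
```

Both sides must change `proto` and `dev` together; a client still configured for `proto tcp-client` and `dev tap` will not connect to the UDP/TUN server.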