Hi, I have a problem with OpenVPN and I hope you'll be able to help...
I have two OpenVPN daemons on one Linux machine - one listening on TCP and one bound to the UDP port. They are using TAP devices that are bridged together, and TCP additionally shares port with ssh via "port-share". The problem is with clients connected to the TCP server (I can't switch them to UDP because of the firewall). During testing, I switched one UDP client (Linux) to TCP and observed the problem only over TCP. Ping time between them when connection is idle is about 30 ms both over the Internet and over VPN and that's okay. #v+ $ ping -c 5 vps PING vps (81.4.x.x) 56(84) bytes of data. 64 bytes from vps (81.4.x.x): icmp_seq=1 ttl=53 time=29.9 ms 64 bytes from vps (81.4.x.x): icmp_seq=2 ttl=53 time=31.5 ms 64 bytes from vps (81.4.x.x): icmp_seq=3 ttl=53 time=31.1 ms 64 bytes from vps (81.4.x.x): icmp_seq=4 ttl=53 time=30.5 ms 64 bytes from vps (81.4.x.x): icmp_seq=5 ttl=53 time=31.1 ms --- vps ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rtt min/avg/max/mdev = 29.915/30.859/31.529/0.582 ms $ ping -c 5 vps.v PING vps.v (172.24.44.18) 56(84) bytes of data. 64 bytes from vps.v (172.24.44.18): icmp_seq=1 ttl=64 time=32.1 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=2 ttl=64 time=30.4 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=3 ttl=64 time=30.8 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=4 ttl=64 time=29.8 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=5 ttl=64 time=30.2 ms --- vps.v ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rtt min/avg/max/mdev = 29.845/30.722/32.160/0.816 ms #v- When I start a full-speed transfer from server to client, the ping raises over VPN to about 3500-4000 ms, but over Internet it stays the same. It makes remote work nearly impossible despite having enough Internet capacity. #v+ $ ping -c 5 vps.v PING vps.v (172.24.44.18) 56(84) bytes of data. 64 bytes from vps.v (172.24.44.18): icmp_seq=1 ttl=64 time=3438 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=2 ttl=64 time=4167 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=3 ttl=64 time=4110 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=4 ttl=64 time=3959 ms 64 bytes from vps.v (172.24.44.18): icmp_seq=5 ttl=64 time=3976 ms --- vps.v ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4141ms rtt min/avg/max/mdev = 3438.649/3930.410/4167.983/258.253 ms, pipe 4 $ ping -c 5 vps PING vps (81.4.x.x) 56(84) bytes of data. 64 bytes from vps (81.4.x.x): icmp_seq=1 ttl=53 time=31.5 ms 64 bytes from vps (81.4.x.x): icmp_seq=2 ttl=53 time=36.7 ms 64 bytes from vps (81.4.x.x): icmp_seq=3 ttl=53 time=33.4 ms 64 bytes from vps (81.4.x.x): icmp_seq=4 ttl=53 time=30.6 ms 64 bytes from vps (81.4.x.x): icmp_seq=5 ttl=53 time=30.7 ms --- vps ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4007ms rtt min/avg/max/mdev = 30.650/32.641/36.799/2.314 ms #v- What can be the cause for this? And how could I remedy? I already tried adding TCP_NODELAY option to the socket, but it didn't help. My full configs are below. #v+ server config (no IP address, because it's set on the bridge) dev tap1 port 443 proto tcp-server ca /etc/openvpn/ca.crt cert /etc/openvpn/svpst.crt key /etc/openvpn/svpst.key dh /etc/openvpn/dh2048.pem crl-verify /etc/openvpn/crl.pem mode server tls-server client-to-client keepalive 10 45 max-clients 64 verb 4 mute 20 persist-key persist-tun comp-lzo no user nobody group nogroup # socket-flags TCP_NODELAY port-share 127.0.0.1 22 cipher AES-256-CBC #v- #v+ client config dev tap0 port 443 proto tcp-client ca /etc/openvpn/ca.crt cert /etc/openvpn/pi.crt key /etc/openvpn/pi.key remote 81.4.x.x ifconfig 172.24.44.20 255.255.255.0 comp-lzo no keepalive 10 45 tls-client persist-key persist-tun # socket-flags TCP_NODELAY user nobody group nogroup connect-retry 1 connect-timeout 7 verb 4 mute 60 script-security 2 up /etc/openvpn/pi.up.sh down /etc/openvpn/pi.down.sh cipher AES-256-CBC #v- Mentioned up and down scripts only set default routing through the VPN (I'm using two routing tables and fwmark to be able to access all ports on the server except 443 through the VPN, and only 443 through the default gateway), but the machine I did testing on doesn't use this form of routing and the problem is the same, so it can be ruled out... Thank you! ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
