openvpn
fadd, 2018-02-05 16:20:52

How to fix significant speed loss over OpenVPN (TCP)?

Server: a small VPS, 200/200 Mbit link;
Client: Windows 7, 40/40 Mbit link.
After two days of deep googling I tried dozens of configuration options and have now settled on the most productive one, which gives 12/8 Mbit according to SpeedTest measurements.

Configs
Server
port 443
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp" 
crl-verify crl.pem
ca ca.crt
cert server_cR0qH59D9aI9rtXh.crt
key server_cR0qH59D9aI9rtXh.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
tun-mtu 6000
mssfix 0

Client
client
proto tcp-client
remote 185.20.*.* 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_cR0qH59D9aI9rtXh name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns

verb 4
sndbuf 524288
rcvbuf 524288
tun-mtu 6000
mssfix 0

cat /etc/sysctl.conf
net.ipv4.ip_forward=1
net.core.rmem_max = 6291456
net.core.wmem_max = 4194304
net.core.wmem_default = 212992
net.core.rmem_default = 212992
Client log, verb 4
Mon Feb 05 15:14:33 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Mon Feb 05 15:14:33 2018 Windows version 6.1 (Windows 7) 64bit
Mon Feb 05 15:14:33 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Mon Feb 05 15:14:33 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Feb 05 15:14:33 2018 Need hold release from management interface, waiting...
Mon Feb 05 15:14:34 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'state on'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'log all on'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'echo all on'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'hold off'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'hold release'
Mon Feb 05 15:14:34 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Feb 05 15:14:34 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Feb 05 15:14:34 2018 Control Channel MTU parms [ L:6123 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Mon Feb 05 15:14:34 2018 Data Channel MTU parms [ L:6123 D:6123 EF:123 EB:1156 ET:0 EL:3 ]
Mon Feb 05 15:14:34 2018 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 6071,tun-mtu 6000,proto TCPv4_CLIENT,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Mon Feb 05 15:14:34 2018 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 6071,tun-mtu 6000,proto TCPv4_SERVER,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Mon Feb 05 15:14:34 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:34 2018 Socket Buffers: R=[8192->524288] S=[8192->524288]
Mon Feb 05 15:14:34 2018 Attempting to establish TCP connection with [AF_INET]185.20.*.*:443 [nonblock]
Mon Feb 05 15:14:34 2018 MANAGEMENT: >STATE:1517836474,TCP_CONNECT,,,,,,
Mon Feb 05 15:14:35 2018 TCP connection established with [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:35 2018 TCP_CLIENT link local: (not bound)
Mon Feb 05 15:14:35 2018 TCP_CLIENT link remote: [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:35 2018 MANAGEMENT: >STATE:1517836475,WAIT,,,,,,
Mon Feb 05 15:14:35 2018 MANAGEMENT: >STATE:1517836475,AUTH,,,,,,
Mon Feb 05 15:14:35 2018 TLS: Initial packet from [AF_INET]185.20.*.*:443, sid=dfc346a0 689685b6
Mon Feb 05 15:14:35 2018 VERIFY OK: depth=1, CN=cn_PZZZZZBo2Pcf2THq
Mon Feb 05 15:14:35 2018 VERIFY KU OK
Mon Feb 05 15:14:35 2018 Validating certificate extended key usage
Mon Feb 05 15:14:35 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 05 15:14:35 2018 VERIFY EKU OK
Mon Feb 05 15:14:35 2018 VERIFY X509NAME OK: CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 15:14:35 2018 VERIFY OK: depth=0, CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 15:14:36 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Mon Feb 05 15:14:36 2018 [server_cR0qH59D9aI9rtXh] Peer Connection Initiated with [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:37 2018 MANAGEMENT: >STATE:1517836477,GET_CONFIG,,,,,,
Mon Feb 05 15:14:37 2018 SENT CONTROL [server_cR0qH59D9aI9rtXh]: 'PUSH_REQUEST' (status=1)
Mon Feb 05 15:14:37 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,sndbuf 524288,rcvbuf 524288,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Feb 05 15:14:37 2018 Socket Buffers: R=[524288->524288] S=[524288->524288]
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: route options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: route-related options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: peer-id set
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: adjusting link_mtu to 6126
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 05 15:14:37 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 05 15:14:37 2018 Data Channel MTU parms [ L:6054 D:6054 EF:54 EB:1156 ET:0 EL:3 ]
Mon Feb 05 15:14:37 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 15:14:37 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 15:14:37 2018 interactive service msg_channel=0
Mon Feb 05 15:14:37 2018 ROUTE_GATEWAY 10.88.184.129/255.255.255.128 I=11 HWADDR=14:b3:1f:11:54:87
Mon Feb 05 15:14:37 2018 open_tun
Mon Feb 05 15:14:37 2018 TAP-WIN32 device [Подключение по локальной сети 2] opened: \\.\Global\{7ACB281C-80B4-4B51-BC8E-7FC68DC0E106}.tap
Mon Feb 05 15:14:37 2018 TAP-Windows Driver Version 9.21 
Mon Feb 05 15:14:37 2018 TAP-Windows MTU=1500
Mon Feb 05 15:14:37 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Mon Feb 05 15:14:37 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {7ACB281C-80B4-4B51-BC8E-7FC68DC0E106} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Mon Feb 05 15:14:37 2018 DHCP option string: 06080808 08080808 0404
Mon Feb 05 15:14:37 2018 Successful ARP Flush on interface [23] {7ACB281C-80B4-4B51-BC8E-7FC68DC0E106}
Mon Feb 05 15:14:37 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Feb 05 15:14:37 2018 MANAGEMENT: >STATE:1517836477,ASSIGN_IP,,10.8.0.2,,,,
Mon Feb 05 15:14:37 2018 Blocking outside DNS
Mon Feb 05 15:14:37 2018 Block_DNS: WFP engine opened
Mon Feb 05 15:14:37 2018 Block_DNS: Using existing sublayer
Mon Feb 05 15:14:37 2018 Block_DNS: Added permit filters for exe_path
Mon Feb 05 15:14:37 2018 Block_DNS: Added block filters for all interfaces
Mon Feb 05 15:14:37 2018 Block_DNS: Added permit filters for TAP interface
Mon Feb 05 15:14:42 2018 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Mon Feb 05 15:14:42 2018 C:\Windows\system32\route.exe ADD 185.20.*.* MASK 255.255.255.255 10.88.184.129
Mon Feb 05 15:14:42 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon Feb 05 15:14:42 2018 Route addition via IPAPI succeeded [adaptive]
Mon Feb 05 15:14:42 2018 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 05 15:14:42 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=3 and dwForwardType=4
Mon Feb 05 15:14:42 2018 Route addition via IPAPI succeeded [adaptive]
Mon Feb 05 15:14:42 2018 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 05 15:14:42 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=3 and dwForwardType=4
Mon Feb 05 15:14:42 2018 Route addition via IPAPI succeeded [adaptive]
Mon Feb 05 15:14:42 2018 Initialization Sequence Completed
Mon Feb 05 15:14:42 2018 MANAGEMENT: >STATE:1517836482,CONNECTED,SUCCESS,10.8.0.2,185.20.*.*,443,10.88.184.177,52403
Mon Feb 05 16:14:35 2018 VERIFY OK: depth=1, CN=cn_PZZZZZBo2Pcf2THq
Mon Feb 05 16:14:35 2018 VERIFY KU OK
Mon Feb 05 16:14:35 2018 Validating certificate extended key usage
Mon Feb 05 16:14:35 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 05 16:14:35 2018 VERIFY EKU OK
Mon Feb 05 16:14:35 2018 VERIFY X509NAME OK: CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 16:14:35 2018 VERIFY OK: depth=0, CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 16:14:36 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 16:14:36 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 16:14:36 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
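The verb 4 log above already records what the tunnel actually negotiated, which is more useful for diagnosing the slowdown than the configs alone: the link MTU and mssfix value (the `Data Channel MTU parms` line, where D equals L because `mssfix 0` disables clamping), the adapter MTU, the socket buffers after the server's push, and the data-channel cipher, which OpenVPN 2.4 negotiates (NCP) and which ends up as AES-256-GCM despite `cipher AES-128-CBC` in both configs. The script below is an added example, not part of the original post and not OpenVPN's own tooling; it parses the log lines quoted above and prints the throughput-relevant findings. The 1460-byte path MSS used to estimate how many TCP segments one tunnel packet needs is an assumption (a 1500-byte Ethernet path), not something the log states.

```python
"""Extract the throughput-relevant tunnel parameters from an OpenVPN 2.4
client log (verb 4) and flag the usual causes of a slow TCP tunnel."""
import math
import re

# Lines copied from the client log in the post above; the rest of the log
# is not needed for this analysis.
CLIENT_LOG = """\
Mon Feb 05 15:14:34 2018 Control Channel MTU parms [ L:6123 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Mon Feb 05 15:14:34 2018 Data Channel MTU parms [ L:6123 D:6123 EF:123 EB:1156 ET:0 EL:3 ]
Mon Feb 05 15:14:34 2018 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 6071,tun-mtu 6000,proto TCPv4_CLIENT,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Mon Feb 05 15:14:34 2018 Socket Buffers: R=[8192->524288] S=[8192->524288]
Mon Feb 05 15:14:36 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Mon Feb 05 15:14:37 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,sndbuf 524288,rcvbuf 524288,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Feb 05 15:14:37 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 05 15:14:37 2018 Data Channel MTU parms [ L:6054 D:6054 EF:54 EB:1156 ET:0 EL:3 ]
Mon Feb 05 15:14:37 2018 TAP-Windows MTU=1500
"""

TIMESTAMP = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")


def parse_client_log(text):
    """Return a dict of the tunnel parameters found in the log."""
    info = {"pushed": []}
    for raw in text.splitlines():
        msg = TIMESTAMP.sub("", raw)
        m = re.search(r"Data Channel MTU parms \[ L:(\d+) D:(\d+) EF:(\d+)", msg)
        if m:  # the post-negotiation line comes last and overwrites the first
            info["link_mtu"], info["mssfix"], info["extra_frame"] = map(int, m.groups())
            continue
        m = re.search(r"Local Options String .*?'(.*)'", msg)
        if m:  # "key value" pairs; bare flags such as tls-auth are skipped
            opts = dict(o.split(" ", 1) for o in m.group(1).split(",") if " " in o)
            info["tun_mtu_configured"] = int(opts["tun-mtu"])
            info["proto"] = opts["proto"]
            info["configured_cipher"] = opts["cipher"]
            continue
        m = re.search(r"using negotiated cipher '([\w-]+)'", msg)
        if m:
            info["negotiated_cipher"] = m.group(1)
            continue
        m = re.search(r"TAP-Windows MTU=(\d+)", msg)
        if m:
            info["adapter_mtu"] = int(m.group(1))
            continue
        m = re.search(r"Socket Buffers: R=\[\d+->(\d+)\] S=\[\d+->(\d+)\]", msg)
        if m:  # value after the arrow is what the socket was set to
            info["rcvbuf"], info["sndbuf"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.search(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([\w-]+)", msg)
        if m:
            info["tls_version"], info["tls_cipher"] = m.groups()
            continue
        m = re.search(r"PUSH_REPLY,(.*)'", msg)
        if m:
            info["pushed"] = m.group(1).split(",")
    info["pushed_dns"] = [p.split()[-1] for p in info["pushed"]
                          if p.startswith("dhcp-option DNS")]
    return info


def tcp_segments_per_tunnel_packet(link_mtu, path_mss=1460):
    """TCP segments on the physical path needed for one tunnel packet.
    In TCP mode OpenVPN prefixes every packet with a 2-byte length field;
    1460 is the usual MSS behind a 1500-byte Ethernet MTU (an assumption,
    not something the log reports)."""
    return math.ceil((link_mtu + 2) / path_mss)


def findings(info):
    """Observations derived only from the parsed values."""
    out = []
    tun_mtu = info["link_mtu"] - info["extra_frame"]
    out.append(f"tun-mtu in effect: {tun_mtu} (link MTU {info['link_mtu']} minus "
               f"{info['extra_frame']} bytes of crypto/framing overhead)")
    if info["proto"].startswith("TCP"):
        out.append("transport is TCP: inner TCP flows run TCP-over-TCP, so inner and "
                   "outer retransmission and congestion control stack up on every loss")
    if info["link_mtu"] > info["adapter_mtu"]:
        n = tcp_segments_per_tunnel_packet(info["link_mtu"])
        out.append(f"link MTU {info['link_mtu']} exceeds the adapter MTU "
                   f"{info['adapter_mtu']}: the local adapter only emits packets up to "
                   f"{info['adapter_mtu']} bytes, but tunnel packets from the peer may be "
                   f"{info['link_mtu']} bytes, about {n} TCP segments each on the wire")
    if info["mssfix"] >= info["link_mtu"]:
        out.append("mssfix is off (D == L): TCP sessions inside the tunnel are not "
                   "clamped to fit a single tunnel packet")
    if info["configured_cipher"] != info["negotiated_cipher"]:
        out.append(f"NCP replaced configured cipher {info['configured_cipher']} with "
                   f"{info['negotiated_cipher']}; the 'cipher' line only applies when "
                   "negotiation is disabled or the peer does not support it")
    if info["pushed_dns"]:
        out.append("DNS pushed by server: " + ", ".join(info["pushed_dns"]))
    return out


if __name__ == "__main__":
    for line in findings(parse_client_log(CLIENT_LOG)):
        print("-", line)
```

Run it as-is to see the findings for the posted log, or replace `CLIENT_LOG` with your own verb 4 client log; the `Data Channel MTU parms` line printed after `PUSH_REPLY` is the one that reflects the negotiated cipher's overhead, which is why the parser keeps the last occurrence.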

1 answer(s)
just_hank_moody, 2018-03-06

Is it necessary to use TCP? At one point I reconfigured the server and clients to UDP; the speed improved significantly.
