Answer the question
In order to leave comments, you need to log in
How to fix significant speed loss over OpenVPN (TCP)?
Server - small VPS, channel 200/200mbit;
Client - Windows 7, channel 40/40mbit.
After two days of deep googling, I tried dozens of configuration options, now I settled on the most productive one, which gives a speed of 12 / 8 mbit according to measurements on SpeedTest.
port 443
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server_cR0qH59D9aI9rtXh.crt
key server_cR0qH59D9aI9rtXh.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
tun-mtu 6000
mssfix 0
client
proto tcp-client
remote 185.20.*.* 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_cR0qH59D9aI9rtXh name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 4
sndbuf 524288
rcvbuf 524288
tun-mtu 6000
mssfix 0
net.ipv4.ip_forward=1
net.core.rmem_max = 6291456
net.core.wmem_max = 4194304
net.core.wmem_default = 212992
net.core.rmem_default = 212992
Mon Feb 05 15:14:33 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Mon Feb 05 15:14:33 2018 Windows version 6.1 (Windows 7) 64bit
Mon Feb 05 15:14:33 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Mon Feb 05 15:14:33 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Feb 05 15:14:33 2018 Need hold release from management interface, waiting...
Mon Feb 05 15:14:34 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'state on'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'log all on'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'echo all on'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'hold off'
Mon Feb 05 15:14:34 2018 MANAGEMENT: CMD 'hold release'
Mon Feb 05 15:14:34 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Feb 05 15:14:34 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Feb 05 15:14:34 2018 Control Channel MTU parms [ L:6123 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Mon Feb 05 15:14:34 2018 Data Channel MTU parms [ L:6123 D:6123 EF:123 EB:1156 ET:0 EL:3 ]
Mon Feb 05 15:14:34 2018 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 6071,tun-mtu 6000,proto TCPv4_CLIENT,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Mon Feb 05 15:14:34 2018 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 6071,tun-mtu 6000,proto TCPv4_SERVER,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Mon Feb 05 15:14:34 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:34 2018 Socket Buffers: R=[8192->524288] S=[8192->524288]
Mon Feb 05 15:14:34 2018 Attempting to establish TCP connection with [AF_INET]185.20.*.*:443 [nonblock]
Mon Feb 05 15:14:34 2018 MANAGEMENT: >STATE:1517836474,TCP_CONNECT,,,,,,
Mon Feb 05 15:14:35 2018 TCP connection established with [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:35 2018 TCP_CLIENT link local: (not bound)
Mon Feb 05 15:14:35 2018 TCP_CLIENT link remote: [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:35 2018 MANAGEMENT: >STATE:1517836475,WAIT,,,,,,
Mon Feb 05 15:14:35 2018 MANAGEMENT: >STATE:1517836475,AUTH,,,,,,
Mon Feb 05 15:14:35 2018 TLS: Initial packet from [AF_INET]185.20.*.*:443, sid=dfc346a0 689685b6
Mon Feb 05 15:14:35 2018 VERIFY OK: depth=1, CN=cn_PZZZZZBo2Pcf2THq
Mon Feb 05 15:14:35 2018 VERIFY KU OK
Mon Feb 05 15:14:35 2018 Validating certificate extended key usage
Mon Feb 05 15:14:35 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 05 15:14:35 2018 VERIFY EKU OK
Mon Feb 05 15:14:35 2018 VERIFY X509NAME OK: CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 15:14:35 2018 VERIFY OK: depth=0, CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 15:14:36 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Mon Feb 05 15:14:36 2018 [server_cR0qH59D9aI9rtXh] Peer Connection Initiated with [AF_INET]185.20.*.*:443
Mon Feb 05 15:14:37 2018 MANAGEMENT: >STATE:1517836477,GET_CONFIG,,,,,,
Mon Feb 05 15:14:37 2018 SENT CONTROL [server_cR0qH59D9aI9rtXh]: 'PUSH_REQUEST' (status=1)
Mon Feb 05 15:14:37 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,sndbuf 524288,rcvbuf 524288,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Feb 05 15:14:37 2018 Socket Buffers: R=[524288->524288] S=[524288->524288]
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: route options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: route-related options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: peer-id set
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: adjusting link_mtu to 6126
Mon Feb 05 15:14:37 2018 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 05 15:14:37 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 05 15:14:37 2018 Data Channel MTU parms [ L:6054 D:6054 EF:54 EB:1156 ET:0 EL:3 ]
Mon Feb 05 15:14:37 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 15:14:37 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 15:14:37 2018 interactive service msg_channel=0
Mon Feb 05 15:14:37 2018 ROUTE_GATEWAY 10.88.184.129/255.255.255.128 I=11 HWADDR=14:b3:1f:11:54:87
Mon Feb 05 15:14:37 2018 open_tun
Mon Feb 05 15:14:37 2018 TAP-WIN32 device [Подключение по локальной сети 2] opened: \\.\Global\{7ACB281C-80B4-4B51-BC8E-7FC68DC0E106}.tap
Mon Feb 05 15:14:37 2018 TAP-Windows Driver Version 9.21
Mon Feb 05 15:14:37 2018 TAP-Windows MTU=1500
Mon Feb 05 15:14:37 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Mon Feb 05 15:14:37 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {7ACB281C-80B4-4B51-BC8E-7FC68DC0E106} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Mon Feb 05 15:14:37 2018 DHCP option string: 06080808 08080808 0404
Mon Feb 05 15:14:37 2018 Successful ARP Flush on interface [23] {7ACB281C-80B4-4B51-BC8E-7FC68DC0E106}
Mon Feb 05 15:14:37 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Feb 05 15:14:37 2018 MANAGEMENT: >STATE:1517836477,ASSIGN_IP,,10.8.0.2,,,,
Mon Feb 05 15:14:37 2018 Blocking outside DNS
Mon Feb 05 15:14:37 2018 Block_DNS: WFP engine opened
Mon Feb 05 15:14:37 2018 Block_DNS: Using existing sublayer
Mon Feb 05 15:14:37 2018 Block_DNS: Added permit filters for exe_path
Mon Feb 05 15:14:37 2018 Block_DNS: Added block filters for all interfaces
Mon Feb 05 15:14:37 2018 Block_DNS: Added permit filters for TAP interface
Mon Feb 05 15:14:42 2018 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Mon Feb 05 15:14:42 2018 C:\Windows\system32\route.exe ADD 185.20.*.* MASK 255.255.255.255 10.88.184.129
Mon Feb 05 15:14:42 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon Feb 05 15:14:42 2018 Route addition via IPAPI succeeded [adaptive]
Mon Feb 05 15:14:42 2018 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 05 15:14:42 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=3 and dwForwardType=4
Mon Feb 05 15:14:42 2018 Route addition via IPAPI succeeded [adaptive]
Mon Feb 05 15:14:42 2018 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 05 15:14:42 2018 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=3 and dwForwardType=4
Mon Feb 05 15:14:42 2018 Route addition via IPAPI succeeded [adaptive]
Mon Feb 05 15:14:42 2018 Initialization Sequence Completed
Mon Feb 05 15:14:42 2018 MANAGEMENT: >STATE:1517836482,CONNECTED,SUCCESS,10.8.0.2,185.20.*.*,443,10.88.184.177,52403
Mon Feb 05 16:14:35 2018 VERIFY OK: depth=1, CN=cn_PZZZZZBo2Pcf2THq
Mon Feb 05 16:14:35 2018 VERIFY KU OK
Mon Feb 05 16:14:35 2018 Validating certificate extended key usage
Mon Feb 05 16:14:35 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 05 16:14:35 2018 VERIFY EKU OK
Mon Feb 05 16:14:35 2018 VERIFY X509NAME OK: CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 16:14:35 2018 VERIFY OK: depth=0, CN=server_cR0qH59D9aI9rtXh
Mon Feb 05 16:14:36 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 16:14:36 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 05 16:14:36 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Answer the question
In order to leave comments, you need to log in
Is it necessary to use TCP? in due time reconfigured the server and clients on UDP. speed has improved significantly.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question