linux
cherkunoff, 2021-02-27 10:51:02

How to fix very slow local traffic routing when VPN is connected?

Good afternoon!

I've run into a problem that I can't solve and would like some advice.
There is a Raspberry Pi 4 acting as a VPN gateway. The task is to send all traffic from the LAN clients (10.10.10.0/24) that use the Raspberry Pi as their gateway through the VPN, while the Pi's own traffic goes through the ISP.

To route the Pi's own traffic this way, after the VPN connects I add a routing table and one rule:

ip route add table 100 10.10.10.0/24 dev eth0 src 10.10.10.100   # LAN is on eth0; use the Pi's own address as source
ip route add table 100 default via 10.10.10.1                     # everything else goes to the ISP router
ip rule add iif lo lookup 100 prio 201                            # locally generated packets (iif lo) consult table 100 first


After that, the Pi's own traffic does go through the ISP rather than the VPN (more precisely, via the gateway 10.10.10.1).
However, there is a problem: the traffic flows, but very, very slowly. I still cannot figure out what to do about it, so I am asking for help.

Here are the speedtest results with the VPN not connected (all traffic goes through the ISP):
Hosted by XXX [0.39 km]: 3.467 ms
Download: 594.71 Mbit/s
Upload: 172.22 Mbit/s


Here are the results with the VPN connected but the Pi's own traffic going through the ISP (same test server):
Hosted by XXX [0.39 km]: 239.691 ms
Download: 44.03 Mbit/s
Upload: 11.64 Mbit/s


The difference is very significant.
And here is the result from one of the LAN clients, with the VPN connected and the client's traffic going through the VPN (a different server is used):
Hosted by YYY [9.68 km]: 37.024 ms
Download: 139.88 Mbit/s
Upload: 144.09 Mbit/s


All tests were performed "without load", i.e. while a test was running, no other clients or processes on the Pi were uploading or downloading anything.

Additional information.
Here are the routing rules after connecting the VPN:
# ip rule
0:      from all lookup local
201:    from all iif lo lookup 100
32763:  from all lookup main suppress_prefixlength 0
32764:  not from all fwmark 0xca6c lookup 51820
32765:  from all to <VPN node IP> lookup main
32766:  from all lookup main
32767:  from all lookup default

201 is the rule I add to redirect the Pi's own traffic. 32763-32765 are added by the VPN client at connection time.

Here are the firewall rules (nordlynx is the VPN interface name):
# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8555 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8444 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i eth0 -o nordlynx -j ACCEPT
-A FORWARD -i nordlynx -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN


I would be glad for advice on how to speed up the routing of local traffic!


2 answer(s)
mikes, 2021-02-27

Try doing it the other way round: push the clients' traffic into the second routing table via an ip rule, and leave the Raspberry itself on the default one.
But, as people say: get a MikroTik and enjoy life.
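The layout this answer suggests, written out as an added example (it is not code from the original post, nor from the VPN client): the Pi keeps the main table with its ISP default route, and only packets forwarded in from the LAN are steered into a separate table whose default route is the tunnel. It reuses the interface and LAN numbering from the question and assumes a free table number 200 and rule priority 100, a made-up client address 10.10.10.50 for the check, and that the client's own rules 32763-32765 have been removed first; with rule 32764 still in place, the Pi's unmarked traffic would still be sent into the tunnel after rule 32763 suppresses main's default route.

```shell
#!/bin/sh
# Added example, not code from the original post or from the VPN client:
# policy routing done the way the answer suggests. The Pi keeps the main
# table (default via the ISP router); only packets forwarded from the LAN
# are steered into a separate table whose default route is the tunnel.
#
# Assumptions not stated on the page: the tunnel interface is already up
# under the name "nordlynx"; table 200 and rule priority 100 are free;
# the VPN client's own catch-all rules (prio 32763-32765, fwmark 0xca6c,
# table 51820) have been removed, otherwise rule 32764 still sends the
# Pi's unmarked traffic into the tunnel. The client address 10.10.10.50
# used by "check" is a made-up example.
LAN_NET="${LAN_NET:-10.10.10.0/24}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-nordlynx}"
VPN_TABLE="${VPN_TABLE:-200}"
RULE_PRIO="${RULE_PRIO:-100}"
TEST_DST="${TEST_DST:-1.1.1.1}"
TEST_CLIENT="${TEST_CLIENT:-10.10.10.50}"

# Echo each command; execute it unless DRY_RUN is set, so the plan can be
# reviewed on a non-root machine before touching a live gateway.
run() {
    printf '+ %s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

vpn_split_up() {
    # Table 200: the tunnel is the only way out. A blackhole route with a
    # worse metric stays behind if the tunnel interface goes down, so LAN
    # traffic fails closed instead of falling through to main and the ISP.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace blackhole default metric 1000 table "$VPN_TABLE"
    # Only packets that entered on the LAN interface from LAN addresses
    # hit this rule. Locally generated packets have iif lo, so the Pi's
    # own traffic never matches and is routed from main as usual.
    run ip rule add from "$LAN_NET" iif "$LAN_IF" lookup "$VPN_TABLE" prio "$RULE_PRIO"
}

vpn_split_down() {
    run ip rule del from "$LAN_NET" iif "$LAN_IF" lookup "$VPN_TABLE" prio "$RULE_PRIO"
    run ip route flush table "$VPN_TABLE"
}

# Ask the kernel which route each class of traffic would take; no packet
# is sent. The first answer should name eth0 and 10.10.10.1, the second
# the tunnel interface.
vpn_split_check() {
    run ip route get "$TEST_DST"
    run ip route get "$TEST_DST" from "$TEST_CLIENT" iif "$LAN_IF"
}

case "${1:-}" in
    up)    vpn_split_up ;;
    down)  vpn_split_down ;;
    check) vpn_split_check ;;
    "")    ;;   # sourced or called without a verb: only define the functions
    *)     echo "usage: $0 up|down|check" >&2 ;;
esac
```

Run it as `DRY_RUN=1 sh split.sh up` first to see the exact `ip` commands, then `sh split.sh up` as root and `sh split.sh check` to confirm the two `ip route get` answers differ as intended. The fwmark 0xca6c in the question's rule 32764 is decimal 51820, the same value as the table it selects, which is the standard wg-quick layout; those three rules are the catch-all this script replaces. The question's FORWARD chain already permits only eth0 to nordlynx (with the chain policy DROP), so even without the blackhole route a tunnel outage would be dropped by the firewall rather than leak to the ISP; the blackhole just keeps the routing layer consistent with that.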
