Solved

OpenVPN connection OK with Win client but very slow with Mac client (Tunnelblick)

Posted on 2009-07-14
Last Modified: 2012-05-07
I have OpenVPN 2.1 installed on a Linux server (CentOS 5.3) and different users connect to it through the Windows client GUI. The connection has been working great if the Windows client is used.

However, when the OpenVPN client is Tunnelblick on a Mac (OS X Leopard 1.0.5.7), the connection is problematic. It establishes just fine, but the ping gets very slow once you start transferring more data. In other words, if you run the ping command in a terminal it looks OK, but if you then, for example, open a URL, it becomes extremely slow: the ping can suddenly change from 30ms to 2000ms and then comes back to 30ms once there is no data transfer again.

Any idea why this is happening? There does not seem to be any error recorded in the server logs.

Here is the server configuration:
---------------------------------

auth-user-pass-verify "/etc/openvpn/vpnauth.php" via-file
tmp-dir /tmp
port 443
tls-server
mode server
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
crl-verify keys/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd
server 10.88.12.0 255.255.254.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.88.12.1"
cipher AES-256-CBC
user openvpn
group openvpn
status logs/openvpn-status.log
log-append logs/openvpn.log
verb 4
mute 20
max-clients 500
management 127.0.0.1 4445
keepalive 10 120
comp-lzo
persist-key
persist-tun
writepid /var/run/openvpn.pid
duplicate-cn


Here is the client configuration:
---------------------------------

remote PUBLIC_SERVER_IP
port 443
proto udp
client
tls-client
auth-user-pass
auth-retry interact
dev tun
ca keys/ca.crt
cert keys/vpnclient.crt
key keys/vpnclient.key
tls-auth keys/ta.key 1
explicit-exit-notify 1
ns-cert-type server
cipher AES-256-CBC
verb 2
mute 20
comp-lzo
persist-key
persist-tun


Again, this server+client configuration is working great as long as the client is Windows OpenVPN. I have tried a TCP configuration with a few modifications (different port etc.) but the problem persisted.

Any idea where the problem is on Macs? Tunnelblick is the newest version available and so is the server (2.1.x OpenVPN branch).

Question by:tomfra

Expert Comment

by:everkleer
ID: 24855215
I came across something that may or may not be the issue just yesterday when listening to the latest episode (#210) of the Mac Geek Gab podcast (http://www.macobserver.com/tmo/podcast/mgg_210_itunes_iphoto_printing_tips_fixes_ssd_drives/). They discussed an issue where PCs would work OK on a network but Macs on the same network would slow to a crawl (similar to what you describe). They suggested trying to change the MTU value from 1500 to 1400 (directions here: http://support.apple.com/kb/HT2532). MTU determines the size of the packets sent from your computer and 1500 is the default, but they even mention that certain types of networks like VPNs may require it to be smaller.

Author Comment

by:tomfra
ID: 24871254
I tried that but it didn't make any difference. I'll try changing the default MTU in the server config, but that would be an imperfect solution as it could create problems for non-Mac clients, I suppose.

Expert Comment

by:everkleer
ID: 24872127
Sorry, I'm not too familiar with this; I just thought it might help since in the podcast they mentioned the problem being with Macs and not PCs. They also mentioned that firmware updates (if available) are the best solution for this type of thing. Is the firmware on the router up to date?

Author Comment

by:tomfra
ID: 24872195
This has nothing to do with a router; the Internet connection works just fine, and the problem happens only when I connect through the OpenVPN server (running on Linux). But it seems it may indeed be MTU related: I set the MTU size to 1400 on the OpenVPN server side and so far it seems to be working.

However, I need to test it more, and it could also have a negative impact on non-Mac clients I suppose, so I will need to test that too.

Accepted Solution

by:everkleer (earned 500 total points)
ID: 24872321
Didn't seem like the router would be the problem, but there are often weird solutions you wouldn't think would work. When troubleshooting problems with people I often tell them to try something that I don't think will work, and a lot of times they even argue with me that it won't work, but I tell them to just try it and occasionally (although not often) it happens to work!

Sounds like you're at least on the right track with the MTU though. Good luck!

Author Comment

by:tomfra
ID: 24872497
Well, so far I have found that using "tun-mtu 1400" instead of the default value of 1500 on the server side makes the connection much better; however, it's still not ideal when you transfer a lot of data, for example downloading a file over the Internet. But I think I am getting there.

Actually, I thought it could have something to do with the MTU initially, but did not find any info on the Internet; if it was a common problem I suppose Google would return a lot of results, but it did not...

By the way, we are not talking about one server here. I use the same configuration on 10 different servers in several different datacenters. All have the same problem when connecting using Tunnelblick on a Mac.

Author Comment

by:tomfra
ID: 24945305
OK, accepting the solution because it was apparently indeed MTU related. I got the best results when adding these values to both the server & client configuration files:

tun-mtu 1500
fragment 1450
mssfix 1450

This is for UDP config. It's still not perfect so some more optimization may be necessary but this config seems to work OK for both Windows and Mac clients.
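As an added example (not code from this thread or from OpenVPN itself), the script below shows why a full 1500-byte tun packet overflows a 1500-byte path with the AES-256-CBC / SHA1 / comp-lzo settings in the configs above, finds the real path MTU by a Don't-Fragment ping binary search, and derives fragment/mssfix values the way the accepted fix does. The per-packet header sizes, the ping flags and the 22-byte margin are assumptions stated in the comments.

```python
"""Added example, not from the thread: estimate OpenVPN 2.x data-channel
overhead and derive --fragment/--mssfix from a measured path MTU.  Header
sizes are the documented CBC-era ones; treat the totals as an estimate."""
import subprocess
import sys

IP_UDP_HDR = 28  # outer IPv4 header (20) + UDP header (8)

def data_channel_overhead(block, hmac, comp_lzo):
    # Bytes OpenVPN adds to each tun packet before the outer UDP header:
    # 1 opcode/key-id + 4 replay packet-id + HMAC tag + IV (one block)
    # + up to one block of CBC padding + 1 comp-lzo flag byte if enabled.
    return 1 + 4 + hmac + block + block + (1 if comp_lzo else 0)

def wire_size(tun_mtu, overhead):
    """Outer IP packet size carrying one full-size tun packet."""
    return tun_mtu + overhead + IP_UDP_HDR

def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet size that probe(size) accepts."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def ping_df_probe(host):
    # Real probe (needs network): one ping with Don't-Fragment set.
    # Assumed flags: iputils 'ping -M do' on Linux, 'ping -D' on macOS;
    # ICMP payload = size - 28 (IP + ICMP headers).
    df = ["-D"] if sys.platform == "darwin" else ["-M", "do"]
    return lambda size: subprocess.run(
        ["ping", "-c", "1", *df, "-s", str(size - 28), host],
        capture_output=True).returncode == 0

def recommend(path_mtu, margin=22):
    # --fragment/--mssfix bound the UDP payload, so drop the outer IP/UDP
    # headers; margin covers unknown extra encapsulation (22 reproduces the
    # thread's 1450 for a plain 1500-byte path).
    limit = path_mtu - IP_UDP_HDR - margin
    return {"tun-mtu": 1500, "fragment": limit, "mssfix": limit}

if __name__ == "__main__":
    ov = data_channel_overhead(16, 20, True)  # AES-256-CBC, SHA1, comp-lzo
    print(f"overhead {ov} B: a 1500-byte tun packet is {wire_size(1500, ov)} B on the wire")
    pmtu = find_path_mtu(ping_df_probe(sys.argv[1])) if len(sys.argv) > 1 else 1500
    print(recommend(pmtu))
```

Run it with a reachable host as the first argument to measure the path MTU; without one it assumes a clean 1500-byte path and reproduces the thread's values.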

Expert Comment

by:everkleer
ID: 24946499
Glad you found something that works (at least better than before)!