
OpenVPN connection OK with Win client but very slow with Mac client (Tunnelblick)

Posted on 2009-07-14
Last Modified: 2012-05-07
I have OpenVPN 2.1 installed on a Linux server (CentOS 5.3) and different users connect to it through Windows client GUI. The connection has been working great if the Windows client is used.

However, when the OpenVPN client is Tunnelblick on a Mac (OS X Leopard 1.0.5.7), the connection is problematic. It establishes just fine but the ping gets very slow once you start transferring more data. In other words, if you run the ping command in terminal, it looks OK but if you then for example open a URL, it becomes extremely slow, the ping can suddenly change from 30ms to 2000ms and then comes back to 30ms once there is no data transfer again.

Any idea why this is happening? There does not seem to be any error recorded in the server logs.

Here is the server configuration:
---------------------------------

auth-user-pass-verify "/etc/openvpn/vpnauth.php" via-file
tmp-dir /tmp
port 443
tls-server
mode server
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
crl-verify keys/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd
server 10.88.12.0 255.255.254.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.88.12.1"
cipher AES-256-CBC
user openvpn
group openvpn
status logs/openvpn-status.log
log-append logs/openvpn.log
verb 4
mute 20
max-clients 500
management 127.0.0.1 4445
keepalive 10 120
comp-lzo
persist-key
persist-tun
writepid /var/run/openvpn.pid
duplicate-cn


Here is the client configuration:
---------------------------------

remote PUBLIC_SERVER_IP
port 443
proto udp
client
tls-client
auth-user-pass
auth-retry interact
dev tun
ca keys/ca.crt
cert keys/vpnclient.crt
key keys/vpnclient.key
tls-auth keys/ta.key 1
explicit-exit-notify 1
ns-cert-type server
cipher AES-256-CBC
verb 2
mute 20
comp-lzo
persist-key
persist-tun


Again, this server+client configuration is working great as long as the client is Windows OpenVPN. I have tried TCP configuration with a few modifications (different port etc.) but the problem persisted.

Any idea where there is the problem on Macs? Tunnelblick is the newest version available and so is the server (2.1.x OpenVPN branch).

Question by:tomfra
8 Comments
 
LVL 2

Expert Comment

by:everkleer
ID: 24855215
I came across something that may or may not be the issue just yesterday when listening to the latest episode (#210) of the Mac Geek Gab podcast (http://www.macobserver.com/tmo/podcast/mgg_210_itunes_iphoto_printing_tips_fixes_ssd_drives/).  They discussed an issue where PCs would work ok on a network but Macs on the same network would slow to a crawl (similar to what you describe.)  They suggested trying to change the MTU value from 1500 to 1400 (directions here: http://support.apple.com/kb/HT2532).  MTU determines the size of the packets sent from your computer and 1500 is the default, but they even mention that certain types of networks like VPNs may require it to be smaller.
0
 

Author Comment

by:tomfra
ID: 24871254
I tried that but it didn't make any difference. I'll try changing the default mtu in the server config but that would be an imperfect solution as it could create problems for non-Mac clients I suppose.
0
 
LVL 2

Expert Comment

by:everkleer
ID: 24872127
Sorry I'm not too familiar with this, I just thought it might help since in the podcast they mentioned the problem being with Macs and not PCs.  They also mentioned that firmware updates (if available) are the best solution for this type of thing.  Is the firmware on the router up to date?
0

 

Author Comment

by:tomfra
ID: 24872195
This has nothing to do with a router, the Internet connection works just fine, the problem happens only when I connect through the OpenVPN server (running on Linux). But it seems it may indeed be MTU related, I set the mtu size to 1400 on the OpenVPN server side and so far it seems to be working.

However, I need to test it more and it could also have negative impact on non-Mac clients I suppose so I will need to test that too.
0
 
LVL 2

Accepted Solution

by:
everkleer earned 500 total points
ID: 24872321
Didn't seem like the router would be the problem, but there are often weird solutions you wouldn't think would work.  When troubleshooting problems with people I often tell them to try something that I don't think will work and a lot of times they even argue with me that it won't work, but I tell them to just try it and occasionally (although not often) it happens to work!

Sounds like you're at least on the right track with the MTU though.  Good luck!
0
 

Author Comment

by:tomfra
ID: 24872497
Well, so far I found that using "tun-mtu 1400" instead of the default value 1500 on the server side makes the connection much better, however, it's still not ideal when you transfer a lot of data - for example downloading a file over the internet. But I think I am getting there.

Actually, I thought it could have something to do with the mtu side initially, but did not find any info on the Internet, if it was a common problem I suppose Google would return a lot of results but it did not...

By the way, we are not talking about one server here. I use the same configuration on 10 different servers in several different datacenters. All have the same problem when connecting using Tunnelblick on a Mac.
0
 

Author Comment

by:tomfra
ID: 24945305
OK, accepting the solution because it was apparently indeed MTU related. I got the best results when adding these values to both the server & client configuration files:

tun-mtu 1500
fragment 1450
mssfix 1450

This is for UDP config. It's still not perfect so some more optimization may be necessary but this config seems to work OK for both Windows and Mac clients.
0
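
A way to measure the limit instead of guessing it, as an added example that is not part of the original thread: the script binary-searches the largest ping payload that reaches the VPN server with Don't Fragment set and prints it as the ceiling for `fragment` and `mssfix`. It assumes IPv4, a server that answers ICMP echo, and that both directives count the encapsulated UDP payload without the 28 bytes of IP and UDP headers, as the OpenVPN manual describes; `probe`, `largest_payload` and `suggest` are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find the largest datagram that reaches
# the VPN server unfragmented and print matching OpenVPN directive values.

# probe SIZE HOST -> exit 0 if an echo with SIZE payload bytes and the
# Don't Fragment bit set is answered. macOS and Linux ping use different flags.
probe() {
    case "$(uname -s)" in
        Darwin) ping -D -c 1 -t 2 -s "$1" "$2" >/dev/null 2>&1 ;;
        *)      ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1 ;;
    esac
}

# largest_payload HOST [PROBE_FN] -> prints the largest payload that passes.
# Upper bound 1472 = 1500-byte Ethernet MTU - 20 (IPv4 header) - 8 (ICMP header).
largest_payload() {
    lp_host=$1
    lp_fn=${2:-probe}
    lp_lo=0
    lp_hi=1472
    # No reply even to an empty echo: host down or ICMP filtered, cannot measure.
    "$lp_fn" "$lp_lo" "$lp_host" || return 1
    while [ "$lp_lo" -lt "$lp_hi" ]; do
        lp_mid=$(( (lp_lo + lp_hi + 1) / 2 ))
        if "$lp_fn" "$lp_mid" "$lp_host"; then
            lp_lo=$lp_mid            # passed: the limit is at least lp_mid
        else
            lp_hi=$(( lp_mid - 1 ))  # dropped: the limit is below lp_mid
        fi
    done
    echo "$lp_lo"
}

# suggest HOST [PROBE_FN] -> prints the measured path MTU and directive values.
# ICMP and UDP headers are both 8 bytes, so the largest ping payload equals the
# largest UDP payload (assumed interpretation of fragment/mssfix, see lead-in).
suggest() {
    sg_payload=$(largest_payload "$@") || { echo "no reply from $1" >&2; return 1; }
    echo "# measured path MTU: $(( sg_payload + 28 ))"
    echo "fragment $sg_payload"
    echo "mssfix $sg_payload"
}

# Usage: sh pmtu.sh PUBLIC_SERVER_IP   (run from the client, outside the tunnel)
if [ "$#" -ge 1 ]; then suggest "$1"; fi
```

Run it from each kind of client network with the tunnel down; a result below the 1450 used above means datagrams of that size are being fragmented or dropped on the path.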
 
LVL 2

Expert Comment

by:everkleer
ID: 24946499
Glad you found something that works (at least better than before)!
0


Question has a verified solution.
