Question from tomfra (Czechia):
OpenVPN connection OK with Win client but very slow with Mac client (Tunnelblick)

I have OpenVPN 2.1 installed on a Linux server (CentOS 5.3) and different users connect to it through the Windows GUI client. The connection has been working great when the Windows client is used.

However, when the OpenVPN client is Tunnelblick on a Mac (OS X Leopard 10.5.7), the connection is problematic. It establishes just fine, but the ping gets very slow once you start transferring more data. In other words, if you run the ping command in a terminal, it looks OK, but if you then, for example, open a URL, it becomes extremely slow: the ping can suddenly change from 30ms to 2000ms and then come back to 30ms once there is no data transfer again.

Any idea why this is happening? There does not seem to be any error recorded in the server logs.

Here is the server configuration:
---------------------------------

auth-user-pass-verify "/etc/openvpn/vpnauth.php" via-file
tmp-dir /tmp
port 443
tls-server
mode server
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
crl-verify keys/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd
server 10.88.12.0 255.255.254.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.88.12.1"
cipher AES-256-CBC
user openvpn
group openvpn
status logs/openvpn-status.log
log-append logs/openvpn.log
verb 4
mute 20
max-clients 500
management 127.0.0.1 4445
keepalive 10 120
comp-lzo
persist-key
persist-tun
writepid /var/run/openvpn.pid
duplicate-cn


Here is the client configuration:
---------------------------------

remote PUBLIC_SERVER_IP
port 443
proto udp
client
tls-client
auth-user-pass
auth-retry interact
dev tun
ca keys/ca.crt
cert keys/vpnclient.crt
key keys/vpnclient.key
tls-auth keys/ta.key 1
explicit-exit-notify 1
ns-cert-type server
cipher AES-256-CBC
verb 2
mute 20
comp-lzo
persist-key
persist-tun


Again, this server+client configuration is working great as long as the client is the Windows OpenVPN client. I have tried a TCP configuration with a few modifications (different port etc.) but the problem persisted.

Any idea where the problem is on Macs? Tunnelblick is the newest version available and so is the server (2.1.x OpenVPN branch).

everkleer:

I came across something that may or may not be the issue just yesterday when listening to the latest episode (#210) of the Mac Geek Gab podcast (http://www.macobserver.com/tmo/podcast/mgg_210_itunes_iphoto_printing_tips_fixes_ssd_drives/). They discussed an issue where PCs would work OK on a network but Macs on the same network would slow to a crawl (similar to what you describe). They suggested trying to change the MTU value from 1500 to 1400 (directions here: http://support.apple.com/kb/HT2532). MTU determines the size of the packets sent from your computer and 1500 is the default, but they even mention that certain types of networks, like VPNs, may require it to be smaller.
tomfra (asker):

I tried that but it didn't make any difference. I'll try changing the default MTU in the server config, but that would be an imperfect solution as it could create problems for non-Mac clients, I suppose.

everkleer:

Sorry, I'm not too familiar with this, I just thought it might help since in the podcast they mentioned the problem being with Macs and not PCs. They also mentioned that firmware updates (if available) are the best solution for this type of thing. Is the firmware on the router up to date?
tomfra (asker):

This has nothing to do with a router; the Internet connection works just fine, the problem happens only when I connect through the OpenVPN server (running on Linux). But it seems it may indeed be MTU related: I set the MTU size to 1400 on the OpenVPN server side and so far it seems to be working.

However, I need to test it more, and it could also have a negative impact on non-Mac clients, I suppose, so I will need to test that too.
ASKER CERTIFIED SOLUTION (everkleer)
tomfra (asker):


Well, so far I found that using "tun-mtu 1400" instead of the default value of 1500 on the server side makes the connection much better; however, it's still not ideal when you transfer a lot of data, for example downloading a file over the Internet. But I think I am getting there.

Actually, I thought it could have something to do with the MTU initially, but did not find any info on the Internet; if it was a common problem I suppose Google would return a lot of results, but it did not...

By the way, we are not talking about one server here. I use the same configuration on 10 different servers in several different datacenters. All have the same problem when connecting using Tunnelblick on a Mac.
tomfra (asker):


OK, accepting the solution because it was apparently indeed MTU related. I got the best results when adding these values to both the server and client configuration files:

tun-mtu 1500
fragment 1450
mssfix 1450

This is for the UDP config. It's still not perfect, so some more optimization may be necessary, but this config seems to work OK for both Windows and Mac clients.
everkleer:

Glad you found something that works (at least better than before)!
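The thread settles on fragment/mssfix values by trial and error. The script below is an added example, not code from the thread or from the OpenVPN project, that measures the physical path instead: run it on the client (Mac or Linux) with the tunnel down, against the server's public address, and it binary-searches for the largest ICMP payload that crosses the path with the Don't-Fragment bit set, then derives a candidate `fragment`/`mssfix` value. The header allowances (20-byte IPv4 + 8-byte ICMP for the probe, 20-byte IPv4 + 8-byte UDP for OpenVPN's outer datagram), the 1472-byte upper bound (largest payload that fits a 1500-byte Ethernet MTU) and the host `192.0.2.1` in the usage comment are assumptions for this illustration; the probe function is passed by name so the search can be exercised offline with a fake.

```shell
#!/bin/sh
# Added example (not from the original thread): discover the largest
# unfragmented ICMP payload on the path to the VPN server and derive a
# fragment/mssfix value from it. Header sizes and the 1472 upper bound are
# assumptions, stated in the lead-in.

# Send one ping of $2 payload bytes to $1 with Don't-Fragment set.
# macOS/BSD ping uses -D (and -W in milliseconds); Linux uses -M do (-W in seconds).
ping_df_probe() {
    case "$(uname -s)" in
        Darwin|*BSD) ping -c 1 -W 1000 -D -s "$2" "$1" >/dev/null 2>&1 ;;
        *)           ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1 ;;
    esac
}

# Binary search for the largest payload in [lo, hi] that the probe accepts.
# $1 is the name of a function taking (host, size); prints 0 if nothing got through.
find_max_payload() {
    fmp_probe=$1; fmp_host=$2; fmp_lo=$3; fmp_hi=$4; fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_host" "$fmp_mid"; then
            fmp_best=$fmp_mid
            fmp_lo=$(( fmp_mid + 1 ))
        else
            fmp_hi=$(( fmp_mid - 1 ))
        fi
    done
    echo "$fmp_best"
}

# ICMP payload -> path MTU (20-byte IPv4 header + 8-byte ICMP header).
path_mtu_from_payload() { echo $(( $1 + 28 )); }

# Path MTU -> value for "fragment"/"mssfix": leave room for the outer IPv4 and
# UDP headers of OpenVPN's encapsulated datagram (assumed 28 bytes).
suggest_fragment() { echo $(( $1 - 28 )); }

main() {
    payload=$(find_max_payload ping_df_probe "$1" 0 1472)
    if [ "$payload" -eq 0 ]; then
        echo "no unfragmented reply from $1; check reachability first" >&2
        return 1
    fi
    mtu=$(path_mtu_from_payload "$payload")
    frag=$(suggest_fragment "$mtu")
    echo "largest DF payload to $1: $payload bytes -> path MTU $mtu"
    echo "suggested UDP settings for both server and client:"
    echo "  fragment $frag"
    echo "  mssfix $frag"
}

# Usage (hypothetical host): sh vpn-mtu-probe.sh 192.0.2.1
if [ $# -gt 0 ]; then
    main "$@"
fi
```

On a clean 1500-byte path this yields 1472, so the thread's 1450 is a more conservative choice with the same intent; a path that only passes 1372-byte payloads (MTU 1400, the figure the asker first tried) yields 1372. Both `fragment` and `mssfix` apply only to `proto udp`, which is why the accepted values are described as the UDP config, and `tun-mtu` is part of OpenVPN's options-consistency check, so it belongs in both the server and client files rather than on the server alone.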