schnibitz

Openvpn speed/throughput optimization

Hi there, I have Openvpn installed, and want to get the best possible performance with it, and still have SOME encryption.  Hardware aside, what are some settings and parameters that can optimize throughput (file transfer speed) and latency?
willbaclimon

Here are some OpenVPN tweaks..

http://internetforce.org/iforce/index.php?/topic/28-openvpn-tweaks/#entry29

Have you set it up yet?
schnibitz

ASKER

I have tried those options.  Well sorta. . . .

I tried putting them in the .ovpn file with the appropriate syntax.  That didn't work correctly.  I'm not sure where to put that config.  It says

"For a RouterOS client, the syntax is:

/interface ovpn-client set <interface-name> auth=sha1 cipher=none"

But where is that syntax put?  It doesn't work if I put that in the .ovpn file.  I've tried to find various parameters that basically do the same thing, and put them in the config file and I keep getting errors.
---------------------------------------------------------------

Unless there's a way to make that not such a hassle, I'd rather not mess with those options.  I can't use them anyway in a production environment.  I know they help establish a baseline, but I can't seem to get any of that to work without errors and problems.  Just trying to find a good list of common settings that boost throughput.  I've tried changing the MTU, and that didn't help.  Made things worse actually.  I've tried changing the algo to blowfish, but I got errors when that happened.  There doesn't seem to be a step-by-step out there that describes how to tweak for performance.
I apologize for the above message.  Those options work, just not for me at the time.  Turns out that there were some funny options in my init file that were interfering with adding that into my .conf file, and ovpn file.  Once I cleared up the init file, everything worked for --cipher none.  It helped my upload speed SLIGHTLY, but the download speed remained the same.  I did not turn off AUTH BTW.
Unless you have any other suggestions, I'm going to retry tweaking some of the other settings too.  Thank you for your help.
Yes, however I'm going to re-try all of that in light of the init-file problem I solved above.  Hopefully I'll have some better results.  There is a chance too, that there is some limit on the hosted machine I am running this server on.  It's linux, and I only have access to the command line, so I'm not sure how to test that.  I'll report back anyway soon.  Thank you.
Okay, it's not a problem with my host server.  I just downloaded a 10mb file in less than half a second from the server.

My home machine connected to the server (openvpn) downloaded it in like 10 seconds at 800+K/sec in Firefox.  So obviously the server has plenty of bandwidth.  Wget reported 36.4 MB/s which is way higher than what is available at even my home connection.

I'll check the other settings soon.
Looks like:

https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

Didn't help either.  The MTU settings won't work very well to adjust for me because my openvpn adapter only goes up to max 1500, regardless of what's set in the ovpn file (I don't like messing with command-line parameters, so I put it in the ovpn file).  In fact that setting seems to have little to no effect.

There must be something I'm missing.  How can there be such a disparity between the server's download speed and the openvpn throughput even when unencrypted?  I installed the openvpn binaries with yum.  That can't make THAT much of a difference as opposed to compiling right?
Can you upload a visio or network layout from lan to lan?
Sure.  I'll post that here once complete.

Thank you
-S
Here's something I noticed:

eth0      Link encap:Ethernet  HWaddr 00:16:3E:6F:76:67
          inet addr:<ip address>  Bcast:<broadcast>  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe6f:7667/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3654782 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2495699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2109824036 (1.9 GiB)  TX bytes:1756609492 (1.6 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3681 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4814 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2412266 (2.3 MiB)  TX bytes:5277893 (5.0 MiB)

Notice that the "tun0" interface used in openvpn only shows 5.0 MiB and the physical interface is 1.5GiB.

I know that only shows usage, but it got me wondering if the tun interface is set to a speed that is too low?  Still working on the diagram.

-S
ASKER CERTIFIED SOLUTION
schnibitz

Thing is that their support actually confirmed the limitation.  Unless I can find a way around it, I'll have to change hosting.
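
Added example (not from the thread or from the OpenVPN project): `cipher none` was used above only as a throughput baseline that cannot stay in production, so this check scans a config for it, for `auth none`, for Blowfish (`BF-CBC`), and for RouterOS console commands pasted into an `.ovpn` file. The function name, finding labels and sample config are constructed for illustration.

```python
import shlex

# Cipher names this example flags; the labels are the example's own.
BAD_CIPHERS = {"none": "no-encryption", "bf-cbc": "weak-cipher"}
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "ncp-ciphers"}


def lint_ovpn(text):
    """Return (line_number, label, directive) for each risky or misplaced line."""
    findings = []
    in_inline = False  # inside an inline <ca>...</ca> style block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("/interface"):
            # RouterOS console command: belongs on the router, not in a config file
            findings.append((lineno, "routeros-command", line.split()[0]))
            continue
        if line.startswith("<"):
            in_inline = not line.startswith("</")
            continue
        if in_inline or not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        name = parts[0].lstrip("-").lower()  # tolerate a leading "--"
        args = [a.lower() for a in parts[1:]]
        if name in CIPHER_DIRECTIVES and args:
            for cipher in args[0].split(":"):  # cipher lists are colon-separated
                if cipher in BAD_CIPHERS:
                    findings.append((lineno, BAD_CIPHERS[cipher], name))
        elif name == "auth" and args[:1] == ["none"]:
            findings.append((lineno, "no-packet-auth", name))
    return findings


# Constructed sample config, not taken from the thread.
SAMPLE = """\
# benchmark settings left in place
dev tun
cipher none
auth SHA1
/interface ovpn-client set <interface-name> auth=sha1 cipher=none
data-ciphers AES-256-GCM:BF-CBC
<ca>
(constructed placeholder, certificate body omitted)
</ca>
"""

if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE):
        print(finding)
```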