Why OpenVPN is so slow? (cool story)

From time to time, I see people asking for help on forums who have connected 2 remote sites via OpenVPN and get an awful speed compared to the link speed, like 400 Kbit/s with a 2 Mbit/s link or 20 Mbit/s with a 100 Mbit/s link. Some recommend that they increase the MTU on the tunnel interface up to 48000, some say they should tune the mssfix parameter, but none of this really helps. Sometimes people say that OpenVPN is so slow because it's userspace and this is its usual speed. That's nonsense!

A little bit of history

It's July, 2004. The usual home internet speed in developed countries is 256-1024 Kbit/s; in less developed countries it is 56 Kbit/s. Linux 2.6.7 was released not long ago, and 2.6.8, where TCP Window Size Scaling would be enabled by default, will be released only in a month. OpenVPN has been in active development for 3 years already, and version 2.0 is almost released.
One of the developers decides to add some code for the socket buffer, I think to unify buffer sizes between OSes. In Windows, something goes wrong with adapters' MTU if custom buffer sizes are set, so finally it turned into the following code:

#ifndef WIN32
    o->rcvbuf = 65536;
    o->sndbuf = 65536;
#endif

A little bit of technical info

If you have used OpenVPN, you should know that it can work over TCP and UDP. If you set a custom TCP socket buffer value as low as 64 KB, the TCP Window Size Scaling algorithm can't adjust the Window Size to more than 64 KB. What does that mean? That means that if you're connecting to another VPN site over a long fat link, e.g. USA to Russia with a ping of about 100 ms, you can't get a speed of more than 5.12 Mbit/s with the default OpenVPN buffer settings. You need at least a 640 KB buffer to get 50 Mbit/s over that link.
UDP would work faster because it doesn't have a window size, but it also won't work very fast.

What should I do?

As you may already guess, the latest OpenVPN release still uses a 64 KB socket buffer size. How should we fix this issue? The best way is to prevent OpenVPN from setting custom buffer sizes. You should add the following lines to both the server and client config files:

sndbuf 0
rcvbuf 0

After this, socket buffers will be handled by the OS. For Linux and TCP, these are the values from net.ipv4.tcp_rmem and net.ipv4.tcp_wmem, and for UDP it is a fixed value from net.core.rmem_default and net.core.wmem_default, divided by two.
If you can't change the client config, you should push bigger buffer sizes from the server:

sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"

UDP is different from TCP. It doesn't have Window Scale but it doesn't need it OS-wide, but low buffer sizes may slow it down, too. If you think OpenVPN is still slow after changing the buffer values to 0, you should either increase the OS-wide buffer sizes (net.core.rmem_default and net.core.wmem_default) or increase the buffers in the server config:

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

But I use Windows!

If you use Windows on both server and client, you should not suffer from this bug.
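
Added example (not part of the original post and not OpenVPN code): the buffer/latency arithmetic above as a small Python check that reads sndbuf/rcvbuf from a config and reports whether each one caps a TCP tunnel below a target rate. It assumes a missing directive means the 65536-byte default quoted in the post, uses decimal megabits, and runs on constructed sample configs.

```python
import math
import re

LEGACY_DEFAULT = 65536  # bytes; assumed when the directive is absent (default quoted in the post)
DIRECTIVE = re.compile(r'^(push\s+")?(sndbuf|rcvbuf)\s+(\d+)"?$')

def ceiling_mbit(buf_bytes, rtt_ms):
    """Upper bound for one TCP stream: one full buffer (window) per round trip."""
    return buf_bytes * 8 / (rtt_ms / 1000) / 1e6

def required_buffer(target_mbit, rtt_ms):
    """Bandwidth-delay product in bytes for the target rate and RTT."""
    return math.ceil(target_mbit * 1e6 / 8 * rtt_ms / 1000)

def parse_buffers(config_text):
    """Map ('local'|'pushed', 'sndbuf'|'rcvbuf') -> configured size in bytes."""
    found = {}
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        m = DIRECTIVE.match(line)
        if m:
            scope = "pushed" if m.group(1) else "local"
            found[(scope, m.group(2))] = int(m.group(3))
    return found

def audit(config_text, rtt_ms, target_mbit):
    """Verdict per buffer: local ones always, pushed ones only when present."""
    found = parse_buffers(config_text)
    report = {}
    for scope in ("local", "pushed"):
        for name in ("sndbuf", "rcvbuf"):
            if scope == "pushed" and (scope, name) not in found:
                continue
            size = found.get((scope, name), LEGACY_DEFAULT)
            if size == 0:
                verdict = "os-managed"
            elif ceiling_mbit(size, rtt_ms) < target_mbit:
                verdict = f"too small: need >= {required_buffer(target_mbit, rtt_ms)} bytes"
            else:
                verdict = "ok"
            report[f"{scope} {name}"] = verdict
    return report

# Constructed sample configs (not from a real deployment).
UNTUNED = "proto tcp\ndev tun\n"
TUNED = 'proto tcp\nsndbuf 0  # let the OS decide\nrcvbuf 0\npush "sndbuf 393216"\npush "rcvbuf 393216"\n'

if __name__ == "__main__":
    print(audit(UNTUNED, rtt_ms=100, target_mbit=25))
    print(audit(TUNED, rtt_ms=100, target_mbit=25))
```

The verdict applies to a single TCP stream inside a TCP tunnel; with "os-managed" the real limit comes from the sysctl values named above.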

Comments

  • Excuse me for my English.

    Thanked by 1tridinebandim
  • TarZZ92TarZZ92 Member
    edited January 2015

    never had a speed problem with openvpn and tcp usually maxes out about 70Mbps where UDP can go in hundreds.

    • Fixed typo

    I AM BACK :) Working Windows Server 2012 R2 on 6GB! Beat that!

  • @TarZZ92 said: never had a speed problem with openvpn and tcp usually maxes out about 70Mbps where UDP can go in hundreds.

    I suppose you're talking about low latency wired links. Everything is different with high latency wireless links.

  • ValdikSS said: I suppose you're talking about low latency wired links. Everything is different with high latency wireless links.

    are we talking FWA ? or 3G?

    i can easily get 28-30Mbps here on 3G too. even still i dont see that being a huge problem unless there is some rate limiting on the wireless link.

    I AM BACK :) Working Windows Server 2012 R2 on 6GB! Beat that!

  • TarZZ92 said: are we talking FWA ? or 3G?

    i can easily get 28-30Mbps here on 3G too. even still i dont see that being a huge problem unless there is some rate limiting on the wireless link.

    That's interesting. What server and client OS do you have? I've got only 20 Mbit/s over Wifi with 80 Mbit/s link, and ~75 Mbit/s after applying my settings.

  • Hm, yesterday there was a post here about how OpenVPN is fast and why pptpd is so slow :) And yes, they were talking about MTU.

    KVM VDS SSD from 4.99$ https://en.friendhosting.net/vps.php

    Thanked by 1jemaltz
  • Thank you for writing this @ValdikSS!

  • Interesting.

    I just tested the config change on my OpenVPN box. Before the change I was getting 7 down and 1 up.

    After adding the config changes to the server and client I'm getting 20 down and 1 up.

    My normal connection is 60 down, 3 up, so that's a bit of a speed increase.

    The OpenVPN server is running off Debian Wheezy and the client is a Windows 7 desktop.

  • ValdikSSValdikSS Member
    edited January 2015

    @cnbeining thanks! Article in Russian.

    @CharlesA did you set buffer values to 0 or to some big value? If you use UDP, try to increase values even higher if you have high latency link.

  • CharlesA did you set buffer values to 0 or to some big value? If you use UDP, try to increase values even higher if you have high latency link.

    I set them to 0. I was using tcp instead of udp, though.

  • Thanks, I have already read your article at Habr.

  • rm_rm_ Member
    edited January 2015

    Why still use OpenVPN, when we now have Tinc? As mentioned in the article, OpenVPN is really something from 2004 indeed. Aside from all of its other improvements compared to OpenVPN (such as automatic full mesh routing), see http://www.tinc-vpn.org/ for that; but I am easily getting 50 Mbit/sec (maxing out my broadband connection) with Tinc and w/o any kind of tweaking of buffers, etc. And on the other side is a simple Via Nano CPU, working just at 30% CPU load.

  • rm_ said: Why still use OpenVPN, when we now have Tinc? As mentioned in the article, OpenVPN is really something from 2004 indeed. Aside from all of its other improvements compared to OpenVPN (such as automatic full mesh routing), see http://www.tinc-vpn.org/ for that; but I am easily getting 50 Mbit/sec (maxing out my broadband connection) with Tinc and w/o any kind of tweaking of buffers, etc. And on the other side is a simple Via Nano CPU, working just at 30% CPU load.

    In my wikipedia, Tinc is from 1998 and OpenVPN from 2001. Maybe because tinc isnt as widely supported as OpenVPN? All I had to do was run an install script and open the .ovpn file on all my devices. No clue how to use tinc.

    (((o(゚▽゚)o))) If privacy is outlawed, only outlaws will have privacy. (((o(゚▽゚)o)))

    ヽ(`Д´)ノ Everyone should run Tor on their idle servers.

  • i never heard about this Tinc before :D

  • @4n0nx said:

    Same here. Tinc sounds familiar, but I can't really place it. I've used the auto installer for openvpn and it's dead simple for me. I might look into using Tinc later, but for now, OpenVPN suits my needs.

  • I'm using openvpn never had a slow in speed, also the LZO compression make it speed

  • Finally - My openVPN is so damn fast for both upload and downloads :) , thanks a bunch. Earlier my speed was throttled at 20 mbps and upload to 4 mbps. now i can max out my internet line

  • Why is your VPN too slow? Maybe there is high latency from your connection to the VPN server.

  • PcNyPcNy Member
    edited March 2015

    Nice info

    Thanked by 1wcgodz
  • fitvpnfitvpn Member

    Why slow? Same speed as other does

    Yes, I can boogie

  • @fitvpn said: Why slow? Same speed as other does

    Yes, with applied configuration settings.

  • This fix really does help. I now use this fix with a VPN provider I use and I can finally max my line. Thanks @ValdikSS

    This signature is brought to you by the NSA. Spying on the entire world since 1952!

  • @TheHackBox tell your provider to apply the fix, that's better than fixing it only on the client side. When I first did this fix on my VPN (I own a small VPN service for Russian-speakers), everybody said I have the fastest VPN service they ever used.

  • fitvpnfitvpn Member

    ValdikSS said: Everybody said I have the fastest VPN service they ever used.

    Which location? Speed test?

    Yes, I can boogie

  • @fitvpn generally US since ping from Russia to US is about 150 ms. The higher the latency, the slower OpenVPN works with default settings. For example, you can get 3-5 Mbit/s with default settings and 40 Mbit/s with increased buffer size.

    I hope this would be fixed by default in 2.3.7.

    Thanked by 1TheHackBox
  • @ValdikSS said: TheHackBox tell your provider to apply the fix, that's better than fixing it only on the client side. When I first did this fix on my VPN (I own a small VPN service for Russian-speakers), everybody said I have the fastest VPN service they ever used.

    My provider has too many servers to probably want to.

    This signature is brought to you by the NSA. Spying on the entire world since 1952!

  • TACServersTACServers Member, Provider

    @TheHackBox - Your provider with too many servers should be using puppet or chef or similar, so system wide config changes should be trivial.

    Thanked by 1TheHackBox
  • I installed OpenVPN Access Server. According to their documentation, the default value for the buffer is 100000. Should I change it to a larger value, like 393216?

  • @siprof

    leave it as default, it works more than fine without serious changes.

    I AM BACK :) Working Windows Server 2012 R2 on 6GB! Beat that!

  • Hi, it's a really very useful discussion. And your fix really helped me. With OpenVPN I used to have down: 5 Mbit/s, up: 5 Mbit/s (my original connection is 20 Mbit/s up and down). But after the fix both up and down are fixed, but:
    - For download: I get nearly the original connection speed (17-18-19 Mbit/s)
    - But for upload: I always have a difference of 3-5 Mbit/s in each test I did.

    Do you have an idea about this? And thanks (knowing that I work with the TCP protocol, a tun interface, and the server is on a Linux machine but the clients are Windows 8 machines).

  • So, today in IRC I've been told that in the next release they'll be implementing sndbuf 0 and rcvbuf 0 values as default.

    I love necromancy btw.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted

    Thanked by 1netomx
  • @Nomad said: So, today in IRC I've been told that in the next release they'll be implementing sndbuf 0 and rcvbuf 0 values as default.

    I love necromancy btw.

    That's true, it would be included in 2.3.9 with other cool speed fixes.

  • would be faster if it supported more than 1 thread / 1+ cpu cores. Waiting on openvpn 3, seems like they've been working on this for some time, years?

    Nexus 6 - Great Phone!

  • ZEROFZEROF Member
    edited December 2015

    Great tip @ValdikSS, got almost full home internet speed. And i have dns cache server with dnsmasq (set on BeagleBone), now all goes very fast on my side.

    Pentesting with open source, BackBox Linux

  • @ZEROF great! We'll release 2.3.9 this Monday with this fix enabled by default.

  • ZEROFZEROF Member
    edited December 2015

    DNS cache (dnsmasq) + OpenVPN gives me a dig query time of 7 msec and ping of 20,9 ms (over wifi connection, not cable). That is fine for me :). I don't know when Debian will push the new version to their repository (now 2.3.4), I will stick with these settings for now.

    Pentesting with open source, BackBox Linux
