OpenVPN forwards packets very slowly
I rebooted my server, and an odd issue just came up. I am running
Arch Linux; the clients are Ubuntu, Android and Mac.
The problem is that accessing the internet via the clients is slow, about
2ko/s, and it slowly stops. But downloading something from the server to the
client directly is done at full speed. And, obviously, internet from the
server is at its full speed (40mo/s).
I don't know what happened since the reboot, but this issue is here on all
clients, and is only related to the traffic that openvpn forwards to the
internet.
EDIT: Tried with tcp, did not solve it.
EDIT: mtu-test gives me 1538, which is close to the value used by default.
Here are all my confs:
╭─<root@Alduin>-</etc/openvpn>-<1:45:07>-◇
╰─➤ cat Alduin.conf ccd/Thunderaan
local 212.83.129.104
port 1194
proto udp
dev tun
;tun-ipv6
;ifconfig-ipv6 2001:bc8:300a:dead::1337:1/64 2001:bc8:300a:dead::1337:0
;ifconfig-ipv6-pool 2001:bc8:300a:dead::1337:42/64
ca keys/ca.crt
cert keys/Alduin.crt
key keys/Alduin.key # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 10.8.0.1"
;push tun-ipv6
client-to-client
keepalive 5 60
ping-timer-rem
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-config-dir ccd
topology subnet
ccd from here +++++++++++++++
ifconfig-push 10.8.0.2 255.255.255.0
;ifconfig-ipv6-push 2001:bc8:300a:dead::1337:2/64 2001:bc8:300a:dead::1337:0
push "redirect-gateway def1"
Client conf:
client
dev tun
proto udp
remote 212.83.129.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert name.crt
key name.key
ns-cert-type server
comp-lzo
verb 3
And some output that might help you:
╭─<cubox@Alduin>-<~>-<1:49:43>-◇
╰─➤ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether b8:ac:6f:94:e2:4e brd ff:ff:ff:ff:ff:ff
inet 88.190.15.135/24 scope global eno1
valid_lft forever preferred_lft forever
inet 212.83.129.104/32 scope global eno1
valid_lft forever preferred_lft forever
inet6 2001:bc8:300a:dead::b12d/64 scope global
valid_lft forever preferred_lft forever
inet6 2a01:e0b:1000:15:baac:6fff:fe94:e24e/64 scope global dynamic
valid_lft 2592000sec preferred_lft 604800sec
inet6 fe80::baac:6fff:fe94:e24e/64 scope link
valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether b8:ac:6f:94:e2:4f brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
╭─<cubox@Alduin>-<~>-<1:49:47>-◇
╰─➤ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 88-190-15-1.rev 0.0.0.0 UG 0 0 0 eno1
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
88.190.15.0 * 255.255.255.0 U 0 0 0 eno1
╭─<cubox@Alduin>-<~>-<1:49:51>-◇
╰─➤ route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: U 256 0 0 lo
2001:bc8:300a:dead::/64 :: U 256 0 0 eno1
2a01:e0b:1000:15::/64 :: UAe 256 0 0 eno1
fe80::/64 :: U 256 0 0 eno1
::/0 fe80::225:45ff:fef6:947f UGDAe 1024 2 0 eno1
::/0 :: !n -1 1 1891 lo
::1/128 :: Un 0 2 5227 lo
2001:bc8:300a:dead::/128 :: Un 0 1 0 lo
2001:bc8:300a:dead::b12d/128 :: Un 0 1 131 lo
2a01:e0b:1000:15::/128 :: Un 0 1 0 lo
2a01:e0b:1000:15:baac:6fff:fe94:e24e/128 :: Un 0 3 29356 lo
fe80::/128 :: Un 0 1 0 lo
fe80::baac:6fff:fe94:e24e/128 :: Un 0 1 311 lo
ff00::/8 :: U 256 0 0 eno1
::/0 :: !n -1 1 1891 lo
-A POSTROUTING -s 10.8.0.0/24 -o eno1 -j SNAT --to-source 88.190.15.135 # The iptables rule
The iptables rule here is the only one that is active on the server.
╰─➤ tc qd
qdisc mq 0: dev eno1 root
qdisc pfifo_fast 0: dev tun0 root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
EDIT: Here is a tcpdump of the server downloading a file directly:
http://sprunge.us/aaJX
Here is the client downloading this resource:
http://sprunge.us/WUCC
And here is a normal client from another (working) openvpn server:
http://www4.slashusr.com/57552.tcpdump
Thanks! A beer for the one who helps me fix this!