New OpenVPN server install connects ok but very s l o w w w

Hi all. I have an 'almost working' OpenVPN installation but I have run out of expertise so I'm hoping someone can spot the problem.

I'm running LEDE Reboot 17.01.5 r3919 on a BT Home Hub 5A router with an internet connection speed of around 25Mbps down, 5Mbps up.
I installed OpenVPN using luci-app-openvpn and configured it using the guide from loganmarchione.com/2015/08/openwrt-with-openvpn-server-on-tp-link-archer-c7.

No obvious errors (to me anyway) and I'm testing from outside my network using the OpenVPN client on an Android 7 phone.

The client connects to the server, and I can ping the router, and a host on my network, and hosts on the internet. All good - but - when I try to open a web site or stream any media, the data transfer rate is almost zero. The one time I got a result from speedtest.net it was about 0.05Mbps. The 'realtime traffic' screen shows short bursts of data on the tun0 interface but mainly zilch. The 'realtime load' shows a max of 0.8 and average below 0.4.

rtg

I have just checked the Android client by temporarily connecting to a public OpenVPN server (in Japan yet) and I get steady transfer speeds around 2Mbps, which would be enough for my needs.

I've read the online documentation and googled around without finding anything that seems to describe this problem, so I'm hoping that someone may recognise what is happening.

I include my config files and logs below.

/tmp/etc/openvpn-myvpn.conf

client-to-client
persist-key
persist-tun
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/svrcert.crt
comp-lzo yes
dev tun
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/svrcert.key
log /tmp/openvpn.log
mode server
mute 5
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route-gateway dhcp"
push "redirect-gateway def1"
push "route 10.10.1.0 255.255.255.0"
push "dhcp-option DNS 1.1.1.1"
route-gateway dhcp
server 10.8.0.0 255.255.255.0
status /var/log/openvpn_status.log
topology subnet
verb 3

Client .ovpn

dev tun
proto udp
client
remote-cert-tls server
remote xxx.xxx.xxx.xxx 1194
<ca>
-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----

</key>

/tmp/log/openvpn_status.log

OpenVPN CLIENT LIST
Updated,Mon Oct 29 16:32:08 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

/tmp/openvpn.log

Mon Oct 29 11:06:16 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Oct 29 11:06:16 2018 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Mon Oct 29 11:06:16 2018 Diffie-Hellman initialized with 2048 bit key
Mon Oct 29 11:06:16 2018 TUN/TAP device tun0 opened
Mon Oct 29 11:06:16 2018 TUN/TAP TX queue length set to 100
Mon Oct 29 11:06:16 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Oct 29 11:06:16 2018 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Oct 29 11:06:16 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Oct 29 11:06:16 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Oct 29 11:06:16 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Oct 29 11:06:16 2018 UDPv4 link remote: [AF_UNSPEC]
Mon Oct 29 11:06:16 2018 MULTI: multi_init called, r=256 v=256
Mon Oct 29 11:06:16 2018 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mon Oct 29 11:06:16 2018 Initialization Sequence Completed
Mon Oct 29 11:22:38 2018 213.205.192.130:40437 TLS: Initial packet from [AF_INET]213.205.192.130:40437, sid=5710771a d56c111b
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 VERIFY OK: 
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 VERIFY OK: 
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_GUI_VER=OC30Android
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_VER=3.2
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_PLAT=android
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_NCP=2
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_TCPNL=1
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_PROTO=2
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_IPv6=0
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_AUTO_SESS=1
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_BS64DL=1
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 [clicert] Peer Connection Initiated with [AF_INET]213.205.192.130:40437
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 MULTI: Learn: 10.8.0.2 -> clicert/213.205.192.130:40437
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 MULTI: primary virtual IP for clicert/213.205.192.130:40437: 10.8.0.2
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 PUSH: Received control message: 'PUSH_REQUEST'
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 SENT CONTROL [clicert]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,
route-gateway dhcp,redirect-gateway def1,route 10.10.1.0 255.255.255.0,dhcp-option DNS 1.1.1.1,route-gateway 10.8.0.1,topology subnet,ping 10,
ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:28:17 2018 clicert/213.205.192.130:40437 SIGTERM[soft,remote-exit] received, client-instance exiting

Mon Oct 29 11:28:28 2018 213.205.192.130:34051 TLS: Initial packet from [AF_INET]213.205.192.130:34051, sid=b75e25d5 87c9ea50
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 VERIFY OK: 
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 VERIFY OK: 
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_GUI_VER=OC30Android
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_VER=3.2
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_PLAT=android
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_NCP=2
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_TCPNL=1
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_PROTO=2
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_IPv6=0
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_AUTO_SESS=1
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_BS64DL=1
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 [clicert] Peer Connection Initiated with [AF_INET]213.205.192.130:34051
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 MULTI: Learn: 10.8.0.2 -> clicert/213.205.192.130:34051
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 MULTI: primary virtual IP for clicert/213.205.192.130:34051: 10.8.0.2
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 PUSH: Received control message: 'PUSH_REQUEST'
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 SENT CONTROL [clicert]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,
route-gateway dhcp,redirect-gateway def1,route 10.10.1.0 255.255.255.0,dhcp-option DNS 1.1.1.1,route-gateway 10.8.0.1,topology subnet,ping 10,
ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:56:33 2018 clicert/213.205.192.130:34051 SIGTERM[soft,remote-exit] received, client-instance exiting

Client log

13:03:51.503 -- EVENT: RECONNECTING
13:03:51.509 -- EVENT: RESOLVE
13:03:51.516 -- Contacting xxx.xxx.xxx.xxx:1194 via UDP
13:03:51.517 -- EVENT: WAIT
13:03:51.522 -- Connecting to [nnn.nnn.nnn]:1194 (xxx.xxx.xxx.xxx) via UDPv4
13:03:51.595 -- EVENT: CONNECTING
13:03:51.599 -- Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
13:03:51.602 -- Creds: UsernameEmpty/PasswordEmpty
13:03:51.603 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1
IV_BS64DL=1
13:03:51.876 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : B6:16:96:0B:44:E0:76:12 issuer name  .......    
subject name      : C=GB, ST=GB, ..........
issued  on        : 2018-10-23 15:09:24
expires on        : 2028-10-20 15:09:24
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
13:03:51.878 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 01
issuer name       : C=GB, ST=GB,...............
subject name      : C=US, ST=CA, ...............
13:03:52.159 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
13:03:52.163 -- Session is ACTIVE
13:03:52.167 -- EVENT: GET_CONFIG
13:03:52.175 -- Sending PUSH_REQUEST to server...
13:03:52.225 -- OPTIONS:
0 [comp-lzo] [yes]
1 [persist-key]
2 [persist-tun]
3 [topology] [subnet]
4 [route-gateway] [dhcp]
5 [redirect-gateway] [def1]
6 [route] [10.10.1.0] [255.255.255.0]
7 [dhcp-option] [DNS] [1.1.1.1]
8 [route-gateway] [10.8.0.1]
9 [topology] [subnet]
10 [ping] [10]
11 [ping-restart] [120]
12 [ifconfig] [10.8.0.2] [255.255.255.0]
13 [peer-id] [0]
14 [cipher] [AES-256-GCM]
15 [block-ipv6] 
13:03:52.227 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0
13:03:52.228 -- EVENT: ASSIGN_IP
13:03:52.266 -- Connected via tun
13:03:52.269 -- LZO-ASYM init swap=0 asym=0
13:03:52.271 -- EVENT: CONNECTED info='@nnn.nnn.nnn:1194 (xxx.xxx.xxx.xxx) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]' trans=TO_CONNECTED

  1. Make sure there's no packet loss on client and server WAN-interfaces.
  2. Try to change cipher: OpenVPN poor / lack of outgoing traffic on client
  3. Try to change port and protocol to 443/TCP.
  4. Try to change compression algorithm or remove compression.
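The server log quoted above carries two warnings that are worth reading together: the one-byte 'link-mtu' gap (1542 vs 1541) and the 'comp-lzo' mismatch. The script below is an added example, not code from the thread or from OpenVPN; it runs the kind of checks a practitioner would do before touching ciphers: it parses a subset of the posted server config and the posted log lines (embedded here as constructed sample input, taken verbatim from the post) and reports what they say. The findings it prints are standard OpenVPN behaviour: a compression option adds a one-byte framing header to the link MTU, so a 1-byte mismatch means the peers disagree on compression rather than on tun-mtu (the client only enables LZO after receiving the pushed option, which is why the warning appears); the data channel is the NCP-negotiated AES-256-GCM, not the BF-CBC the client lists before the handshake; the config has no tls-auth/tls-crypt, so the UDP listener accepts TLS handshakes from anyone; and client-to-client switches inter-client traffic inside openvpn, bypassing the router firewall. None of these explains the throughput by itself, which the thread never resolves, but the compression finding is the one the advice above (item 4) acts on.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the server config and the server log
# lines quoted in the post above (the peer address is the one in the post).
SERVER_CONF = """\
client-to-client
comp-lzo yes
dev tun
mode server
port 1194
proto udp
push "comp-lzo yes"
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
server 10.8.0.0 255.255.255.0
tls-server
topology subnet
"""

SERVER_LOG = [
    "Mon Oct 29 11:22:39 2018 213.205.192.130:40437 WARNING: 'link-mtu' is used "
    "inconsistently, local='link-mtu 1542', remote='link-mtu 1541'",
    "Mon Oct 29 11:22:39 2018 213.205.192.130:40437 WARNING: 'comp-lzo' is present "
    "in local config but missing in remote config, local='comp-lzo'",
    "Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Data Channel: "
    "using negotiated cipher 'AES-256-GCM'",
]

MTU_RE = re.compile(r"local='link-mtu (\d+)', remote='link-mtu (\d+)'")
COMP_RE = re.compile(r"WARNING: '(comp-lzo|compress)' is present in (local|remote) config")
CIPHER_RE = re.compile(r"using negotiated cipher '([^']+)'")


def parse_conf(text):
    """Map option name -> list of argument lists. A pushed option such as
    push "comp-lzo yes" is stored under 'push' as ['comp-lzo', 'yes']."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        opts[name].append(rest.strip().strip('"').split())
    return opts


def audit_conf(opts):
    """Static checks on the server config; each finding is a short string."""
    findings = []
    pushed = {args[0] for args in opts.get("push", []) if args}
    if "comp-lzo" in opts or "compress" in opts or "comp-lzo" in pushed:
        findings.append("compression enabled (comp-lzo): data-channel compression "
                        "leaks plaintext length and is what the peer-mismatch warning is about")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("no tls-auth/tls-crypt: any host on the internet can start a TLS "
                        "handshake with the UDP listener")
    if "client-to-client" in opts:
        findings.append("client-to-client: traffic between VPN clients is switched inside "
                        "openvpn and never crosses the router firewall")
    return findings


def analyze_log(lines):
    """Pull the MTU, compression and cipher facts out of the handshake log."""
    r = {"link_mtu_local": None, "link_mtu_remote": None,
         "comp_mismatch": None, "data_cipher": None, "notes": []}
    for line in lines:
        m = MTU_RE.search(line)
        if m:
            r["link_mtu_local"], r["link_mtu_remote"] = int(m.group(1)), int(m.group(2))
        m = COMP_RE.search(line)
        if m:
            r["comp_mismatch"] = (m.group(1), m.group(2))  # (option, side that has it)
        m = CIPHER_RE.search(line)
        if m:
            r["data_cipher"] = m.group(1)
    if r["comp_mismatch"] and r["link_mtu_local"] is not None:
        delta = abs(r["link_mtu_local"] - r["link_mtu_remote"])
        if delta == 1:
            r["notes"].append("link-mtu differs by exactly the 1-byte compression framing "
                              "header: the two sides disagree on compression, not on tun-mtu")
    if r["data_cipher"] and r["data_cipher"].endswith("-GCM"):
        r["notes"].append(f"data channel negotiated {r['data_cipher']} (AEAD); the BF-CBC "
                          "the client prints before the handshake is not what is in use")
    return r


if __name__ == "__main__":
    for f in audit_conf(parse_conf(SERVER_CONF)):
        print("config:", f)
    for n in analyze_log(SERVER_LOG)["notes"]:
        print("log:   ", n)
```

Run it against the full /tmp/openvpn.log and /tmp/etc/openvpn-myvpn.conf instead of the embedded samples to get the same report for a live server; the regexes match the 2.4 log wording shown in the post.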

vgaetera - Thanks for this. I have tried 443/tcp with no effect - and my ISP (Plusnet) say that they do not block any ports or do any traffic shaping. I'll try the others tomorrow and report back.

The HH5A isn't powerful enough to really run openvpn at any decent speed. You'd be much better off looking at using Wireguard instead.


Update. I have tried changing the cipher (to aes-128) and compression (to none) and either resulted in no change or in my breaking my 'working' vpn! As I was getting frazzled by this point I decided to uninstall openvpn and try the Wireguard software (thanks krazeh) and... it works.
The documentation (such as it is) assumes you are running both ends on unix machines but I found a blog describing the configuration of the android client and it took about an hour to get it installed and running on the HH5A and android client. The speed is about 2-3Mbps which is ok for my needs.
The most painful part of the configuration was copying the public keys between the two machines.
The wireguard software is certainly a work in progress (as the maker says) but it is certainly worth investigating.

The documentation is certainly a WIP, but the code itself is actually quite polished. Why was copying keys so painful? It's just a simple file transfer, or copy and paste at worst.

It wasn't a showstopping problem, but the documentation seems to assume that you can access the console of each machine so with a bit of cut-and-paste you are done. No such luck. I could access the router via ssh to copy the router public key and paste the phone public key, but to get the key from the phone I had to copy the generated key from the wireguard app, paste it into a notepad file and then email myself the file. I did the reverse to get the router key onto the phone. At the time I just didn't see an elegant way of doing it.

Okay, but I imagine that getting keys to and from devices to which you have no copy / paste or file transfer access is going to be a problem with any VPN framework.

Yes, though openvpn does it with the .ovpn file you send to the client.
There is an option in the WG app to read in a file but there is no documentation as to the format...
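The key-copying problem described above and the question about the import file format come down to the same thing: a WireGuard peer is identified by a 32-byte X25519 public key, and the file the app and wg-quick read is the plain [Interface]/[Peer] text in which each side holds only its own private key and the other side's public key. The script below is an added example, not code from the thread or from the WireGuard project: it implements X25519 (RFC 7748) in pure Python so it can derive a public key from a private key without the wg tool, checks that a pasted key decodes to 32 bytes, and writes both peers' config files so the only thing that has to be moved to the phone is one file. The tunnel addresses 10.9.0.x, port 51820, the LAN range and the endpoint vpn.example.net are illustrative assumptions, not values from the thread.

```python
import base64
import os

# X25519 (RFC 7748) in pure Python, enough to derive a WireGuard public key
# from a private key without the `wg` tool or a third-party library.
_P = 2 ** 255 - 19
_A24 = 121665


def _clamp(priv):
    """RFC 7748 scalar clamping of a 32-byte private key."""
    b = bytearray(priv)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _ladder(k, u):
    """Montgomery ladder (RFC 7748 section 5); k is the clamped scalar, u the
    peer's u-coordinate. Returns the u-coordinate of k*u as an integer."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P


def x25519(priv, peer_pub):
    """Shared secret: scalar-multiply the peer's public u-coordinate."""
    u = int.from_bytes(peer_pub, "little") & ((1 << 255) - 1)
    return _ladder(_clamp(priv), u).to_bytes(32, "little")


def x25519_public(priv):
    """Public key = X25519(priv, base point 9)."""
    return x25519(priv, (9).to_bytes(32, "little"))


def keypair(priv=None):
    """(private_b64, public_b64) as `wg genkey` / `wg pubkey` print them; pass
    `priv` to reproduce a known key, otherwise 32 random bytes are drawn."""
    priv = priv if priv is not None else os.urandom(32)
    return (base64.b64encode(priv).decode(),
            base64.b64encode(x25519_public(priv)).decode())


def valid_key(b64):
    """A WireGuard key string is exactly 32 bytes once base64-decoded."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False


def peer_configs(router_kp, phone_kp, endpoint, lan_cidr="192.168.1.0/24"):
    """Return (router_conf, phone_conf) in the [Interface]/[Peer] format that
    wg-quick and the Android app import. Each file carries only its own
    private key and the other side's public key. Tunnel addresses, port and
    LAN range are illustrative assumptions, not values from the thread."""
    r_priv, r_pub = router_kp
    p_priv, p_pub = phone_kp
    router = (f"[Interface]\nPrivateKey = {r_priv}\nAddress = 10.9.0.1/24\n"
              f"ListenPort = 51820\n\n[Peer]\nPublicKey = {p_pub}\n"
              f"AllowedIPs = 10.9.0.2/32\n")
    phone = (f"[Interface]\nPrivateKey = {p_priv}\nAddress = 10.9.0.2/24\n\n"
             f"[Peer]\nPublicKey = {r_pub}\nEndpoint = {endpoint}\n"
             f"AllowedIPs = 10.9.0.0/24, {lan_cidr}\nPersistentKeepalive = 25\n")
    return router, phone


if __name__ == "__main__":
    router_conf, phone_conf = peer_configs(keypair(), keypair(), "vpn.example.net:51820")
    print(router_conf)
    print(phone_conf)
```

Generating both keypairs on one machine, as the script does, means the phone's private key travels inside the config file you transfer; the workflow described in the thread (generate on the phone, move only the public key) keeps that key on the device, at the cost of the copy-and-paste pain. The Android app reads the same [Interface]/[Peer] text whether it is imported as a file or scanned from a QR code, so the file content is exactly what the script prints.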
