Hi all. I have an 'almost working' OpenVPN installation but I have run out of expertise so I'm hoping someone can spot the problem.
I'm running LEDE Reboot 17.01.5 r3919 on a BT Home Hub 5A router with an internet connection speed of around 25Mbps down, 5Mbps up.
I installed OpenVPN using luci-app-openvpn and configured it using the guide from loganmarchione.com/2015/08/openwrt-with-openvpn-server-on-tp-link-archer-c7.
No obvious errors (to me anyway) and I'm testing from outside my network using the OpenVPN client on an Android 7 phone.
The client connects to the server, and I can ping the router, and a host on my network, and hosts on the internet. All good - but - when I try to open a web site or stream any media, the data transfer rate is almost zero. The one time I got a result from speedtest.net it was about 0.05Mbps. The 'realtime traffic' screen shows short bursts of data on the tun0 interface but mainly zilch. The 'realtime load' shows a max of 0.8 and average below 0.4.
I have just checked the Android client by temporarily connecting to a public OpenVPN server (in Japan yet) and I get steady transfer speeds around 2Mbps, which would be enough for my needs.
I've read the online documentation and googled around without finding anything that seems to describe this problem, so I'm hoping that someone may recognise what is happening.
I include my config files and logs below.
/tmp/etc/openvpn-myvpn.conf
client-to-client
persist-key
persist-tun
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/svrcert.crt
comp-lzo yes
dev tun
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/svrcert.key
log /tmp/openvpn.log
mode server
mute 5
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route-gateway dhcp"
push "redirect-gateway def1"
push "route 10.10.1.0 255.255.255.0"
push "dhcp-option DNS 1.1.1.1"
route-gateway dhcp
server 10.8.0.0 255.255.255.0
status /var/log/openvpn_status.log
topology subnet
verb 3
Client .ovpn
dev tun
proto udp
client
remote-cert-tls server
remote xxx.xxx.xxx.xxx 1194
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
</key>
/tmp/log/openvpn_status.log
OpenVPN CLIENT LIST
Updated,Mon Oct 29 16:32:08 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
/tmp/openvpn.log
Mon Oct 29 11:06:16 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Oct 29 11:06:16 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Mon Oct 29 11:06:16 2018 Diffie-Hellman initialized with 2048 bit key
Mon Oct 29 11:06:16 2018 TUN/TAP device tun0 opened
Mon Oct 29 11:06:16 2018 TUN/TAP TX queue length set to 100
Mon Oct 29 11:06:16 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Oct 29 11:06:16 2018 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Oct 29 11:06:16 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Oct 29 11:06:16 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Oct 29 11:06:16 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Oct 29 11:06:16 2018 UDPv4 link remote: [AF_UNSPEC]
Mon Oct 29 11:06:16 2018 MULTI: multi_init called, r=256 v=256
Mon Oct 29 11:06:16 2018 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mon Oct 29 11:06:16 2018 Initialization Sequence Completed
Mon Oct 29 11:22:38 2018 213.205.192.130:40437 TLS: Initial packet from [AF_INET]213.205.192.130:40437, sid=5710771a d56c111b
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 VERIFY OK:
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 VERIFY OK:
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_GUI_VER=OC30Android
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_VER=3.2
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_PLAT=android
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_NCP=2
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_TCPNL=1
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_PROTO=2
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_IPv6=0
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_AUTO_SESS=1
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 peer info: IV_BS64DL=1
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Oct 29 11:22:39 2018 213.205.192.130:40437 [clicert] Peer Connection Initiated with [AF_INET]213.205.192.130:40437
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 MULTI: Learn: 10.8.0.2 -> clicert/213.205.192.130:40437
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 MULTI: primary virtual IP for clicert/213.205.192.130:40437: 10.8.0.2
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 PUSH: Received control message: 'PUSH_REQUEST'
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 SENT CONTROL [clicert]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,
route-gateway dhcp,redirect-gateway def1,route 10.10.1.0 255.255.255.0,dhcp-option DNS 1.1.1.1,route-gateway 10.8.0.1,topology subnet,ping 10,
ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:22:39 2018 clicert/213.205.192.130:40437 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:28:17 2018 clicert/213.205.192.130:40437 SIGTERM[soft,remote-exit] received, client-instance exiting
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 TLS: Initial packet from [AF_INET]213.205.192.130:34051, sid=b75e25d5 87c9ea50
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 VERIFY OK:
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 VERIFY OK:
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_GUI_VER=OC30Android
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_VER=3.2
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_PLAT=android
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_NCP=2
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_TCPNL=1
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_PROTO=2
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_IPv6=0
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_AUTO_SESS=1
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 peer info: IV_BS64DL=1
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Oct 29 11:28:28 2018 213.205.192.130:34051 [clicert] Peer Connection Initiated with [AF_INET]213.205.192.130:34051
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 MULTI: Learn: 10.8.0.2 -> clicert/213.205.192.130:34051
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 MULTI: primary virtual IP for clicert/213.205.192.130:34051: 10.8.0.2
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 PUSH: Received control message: 'PUSH_REQUEST'
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 SENT CONTROL [clicert]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,
route-gateway dhcp,redirect-gateway def1,route 10.10.1.0 255.255.255.0,dhcp-option DNS 1.1.1.1,route-gateway 10.8.0.1,topology subnet,ping 10,
ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:28:28 2018 clicert/213.205.192.130:34051 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 29 11:56:33 2018 clicert/213.205.192.130:34051 SIGTERM[soft,remote-exit] received, client-instance exiting
Client log
13:03:51.503 -- EVENT: RECONNECTING
13:03:51.509 -- EVENT: RESOLVE
13:03:51.516 -- Contacting xxx.xxx.xxx.xxx:1194 via UDP
13:03:51.517 -- EVENT: WAIT
13:03:51.522 -- Connecting to [nnn.nnn.nnn]:1194 (xxx.xxx.xxx.xxx) via UDPv4
13:03:51.595 -- EVENT: CONNECTING
13:03:51.599 -- Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
13:03:51.602 -- Creds: UsernameEmpty/PasswordEmpty
13:03:51.603 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1
IV_BS64DL=1
13:03:51.876 -- VERIFY OK : depth=1
cert. version : 3
serial number : B6:16:96:0B:44:E0:76:12 issuer name .......
subject name : C=GB, ST=GB, ..........
issued on : 2018-10-23 15:09:24
expires on : 2028-10-20 15:09:24
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
13:03:51.878 -- VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=GB, ST=GB,...............
subject name : C=US, ST=CA, ...............
13:03:52.159 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
13:03:52.163 -- Session is ACTIVE
13:03:52.167 -- EVENT: GET_CONFIG
13:03:52.175 -- Sending PUSH_REQUEST to server...
13:03:52.225 -- OPTIONS:
0 [comp-lzo] [yes]
1 [persist-key]
2 [persist-tun]
3 [topology] [subnet]
4 [route-gateway] [dhcp]
5 [redirect-gateway] [def1]
6 [route] [10.10.1.0] [255.255.255.0]
7 [dhcp-option] [DNS] [1.1.1.1]
8 [route-gateway] [10.8.0.1]
9 [topology] [subnet]
10 [ping] [10]
11 [ping-restart] [120]
12 [ifconfig] [10.8.0.2] [255.255.255.0]
13 [peer-id] [0]
14 [cipher] [AES-256-GCM]
15 [block-ipv6]
13:03:52.227 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: LZO
peer ID: 0
13:03:52.228 -- EVENT: ASSIGN_IP
13:03:52.266 -- Connected via tun
13:03:52.269 -- LZO-ASYM init swap=0 asym=0
13:03:52.271 -- EVENT: CONNECTED info='@nnn.nnn.nnn:1194 (xxx.xxx.xxx.xxx) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]' trans=TO_CONNECTED