OpenVPN poor / lack of outgoing traffic on client

Hi there,

I have OpenWrt 18.06 on a Linksys WRT1200AC and I've configured the OpenVPN service.

My intention is

  • each connected client has its own static IP address 10.8.0.*,
  • each connected client can access samba share hosted on the router,
  • all the internet traffic should go through the tunnel.

Router IP is 192.168.1.1, devices have 192.168.1.100 - 192.168.1.110 addresses.
I use dynamic dns service from OVH.
My ISP (UPC) offers an asymmetric connection, 150 / 10 Mbit/s.

In general it works. However, once a device (a Moto G5 in the example below) is connected, outgoing traffic is extremely poor, almost 0. I know I can expect 10 / 5 Mbit/s at most through the VPN, but the Ookla speed test cannot even run the upload test, while download is ~10 Mbit/s. As a result I can't even send an e-mail when I'm behind the VPN.

Could you please help me with solving this issue?

iwinfo

tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          inet6 addr: fe80::162a:d3f8:92fc:fc55/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:43991 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:3128995 (2.9 MiB)  TX bytes:101139214 (96.4 MiB)

/etc/config/openvpn

# OpenVPN server instance. UCI option names map to the OpenVPN directives of
# the same name (underscores become dashes, e.g. client_config_dir ->
# client-config-dir).
config openvpn 'bonkowo'
    option enabled '1'
# layer-3 tunnel; 'tun0' is also the ifname of the 'vpn' interface in
# /etc/config/network, which is how it lands in the 'vpn' firewall zone
    option dev 'tun0'
# non-default port (OpenVPN's default is 1194); must match the 'OpenVPN'
# firewall rule and the 'remote' line of the client profile
    option port '1915'
    option proto 'udp'
# /tmp is RAM-backed on OpenWrt, so this log does not survive a reboot
    option log '/tmp/openvpn.log'
    option verb '3'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/skynet.crt'
# server private key; keep it readable by root only
    option key '/etc/openvpn/skynet.key'
# server takes 10.8.0.1, clients are assigned from the pool starting at
# 10.8.0.2 (see the IFCONFIG POOL line in the log)
    option server '10.8.0.0 255.255.255.0'
    option dh '/etc/openvpn/dh.pem'
# per-client files in this directory (ifconfig-push) are what give each
# client its own fixed 10.8.0.x address
    option client_config_dir '/etc/openvpn/ccd'
    option topology 'subnet'
# pushed to clients: a route to the LAN (samba share on the router) and a
# default route through the tunnel for all internet traffic
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'redirect-gateway def1'
# expands to the ping / ping-restart pair and is pushed to clients as well
    option keepalive '10 180'
# NOTE(review): no tls_auth / tls_crypt key is configured, so the control
# channel has no pre-shared HMAC and the server will start a TLS handshake
# for any UDP packet reaching port 1915. Adding 'option tls_crypt' (2.4+) or
# 'option tls_auth' (with the matching line in every client profile) limits
# that exposure; it has no effect on data-channel throughput.
# NOTE(review): no 'cipher' / 'ncp_ciphers' option is set, so the data-channel
# cipher is negotiated; the PUSH_REPLY in the log below shows AES-256-GCM.

/etc/config/firewall

# Global policies; zone settings below override them per zone. A rule with
# no 'dest' applies to traffic addressed to the router itself (INPUT).
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

# Internet-facing zone: unsolicited inbound traffic is rejected unless a rule
# below allows it; 'masq' NATs everything leaving through wan, 'mtu_fix'
# clamps TCP MSS to the path MTU.
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

# OpenWrt default rules (DHCP, ICMP, IGMP, DHCPv6, MLD, ICMPv6) follow.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# 'dest *' = forwarded to any zone
config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# OpenWrt default IPsec pass-through rules (wan -> lan); not used by the
# OpenVPN setup on this page.
config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# Custom iptables rules, if any, live in this file and are not shown here.
config include
    option path '/etc/firewall.user'

# No 'dest': accepts inbound TCP 55666 from the internet to a listener on the
# router itself, so that service is directly exposed on the WAN side.
config rule
    option name 'transmission'
    option src 'wan'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '55666'

# DNATs WAN port 2211 to the router's own LAN address, i.e. exposes the
# router's SSH port to the internet.
# NOTE(review): with the 'vpn' zone below allowing 'input', SSH is already
# reachable through the tunnel; this redirect can be removed, or at least
# limited with 'option src_ip' to the addresses that need it.
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '2211'
    option dest_ip '192.168.1.1'
    option dest_port '2211'
    option name 'SSH'

# Zone for tun0 (the 'vpn' interface in /etc/config/network). 'input ACCEPT'
# lets VPN clients reach every service on the router, which is what the
# samba share requires; 'masq' source-NATs traffic leaving through tun0.
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn'
    option masq '1'

# client internet traffic (redirect-gateway) leaves via wan, NATed by the
# wan zone's masq
config forwarding
    option src 'vpn'
    option dest 'wan'

# the only service deliberately opened on the WAN for the VPN: its UDP port,
# matching 'option port' in /etc/config/openvpn
config rule
    option name 'OpenVPN'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option dest_port '1915'

# clients may reach LAN devices; there is no lan -> vpn forwarding, so LAN
# devices cannot initiate connections to VPN clients
config forwarding
    option src 'vpn'
    option dest 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd77:4b85:3b6a::/48'

# LAN bridge on VLAN 1; 192.168.1.1 is the router address the SSH redirect
# and the pushed LAN route refer to
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN on VLAN 2, IPv4 and IPv6 both via DHCP from the ISP
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# proto 'none': OpenVPN configures tun0 itself; this stanza only exists so the
# 'vpn' firewall zone (option network 'vpn') can bind to the tunnel device
config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

route -n #client

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.43.1    0.0.0.0         UG    600    0        0 wlp4s0
10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
xxx.xxx.xxx.xxx 192.168.43.1    255.255.255.255 UGH   600    0        0 wlp4s0
192.168.1.0     10.8.0.1        255.255.255.0   UG    50     0        0 tun0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
192.168.43.1    0.0.0.0         255.255.255.255 UH    600    0        0 wlp4s0

vpn client config

# OpenVPN client profile for the Moto G5; directives mirror the server
# instance in /etc/config/openvpn above.
client
ca ca.crt
# client identity the server authenticates; moto.key must stay private
cert moto.crt
dev tun0
key moto.key
proto udp
# dynamic DNS name (OVH) and the server's non-default UDP port
remote subdomena.domena.ovh 1915
# only accept a peer whose certificate is marked as a server certificate, so a
# leaked client certificate cannot be used to impersonate the server
remote-cert-tls server
verb 3
# NOTE(review): no tls-auth / tls-crypt line; it must match the server, which
# currently has none either. No 'cipher' is pinned, so the data-channel
# cipher comes from the server's PUSH_REPLY (AES-256-GCM in the log below).

grep 10.8.0.2 /tmp/openvpn.log

Sun Oct 14 17:27:33 2018 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sun Oct 14 17:27:33 2018 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sun Oct 14 17:30:33 2018 moto/xxx.xxx.101.197:xxx MULTI: Learn: 10.8.0.2 -> moto/xxx.xxx.101.197:xxx
Sun Oct 14 17:30:33 2018 moto/xxx.xxx.101.197:xxx MULTI: primary virtual IP for moto/xxx.xxx.101.197:xxx: 10.8.0.2
Sun Oct 14 17:30:34 2018 moto/xxx.xxx.101.197:xxx SENT CONTROL [moto]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

Best regards, Przemek

May be there's packet loss or some traffic shaping from ISP?
Try to use 443/TCP.

Thank you @vgaetera for your reply. I'll try it, but honestly I doubt it will help, because not long ago I was using OpenVPN on Gargoyle and everything worked perfectly with 1915/udp. But OK, maybe something has changed on the ISP's side.

Do you have any other clients to compare to localize the issue?
It might be client-hardware or client-software related.

I've been testing this on a regular desktop PC, mobile and macbook (outside of the local network), same behaviour on each device.

Hmm, I believe something is wrong in the routing, because there is a destination 192.168.43.1 with the same address as the gateway. Why isn't 192.168.1.1, the router IP, there? Well, I'm not an expert on networking :wink:

That is the LAN gateway of the VPN client.

Your overall configuration looks fine.
This kind of issue is more likely protocol-related and might not be limited to the OpenVPN layer itself.

Follow the troubleshooting section of the guide:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive#troubleshooting

You're likely going to need to tune your VPN. See the wikis linked to under OpenVPN.

  • Specific things needing to be tuned:
    • Depending on what your server log shows, the TLS ciphers
    • Send & Receive side buffers
    • Tunnel MTU
      • This is not the same as the link MTU, which should not exceed 1500, whereas the tunnel MTU should be ~48000.
    • Potentially specifying a fragment and mssfix value of 0; however, I haven't had the time to fully read through the 2.4 changelog and man page to know whether these were deprecated since 2.3.

  • Ensuring all clients are using OpenVPN 2.4; I'm not sure whether Android's two OpenVPN client apps are running 2.4 (the official OpenVPN app and OpenVPN for Android, the latter being the preferred app to use)

Is it possible you also have a VPN app installed on your phone, thereby creating a VPN within a VPN ?

Because that would make things really slow.

@JW0914 thank you for your reply, changing cipher from aes-cbc-256 to aes-cbc-128 solved the problem, thanks for sharing your ideas! :slight_smile:

@stumper to be honest, I don't understand your question. I have simply installed a VPN official client and used certificates to connect

> However, once device (Moto G5 in this example below) is connected, outgoing traffic is extremely poor, almost 0.

  1. If you have configured this phone to use a VPN (manually or by installing an app) it will setup a connection on its own.
  2. You have your router configured to connect to a VPN by default.

If the above are both true, and you are at home, you will have a VPN running within a VPN.
And that would make things really slow, on your phone.

Thanks @stumper for your clarification. As I understand it, you've described a situation in which a mobile is connected to the network via Wi-Fi and via VPN to the same network at the same time, is that correct? If yes, then my answer is no: I used a completely different 'source of internet', external to the tunneled network.

Provided all clients are running OpenVPN 2.4, the legacy SSL cipher suites should not be used, as the TLS ECDHE suites are more efficient. Note that `tls_cipher` only governs the TLS control channel (handshake and rekeys), not the data-channel cipher that carries the tunnel traffic. Add the following to your server config

    # These three options harden the TLS control channel only (handshake and
    # rekeys); the data-channel cipher is chosen separately via cipher /
    # ncp_ciphers, so they do not change tunnel throughput.
    option  tls_server          '1'
    option  tls_version_min     '1.2'
    # '!kRSA' rules out RSA key exchange. The ECDHE and DHE suites give
    # forward secrecy; the TLS-ECDH-RSA (static ECDH) suite in this list does
    # not, and could be dropped.
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

Also, if your Moto G was released 1+ years ago, I'd recommend flashing Lineage OS if an exploit exists to unlock your bootloader.
