
I have an OpenVPN server with Debian 8 and OpenVPN 2.3.14 x86_64-pc-linux-gnu. Today I noticed packet loss. My server is on TCP port 443.

Ping statistics for 144.76.41.103:
    Packets: Sent = 1135, Received = 1121, Lost = 14 (1% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 961ms, Average = 51ms

Other stat:

Ping statistics for 144.76.41.103:
    Packets: Sent = 1135, Received = 1121, Lost = 70 (5% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 961ms, Average = 51ms

Server config:

port 443
float
proto tcp
dev tun2

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/1.crt
key /etc/openvpn/keys/1.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
script-security 3
auth-user-pass-verify "/etc/openvpn/auth.sh" via-env
keepalive 20 100
cipher BF-CBC
max-clients 100
persist-key
persist-tun
username-as-common-name
log logs/443tcp.log
log-append logs/443app.log
status status/443tcp_status.log 60
verb 2
mute 15
inactive 1200
comp-lzo
reneg-sec 86400
up /etc/openvpn/up.sh

Because of this, I often get lag (just a freeze for a second) in my applications, SSH consoles and of course in online games.

Any ideas what could cause this?

iwaseatenbyagrue
George
  • This seems like a [better fit](https://serverfault.com/help/on-topic) for SuperUser. I am not sure a couple of ping tests are really enough to see the issue as such - do you possibly have some stats (e.g. tcp retransmit count, error count), and could you run [iperf](https://iperf.fr/) between VPN endpoints to give a better view of your issue? – iwaseatenbyagrue Apr 04 '17 at 17:49

1 Answer


You need to set correct MTU for your VPN link. You can determine the value with ping command. Start pinging server from client with

ping -M do -s 1500 -c 1 10.8.0.1

It will probably say ping: local error: Message too long, mtu=1500

Decrease the 1500 value by 10 each time, until the ping succeeds. Once the ping succeeds, the value used is the MTU you should use. OpenVPN requires a value called the MSS to be set. The MSS is the value for the MTU minus 40.

Eg. If your MTU is 1460, your MSS is 1420

MSS = MTU  - 40
MSS = 1460 - 40
MSS = 1420

To set the MSS for OpenVPN, add the following server configuration line (replacing 1420 with the appropriate value).

mssfix 1420

You can also turn on MSS auto-discovery by using the following config directives:

tun-mtu 1460
mtu-disc yes

More info

Anubioz
    `for i in {1500..900..-10}; do ping -M do -c 1 10.8.0.1 -s "$i"; done` - I just stop it when I see the pings succeed. – bjd2385 Dec 10 '18 at 17:30
    @bd1251252 nice one indeed, can be somewhat improved: `for i in {1500..900..-2}; do ping -M do -c 1 10.8.0.1 -s "$i" 2>&1 | grep -q '1 received' && break; done; echo $i` – Anubioz Dec 20 '18 at 05:57
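The answer above and the comment loops step the ping payload down by 10 or 2 until a do-not-fragment probe gets through, then take MTU - 40 as the mssfix value. The script below is an added example written for this page, not code from the answer or from the OpenVPN project: it does the same probing with a binary search (about ten probes instead of up to a few hundred), and it computes the MTU from the probe result instead of reading the -s value as the MTU, because -s sets only the ICMP payload and the packet on the wire is 28 bytes larger (8-byte ICMP echo header plus 20-byte IPv4 header). The hosts 10.8.0.1 and 144.76.41.103 are taken from the page; the 2-second reply timeout, the 500..1472 search range and the requirement for Linux iputils ping (-M do) are assumptions. One caveat the page does not spell out: a probe sent to the tunnel address 10.8.0.1 travels over the tun interface, so the "Message too long" it hits is the tun interface's own MTU (tun-mtu, 1500 by default), not the MTU of the physical path underneath the tunnel; to learn the latter, probe the server's public address from outside the tunnel and compare the two results.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: find the largest ICMP payload
# that crosses a path without fragmentation (binary search instead of stepping
# by 10), then derive the MTU and the mssfix value the answer computes by hand.
#
# Assumptions: Linux iputils ping (-M do sets the DF bit), IPv4, and that a
# reply to a do-not-fragment probe means the whole packet fit the path.

# The -s argument is the ICMP payload; the packet on the wire is payload plus
# the 8-byte ICMP echo header plus the 20-byte IPv4 header.
IP_ICMP_OVERHEAD=28
# The answer's rule: mssfix = MTU - 40 (20 bytes IPv4 + 20 bytes TCP).
IP_TCP_OVERHEAD=40

# One do-not-fragment probe; exit 0 only if a reply came back within 2 seconds.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest payload in [lo, hi] that the probe function accepts.
# The probe function is a parameter so the search itself can be tested offline.
# Prints -1 if even the smallest size is refused.
largest_payload() {
    local host=$1 lo=$2 hi=$3 fn=${4:-probe} best=-1 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))   # fits: try larger
        else
            hi=$(( mid - 1 ))              # too big: try smaller
        fi
    done
    echo "$best"
}

mtu_from_payload() { echo $(( $1 + IP_ICMP_OVERHEAD )); }
mss_from_mtu()     { echo $(( $1 - IP_TCP_OVERHEAD )); }

# Probe one host and print the OpenVPN directives that follow from the result.
report() {
    local payload mtu mss
    payload=$(largest_payload "$1" 500 1472)
    if [ "$payload" -lt 0 ]; then
        echo "no unfragmented reply from $1 even at 500 bytes" >&2
        return 1
    fi
    mtu=$(mtu_from_payload "$payload")
    mss=$(mss_from_mtu "$mtu")
    echo "$1: largest payload $payload -> MTU $mtu -> mssfix $mss"
    echo "tun-mtu $mtu"
    echo "mssfix $mss"
}

# Usage: ./probe-mtu.sh 10.8.0.1 144.76.41.103
# The first probe reports the tun interface's own MTU; the second, run from
# outside the tunnel, reports the underlying path to the server.
for h in "$@"; do report "$h"; done
```

With a path that accepts a 1432-byte payload and refuses 1433, the script reports MTU 1460 and mssfix 1420, the same pair the answer uses in its worked example; the search needs about ten probes to get there regardless of where the limit lies.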