From patchwork Tue Oct 20 13:28:25 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 3591
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH] openvpn: Actually apply configured parameters
Date: Tue, 20 Oct 2020 13:28:25 +0000
Message-Id: <20201020132825.8416-1-michael.tremer@ipfire.org>
Cc: Michael Tremer
List-Id: IPFire development talk

OpenVPN is an absolute mess. The behaviour of configuration parameters has been changed over the time; default values have been changed over time; and it looks like nobody is actually testing anything any more.

I have been spending hours today on figuring out why OpenVPN is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance it achieves about 100 MBit/s in the default configuration when "openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.

Changing any of the cryptography parameters does not change anything. Throughput remains around 100 MBit/s. I finally set "cipher none" and "auth none" which disables encryption and authentication altogether but does not increase throughput. From here on it was absolutely clear that it was not a crypto issue.

OpenVPN tries to be smart here and does its own fragmentation. This is the worst idea I have heard of all day, because that job is normally done best by the OS. Various settings which allow the user to "tune" this are grossly ineffective - let alone it isn't even clear what I am supposed to configure anywhere. Setting "fragment 1500" weirdly still does not convince openvpn to generate a packet that is longer than 1400 bytes. Who'd a thunk?

There are a number of other parameters to set the MTU or which are related to it (tun-mtu, link-mtu, fragment, mssfix).

On top of all of this we have two "bugs" in ovpnmain.cgi which are being fixed in this patch:

1) mssfix can be configured by the user. However, we always enable it in openvpn. The default is on, we only add "mssfix" which simply turns it on. It is now being disabled when the user has chosen so in the web UI. I do not know if this is backwards-compatible.

2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being used. So it becomes pointless that the user can configure this, and the user is not being made aware of this when they hit the save button. This was added when we added path MTU discovery. Since that did not work and was removed, we can remove this now, too.

I achieved a solid 500-600 MBit/s of goodput with these settings:

* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000

I am sure the MTU could be further increased to have bigger packets, but I did not test how badly this will affect latency of the tunnel. OpenVPN seems to only be able to handle a certain amount of packets a second - no matter what. With larger packets, the throughput of the tunnel increases, but latency might as well.

Signed-off-by: Michael Tremer
Cc: Erik Kapfer
Cc: Stefan Schantl
---
 html/cgi-bin/ovpnmain.cgi | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e7bc505e7..e5bc45c1c 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -280,14 +280,7 @@ sub writeserverconf { print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - # Check if we are using mssfix, fragment and set the corretct mtu of 1500. - # If we doesn't use one of them, we can use the configured mtu value. - if ($sovpnsettings{'MSSFIX'} eq 'on') - { print CONF "tun-mtu 1500\n"; } - elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') - { print CONF "tun-mtu 1500\n"; } - else - { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } + print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; if ($vpnsettings{'ROUTES_PUSH'} ne '') { @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); @@ -320,6 +313,8 @@ sub writeserverconf { } if ($sovpnsettings{MSSFIX} eq 'on') { print CONF "mssfix\n"; + } else { + print CONF "mssfix 0\n"; } if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; @@ -975,7 +970,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; print SERVERCONF "tun-mtu $tunmtu\n"; if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";} - if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; + if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" }; } print SERVERCONF "# Auth. Server\n"; 
@@ -1074,7 +1069,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; print CLIENTCONF "tun-mtu $tunmtu\n"; if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";} - if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; + if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" }; } # Check host certificate if X509 is RFC3280 compliant. @@ -2204,7 +2199,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; print CLIENTCONF "tun-mtu $tunmtu\n"; if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} - if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} + if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; } } # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. @@ -2285,15 +2280,7 @@ else print CLIENTCONF "nobind\r\n"; print CLIENTCONF "dev tun\r\n"; print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; - - # Check if we are using fragment, mssfix and set MTU to 1500 - # or use configured value. - if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) - { print CLIENTCONF "tun-mtu 1500\r\n"; } - elsif ($vpnsettings{MSSFIX} eq 'on') - { print CLIENTCONF "tun-mtu 1500\r\n"; } - else - { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } + print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; 
@@ -2383,6 +2370,8 @@ else print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; if ($vpnsettings{MSSFIX} eq 'on') { print CLIENTCONF "mssfix\r\n"; + } else { + print CLIENTCONF "mssfix 0\r\n"; } if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) { print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
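Review bot: in the hunk at @@ -280,14 +280,7 @@ the unconditional `print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";` has no fallback for an empty DMTU, whereas the net-to-net paths touched by this same patch do `if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'}` before printing. The removed cap used to mask an empty value whenever mssfix or fragment was on; if the settings file can carry an empty DMTU, the server config now gets a bare "tun-mtu" line, so either mirror the net-to-net default here or reject an empty MTU when the settings are saved.

Review bot: in the hunk at @@ -320,6 +313,8 @@ (and its client-side counterpart at @@ -2383,6 +2370,8 @@) the new `print CONF "mssfix 0\n";` depends on "0" being the way to switch mssfix off in the OpenVPN version IPFire ships; the commit message only says "I do not know if this is backwards-compatible", so a one-line comment next to the else branch stating that an explicit 0 is required because OpenVPN enables mssfix by default would tell the next reader why a disabled option is written out at all.

Review bot: in the hunks at @@ -975,7 +970,7 @@ and @@ -1074,7 +1069,7 @@ the one-liner is written as `} else { print SERVERCONF "mssfix 0\n" };` with the semicolon outside the block and none after the print, while the hunk at @@ -2204,7 +2199,7 @@ writes `else { print CLIENTCONF "mssfix 0\n"; }`; pick one form for all three, preferably the latter, which matches the multi-line else blocks added elsewhere in this patch.

Review bot: in the hunk at @@ -2285,15 +2280,7 @@ the client file now takes `tun-mtu $vpnsettings{'DMTU'}` straight from the settings, which keeps the two peers in step for newly generated files, but every client configuration downloaded before this change still contains "tun-mtu 1500" and no mssfix line, so those clients will disagree with a server that is regenerated with this code. The commit message should state that existing client configurations have to be downloaded again after the update, or the web UI should warn about it, rather than leaving it at "I do not know if this is backwards-compatible".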
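The following is an added example for this thread, not code from IPFire or OpenVPN: a small linter that parses a generated OpenVPN server or client file and checks it for the exact problems the commit message describes, a tun-mtu still capped at 1500 next to mssfix or fragment, mssfix left at OpenVPN's default because no explicit "mssfix 0" was written, and a server and client that no longer agree. The directive semantics it assumes are the ones the commit message states (mssfix is on unless "mssfix 0" is present; "fragment 0" or a TCP transport means no OpenVPN fragmentation). The three sample configs are constructed to mirror what ovpnmain.cgi writes for the recommended settings (MTU 9000, mssfix off, fragment 0) before and after the patch, and a client file downloaded before the patch.

```python
"""Lint generated OpenVPN configs for the tun-mtu / mssfix / fragment interplay.

Added example, not IPFire or OpenVPN code.  Assumed semantics (as stated in
the commit message): mssfix is on unless an explicit "mssfix 0" is present;
"fragment 0" or a TCP transport leaves OpenVPN's own fragmentation off.
"""
from typing import Dict, List, Optional

Conf = Dict[str, Optional[str]]

OPENVPN_DEFAULT_TUN_MTU = 1500  # what OpenVPN uses when no tun-mtu line is given


def parse_ovpn(text: str) -> Conf:
    """Map each directive to its first argument (None when it has none).

    Handles LF and CRLF, since ovpnmain.cgi writes the server file with "\\n"
    and client files with "\\r\\n".  A later line overrides an earlier one.
    """
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        conf[parts[0]] = parts[1] if len(parts) > 1 else None
    return conf


def mssfix_enabled(conf: Conf) -> bool:
    """A bare "mssfix" or no line at all keeps OpenVPN's default (on);
    only an explicit "mssfix 0" turns it off."""
    if "mssfix" not in conf:
        return True
    arg = conf["mssfix"]
    return arg is None or int(arg) != 0


def fragment_active(conf: Conf) -> bool:
    """fragment only applies on UDP, and a value of 0 disables it."""
    proto = (conf.get("proto") or "udp").lower()
    frag = conf.get("fragment")
    return not proto.startswith("tcp") and frag is not None and int(frag) > 0


def tun_mtu(conf: Conf) -> int:
    return int(conf.get("tun-mtu") or OPENVPN_DEFAULT_TUN_MTU)


def lint(conf: Conf, role: str) -> List[str]:
    """Findings for one peer's config; an empty list means it looks as intended."""
    out: List[str] = []
    if conf.get("tun-mtu") is None:
        out.append(f"{role}: no tun-mtu line, OpenVPN default {OPENVPN_DEFAULT_TUN_MTU} applies")
    if mssfix_enabled(conf):
        out.append(f"{role}: mssfix is active (an explicit 'mssfix 0' is needed to disable it)")
    # The pre-patch ovpnmain.cgi forced tun-mtu 1500 whenever mssfix or fragment
    # was in use; that pattern is a hint the configured MTU never made it out.
    if tun_mtu(conf) == 1500 and (mssfix_enabled(conf) or conf.get("fragment") is not None):
        out.append(f"{role}: tun-mtu 1500 next to mssfix/fragment, check the configured MTU was not overridden")
    return out


def compare(server: Conf, client: Conf) -> List[str]:
    """Both peers must agree on the tunnel MTU and on the mssfix/fragment state;
    a client file downloaded before the fix still carries the old values."""
    out: List[str] = []
    if tun_mtu(server) != tun_mtu(client):
        out.append(f"tun-mtu mismatch: server {tun_mtu(server)} vs client {tun_mtu(client)}")
    if mssfix_enabled(server) != mssfix_enabled(client):
        out.append("mssfix state differs between server and client")
    if fragment_active(server) != fragment_active(client):
        out.append("fragment state differs between server and client")
    return out


# Constructed sample: what ovpnmain.cgi wrote before the patch for MTU 9000,
# mssfix off, fragment 0 on UDP (MTU capped at 1500, no mssfix line at all).
OLD_SERVER = "dev tun\nproto udp\ntun-mtu 1500\nfragment 0\n"
# Constructed sample: the same settings after the patch.
NEW_SERVER = "dev tun\nproto udp\ntun-mtu 9000\nmssfix 0\nfragment 0\n"
# Constructed sample: a client file downloaded before the patch (CRLF endings).
OLD_CLIENT = "client\r\ndev tun\r\nproto udp\r\ntun-mtu 1500\r\nfragment 0\r\n"

if __name__ == "__main__":
    for name, text in (("old server", OLD_SERVER), ("new server", NEW_SERVER)):
        for finding in lint(parse_ovpn(text), name) or [f"{name}: ok"]:
            print(finding)
    for finding in compare(parse_ovpn(NEW_SERVER), parse_ovpn(OLD_CLIENT)):
        print("mismatch:", finding)
```

Run it against the server.conf and a downloaded client file from a real installation to see whether the pre-patch cap is still in effect; the `compare` check is the one that catches clients generated before the fix, which the patch itself cannot update.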