Linode Forum
Linode Community Forums
Posted: Thu Aug 19, 2010 5:30 pm
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
Just set up a new Ubuntu box - got OpenVPN installed, simple iptables/masquerade setup. I can tell the server speed to where I am (China) is really snappy.

Then the most bizarre thing happens. I connect to the OpenVPN server on my box with my mac (using Viscosity), everything works. Load the first webpage, loads in an instant (@ about 175k/sec). Load another site, the page loads 50%, then stalls. Open yet another tab, now the pages don't load at all.

I ran a persistent Ping on the tunnel (10.8.0.1) while I'm doing this, and I notice that pings start timing out when I load web pages. On my VPN client, the traffic graph looks like a bunch of spikes (hits a peak, then goes back to zero or near zero).

My initial thoughts are that maybe this is getting throttled by the Great Firewall of China (even though openVPN is supposedly safe from that). However, I also subscribe to a paid VPN service (StrongVPN) and that works flawlessly.

I'm running the openVPN server on UDP, and tried a number of different ports to no avail. I also tried enabling and disabling comp-lzo.

My iptables is as follows:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.8.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



Is there something I'm doing wrong? I can't for the life of me figure out why it's behaving the way it is.

Thanks in advance for the experts that can point me in the right direction.

thebai


UPDATE: I set up a PPTP VPN. Works flawlessly. The plot thickens....


Posted: Thu Aug 19, 2010 9:07 pm
Senior Newbie

Joined: Sun Oct 18, 2009 4:47 pm
Posts: 14
Location: Toronto, Canada
I've always used OpenVPN-AS, never had any issues. Perhaps the PRC is interfering with Port 1194 that is for standard installations? Try changing it to 443 (TLS), no one would dare block that...

PPTP is dangerous! Unstable, unencrypted (weak)... Beware!

_________________
Liberal Party of Canada FTW!


Posted: Fri Aug 20, 2010 2:05 am
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
If you're just using it for web browsing, an SSH tunnel might be easier to set up. Just connect to ssh with the -D flag, and set your web browser to use the local port as a socks proxy.


Posted: Fri Aug 20, 2010 2:09 am
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
@ComplexMind -

Thanks for the heads up on OpenVPN-AS. I wish I had gone with this initially. I have configured it to use PAM as login - does it still require keys for the client? I generated keys for regular openVPN but they don't seem to work (I get the login / pass) but cannot proceed further.

I tried to download the ovpn file from the web interface and that gave me: Options error: Unrecognized option or missing parameter(s) in config.conf:25: key-direction (2.0.9)


Posted: Fri Aug 20, 2010 2:11 am
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
@hybinet

Thanks for the recommendation. Yes, that works fine for web browsing - but it doesn't allow HULU streaming.

Still would like to get OpenVPN working if possible. I feel like I'm close!!!!


Posted: Fri Aug 20, 2010 5:08 am
Senior Member

Joined: Thu Nov 25, 2004 10:05 am
Posts: 52
I've had similar problems; try playing with the fragment and/or mssfix options to see if you're hitting MTU / fragmentation issues.


Posted: Fri Aug 20, 2010 1:32 pm
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
I've never run OpenVPN but I'd say Complex Mind's suggestion makes sense: try running the server on port 443, the HTTPS port. Maybe pay for the second IP in case you need 443 for a real HTTPS server on your main IP.


Posted: Fri Aug 20, 2010 3:00 pm
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
Thanks guys. I tried 443. Was a tad better but same problem - VPN became unusable within minutes. Strange that PPTP works perfectly but openVPN does not.


Posted: Fri Aug 20, 2010 3:31 pm
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
thebai wrote:
Thanks guys. I tried 443. Was a tad better but same problem - VPN became unusable within minutes. Strange that PPTP works perfectly but openVPN does not.

Well, they're two totally different ways of tunneling, not to mention distinct software, so while they can share some failure modes, I'm sure there are plenty that aren't common.

I'd agree with a prior suggestion to try the mssfix or fragment options to try to protect against MTU issues along the path. And for testing, I'd start by being aggressive (like keep packet sizes below 512 or something) only worrying about larger sizes for performance once things seem stable.

You could also try switching the OpenVPN connection to use TCP rather than UDP, as it may be more resilient to the particular path being used and/or friendlier to devices in the middle that may not like seeing a UDP stream. (And it's possible those devices are treating GRE tunnel traffic differently)

I guess if nothing else works, bump up debugging in the OpenVPN configuration on both ends and see if it notes anything interesting. If it seems to be missing traffic, you could also run a tcpdump on the relevant interfaces to see if you can deduce if the problem is on the sending or receiving end (the latter probably pointing to an issue in the middle).

It might also be worth testing from a different client if to date you've only tried the single client on your Mac, just in case it's something about how the client ties into the networking subsystem on your Mac. I use Tunnelblick myself, so that might be worth giving a shot if the Mac is the only client platform you have access to.

It certainly should be solvable - I know I'm using OpenVPN connections to Linodes without any major issues.

-- David


Posted: Sat Aug 21, 2010 1:54 am
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
Thanks for the help everyone. I have good news to report.

I played with MTU settings as advised - namely tun-mtu, fragment, and mssfix. I used mtu-test on the client and determined that the MTU size is 997.

Using this, I tried the settings (using UDP)

tun-mtu 1500
fragment 1000
mssfix

and I'm happy to report that the connection is stable, and fairly fast. Not as fast as the PPTP VPN, but not bad (about 2/3 the speed by unscientific and subjective measures)

Lowering tun-mtu or using TCP had a direct impact on the speed, and using the combination of fragment and tun-mtu seems to have yielded the desired results.

I will keep playing around with the settings to see if I can improve the speed, and report back in the event anyone else runs into this problem.


Posted: Sat Aug 21, 2010 2:06 am
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
update:

keeping tun-mtu at 1500 (changing this affects speed), and continuing with my tweak of fragment size:

fragment 1200 (caused the same problems - likely because it exceeds the recommended mtu-test MTU size)

fragment 900 works really well. So far, no dropped connections.

I did notice that on the load of a long page (say a flickr gallery with a lot of thumbnails), it gets slower at the end.

But overall, very happy with the improvement, thanks to the valuable advice from everyone here.
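
Added example, not part of the thread and not OpenVPN project code: a small Python lint that compares the fragment size and the effective mssfix size in a config against the MTU that mtu-test reported, run over the three fragment values tried above. It assumes, as the post's own reasoning does, that the mtu-test figure and the fragment value are comparable sizes; the function names and the sample config are constructed for illustration.

```python
# Added example, not from the thread: compare OpenVPN's fragment/mssfix sizes
# with the path MTU reported by mtu-test. All names here are illustrative.
MSSFIX_DEFAULT = 1450   # default max from the OpenVPN manual
MEASURED_MTU = 997      # value the poster reports from mtu-test

def parse_mtu_directives(config_text):
    """Map each MTU directive to its integer argument (None if it has none)."""
    wanted = {"tun-mtu", "link-mtu", "fragment", "mssfix"}
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or config comment
            continue
        parts = line.split()
        name = parts[0].lstrip("-")           # accept "--fragment" too
        if name in wanted:
            arg = parts[1] if len(parts) > 1 else ""
            found[name] = int(arg) if arg.isdigit() else None
    return found

def effective_mssfix(d):
    """Explicit mssfix max, else fragment's max, else the default (0 = off)."""
    if d.get("mssfix") is not None:
        return d["mssfix"]
    if d.get("fragment") is not None:
        return d["fragment"]
    return MSSFIX_DEFAULT

def lint(config_text, measured_mtu=MEASURED_MTU):
    """Return findings for sizes that exceed the measured path MTU."""
    d = parse_mtu_directives(config_text)
    findings = []
    frag = d.get("fragment")
    if frag is None:
        findings.append("no fragment: OpenVPN will not split oversized datagrams")
    elif frag > measured_mtu:
        findings.append(f"fragment {frag} exceeds measured MTU {measured_mtu}")
    mss = effective_mssfix(d)
    if mss and mss > measured_mtu:
        findings.append(f"effective mssfix {mss} exceeds measured MTU {measured_mtu}")
    return findings

def thread_config(fragment):
    """Constructed config using the settings quoted in the thread."""
    return f"proto udp\ntun-mtu 1500\nfragment {fragment}\nmssfix\n"

if __name__ == "__main__":
    for size in (1000, 1200, 900):
        print(size, lint(thread_config(size)) or "ok")
```

A bare `mssfix` line inherits the fragment value, so lowering fragment below the measured MTU clears both findings at once.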


Posted: Sat Aug 21, 2010 5:44 am
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
thebai wrote:
and I'm happy to report that the connection is stable, and fairly fast. Not as fast as the PPTP VPN, but not bad (about 2/3 the speed by unscientific and subjective measures)

First, glad you were able to get stability.

It may or may not make a difference, but if comparing performance with PPTP, you should check if your particular setup is encrypting the data tunnel - as encryption does add some overhead. If not, then OpenVPN may suffer by comparison as it is encrypting by default. Alternatively, independent of PPTP, if it's not critical to you, you could try disabling encryption with OpenVPN (cipher none) and see if that gives any additional performance boost.

-- David


Posted: Sat Aug 21, 2010 7:01 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Considering where he is, I'd say encryption is quite desired...


Posted: Sat Aug 21, 2010 8:03 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Try setting MTU to 576. See if that helps. :-)



Posted: Sun Aug 22, 2010 2:07 am
Senior Newbie

Joined: Thu Aug 19, 2010 5:02 pm
Posts: 9
@hoopycat: did you mean tun-mtu or link-mtu? I found that if I set them too low, the connection speed decreases.

