Short answer: disable comp-lzo.

I realize this is an old post, but I was also suffering from poor OpenVPN performance. I had tried everything, adjusting the MTU, changing the snd and rcv buffers, mss clamping, you name it. CPU load was negligible.

On a whim, I disabled compression (removed comp-lzo from the client and the server) and performance increased 2-4x.

So, with comp-lzo enabled my max performance was around 25-30 Mbit/s, and without it I hit 120 Mbit/s (my internet connection speed).

Server is a Xeon E5-2650, client is Core i5-3320M. Both running OpenVPN 2.3.10, AES-256-CBC, SHA512. My Intel Chromebook also maxed out my internet speed. Performance doubled on my Android clients (14 Mbit/s -> 30 Mbit/s), matching IKEv2 tunnel speed.


TCP is going to be /much/ slower than UDP, caused by the TCP-over-TCP problem. Basically, TCP relies on packet drops/congestion to identify connection parameters, and your TCP-over-OpenVPN connections do not experience either of those. But you've said that's not an option.

You could also try the mtu-disc option to automatically discover the optimal MTU settings for your connection. There are slight mismatches in different places, such as OpenVPN's MTU setting including the size of the Ethernet header. [1]

Your tun-mtu setting is massive, as a 65KB packet is going to have a lot of latency issues going through the internet (IPv4 jumbo packets are around 9000 bytes in size, and mostly work on local networks). Try something under 1460 instead, like 1300, to see if MTU is your issue.


Even though this might be a bit late, you may try what I did:

Remove all mss, mtu, etc. related options.

Do a port scan at your institution and select a UDP port; generally 53 GRE /123 NDP ports should be open:

Add these lines to your server config (ref here)

#possible bandwidth increase
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

I do not fully understand these settings, but they surely did help. Some say it helps a lot; in my experience, it increased my throughput by +/- 30%.

Start the server on one of those ports and you should be good to go :P

Hope this helps!
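
The answers above each blame specific directives: comp-lzo in the first, TCP transport and an oversized tun-mtu in the second, and unset sndbuf/rcvbuf in the third. As an added example (not code from any of the posters or from the OpenVPN project), this Python script checks a config for all of them, including options the server pushes to clients; the function names, the sample config and the use of the second answer's "under 1460" as a threshold are assumptions.

```python
import shlex

MTU_CEILING = 1460  # assumption: the second answer's "under 1460", not an OpenVPN limit

def parse(text):
    """Yield (directive, args, pushed) for each option line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # both comment styles OpenVPN accepts
            continue
        words = shlex.split(line, comments=True)  # handles quotes and trailing # comments
        if words[0] == "push" and len(words) > 1:
            inner = words[1].split()              # push "sndbuf 393216" -> sndbuf 393216
            if inner:
                yield inner[0], inner[1:], True
        else:
            yield words[0], words[1:], False

def audit(text):
    """Return (directive, scope, reason) findings for the settings the answers blame."""
    findings, seen = [], set()
    for name, args, pushed in parse(text):
        scope = "pushed" if pushed else "local"
        seen.add((name, scope))
        if name == "comp-lzo" and args != ["no"]:
            findings.append((name, scope, "compression on; first answer removed it on both ends"))
        elif name == "proto" and args and args[0].startswith("tcp"):
            findings.append((name, scope, "TCP transport; second answer expects UDP to be faster"))
        elif name == "tun-mtu" and args and args[0].isdigit() and int(args[0]) >= MTU_CEILING:
            findings.append((name, scope, f"tun-mtu {args[0]} is not under {MTU_CEILING}"))
    for buf in ("sndbuf", "rcvbuf"):
        findings += [(buf, s, "not set; third answer used 393216")
                     for s in ("local", "pushed") if (buf, s) not in seen]
    return findings

# Constructed sample server config (not from the original posts).
SAMPLE = """\
proto tcp
tun-mtu 65000
comp-lzo
push "comp-lzo"   # clients compress too
sndbuf 393216
push "sndbuf 393216"
"""

if __name__ == "__main__":
    for directive, scope, reason in audit(SAMPLE):
        print(f"{directive:9} {scope:7} {reason}")
```
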