TCP under OpenVPN is very slow (tsg attached)
I have a very weird problem with OpenVPN.
Most VPNs work fine, except this one. Here I get very low performance from TCP connections, but the CPU load is low (so, not a CPU issue).
OpenVPN is configured with UDP, AES-256-CBC cipher, SHA256 auth and no compression.
Here are some measurements I did with iperf:
Network connection without VPN:
iperf -c external.ip result:300 - 500mbps (good)
iperf -c vpn.int.ip result: 20-30mbps (not good)
The cpu usage on both ends is low. OK, maybe some ISP shapes or filters the UDP packets.
iperf -c external.ip -b 500M result: no packet loss
Hmm... what if I force UDP stream trough VPN
iperf -c vpn.int.ip -b 100M result: no packet loss
iperf -c vpn.int.ip -b 180M result: packet loss ~0.1%
So, my VPN connection should go up to 180mbps, based on the results with UDP, but it doesn't. I also get very weird graph with tcptrace.
This is how the good test goes (without VPN, using external IPs):
As you see, the sent packets stay near the yellow line, meaning the receive window is kept almost full. This portion of the graph is near the start of the connection, later, the sent packets are practically on top of the yellow line.
And this graphs is what I get from VPN:
Now here for some reason the sender acts as if the window was very small, even though it is large (it does not matter what I set the window to, tried keeping the default setting and 4MB) and sends the packets only in small bursts.
This is the first time I have seen a graph like this? What could be causing it? Some UDP filtering by the ISP, OpenVPN itself, something else?
EDIT: Running the VPN using TCP instead of UDP results in 10mbps troughput.
Solution 1:
I have solved it. Or rather, I know how to make it faster, but do not know why it is slow. It seems that AES cipher interferes somehow with TCP on this particular server and results in the low performance. If I change the cipher to, say, 3des (which is slower as reported by "openssl speed"), I get 150mbps. After some trials, I now use this:
cipher camellia-128-cbc
auth sha1
tun-mtu 9000
Now I get 300mbps for a single stream and 450mbps for multiple streams.
Solution 2:
maybe you are running into issues with MTU on the connection. take a look at the following two links, they may contains some usefull info.
Configure the MTU with Fragment and MSS
Optimizing performance on gigabit networks