How do I improve OpenVPN reliability over a high latency link?

1542 as an MTU? Never heard of that for a WAN link. Usually, MTU is the max payload, IP packet size minus the header for IP (20 bytes) and ICMP (8 bytes). That means MTU=1500 for a traditional Ethernet LAN. Furthermore, most VPNs introduce an overhead for their packet encapsulation. A typical VPN MTU is 1400.

In modern networks, it is difficult to conclude what the MTU will be at any moment, as ingress and egress paths may be different, and they may also change due to automatic path re-routing. For a network like this, it may be more effective to set the MTU low, such as 576, on your hosts that are on either side of the VPN link.

MSS (maximum segment size) is MTU minus the IP+TCP headers (40 bytes). This is typically negotiated by the network stack, and usually does not have the same negotiation issues as MTU, unless MTU is wrong. (MTU negotiation is usually impaired by blocked ICMP or black hole routers.)

The first thing I would do is a network packet capture on your sending end, and sort the display by frame size (you may need to add this column in Wireshark). You should verify that you aren't sending any frames that are oversize compared to what you would expect them to be. It's not unusual for modern network cards to send oversize frames if options such as Large Send Offload or Jumbo Frames are enabled. I've seen 30,000+ byte frames when these options are enabled.
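The frame-size check described in the answer above can also be scripted. This is an added example, not part of the original answer: it reads a classic pcap file (not pcapng), assumes an Ethernet link type, and uses hypothetical function names; the sample capture is constructed in memory.

```python
import io
import struct
from collections import Counter

ETH_HEADER = 14  # Ethernet II header, no VLAN tag, FCS not captured

def frame_sizes(stream):
    """Yield (captured_len, on_wire_len) for each record of a classic pcap."""
    header = stream.read(24)
    magic = header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"  # little-endian, microsecond or nanosecond timestamps
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # end of file or truncated record header
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        stream.seek(incl_len, io.SEEK_CUR)  # skip the captured bytes
        yield incl_len, orig_len

def oversize_report(stream, mtu=1500):
    """Return (histogram of on-wire sizes, sizes above mtu + Ethernet header)."""
    limit = mtu + ETH_HEADER
    hist = Counter(orig for _incl, orig in frame_sizes(stream))
    oversize = sorted((s for s in hist if s > limit), reverse=True)
    return hist, oversize

def build_sample_pcap(sizes, snaplen=96):
    """Constructed sample: little-endian pcap with zero-filled frames."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for i, size in enumerate(sizes):
        incl = min(size, snaplen)  # captures are often truncated to snaplen
        out.write(struct.pack("<IIII", i, 0, incl, size))
        out.write(bytes(incl))
    out.seek(0)
    return out

if __name__ == "__main__":
    sample = build_sample_pcap([66, 1514, 1514, 2962, 30034])
    hist, oversize = oversize_report(sample, mtu=1500)
    for size in sorted(hist, reverse=True):
        flag = "  <-- exceeds MTU + Ethernet header" if size in oversize else ""
        print(f"{size:6d} bytes x{hist[size]}{flag}")
```

The report uses the on-wire length from each record header, so it still works when the capture was taken with a short snap length.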


Just out of curiosity, have you tried lowering the MTU of the network interface? Perhaps the satellite link screws up fragmentation badly. As a counter-intuitive note, you might want to try OpenVPN over TCP for a change. I know it should decrease performance, but if you have no control over fragmentation along the line it might assist you.


When you use TCP, increase the window size of TCP; this will help with the "number of packets in the air".

It's been a while since I've had to play with this stuff, but here is one link Google found for me.

After I re-read your question I see you're running BGAN - I'd have a good look at this (or just Google for: "BGAN spoofing").

As for bandwidth measurement, I've found iperf to be pretty decent so long as you're using reasonable packet sizes.


I think you might be barking up the wrong tree. Any time I've had wrong MTU issues, traffic stopped way before 192KB. I think it's more related to some "in flight packets" window, either the TCP window, or maybe some buffers in the satellite uplink itself.

Definitely do some long packet captures (both 'inside' and 'outside' of the VPN) and see if you're getting all the ACKs.