OpenVPN client/server floating bandwidth

Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

Posted: Wed Nov 16, 2022 21:07    Post subject: OpenVPN client/server floating bandwidth
Hi all, I have recently configured a client/server OpenVPN for a friend. I have used two brand new WRT1200ACv2 routers, which I have flashed with the latest available build: 50841.
The VPN is working fine, but when running speed tests I have a very high ping (like 120-140ms) and, most annoying, a "floating" bandwidth (speed tests jump from 5 to 60 Mbps then go down again and so on). I have created an extra certificate for a router I use for tests (which I know works fine) and speed tests behave the same there, so I guess it is a server issue.

Here is the configuration of both routers:

Server:

OpenVPN: Enable
CVE-2019-14899 Mitigation: Disable
Start Type: System
Inbound Firewall on TUN: FALSE
Config as: GUI(server)
Server mode: Router (TUN)
Network: 192.168.3.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: udp4
Encryption Cipher: Not Set
Hash Algorithm: None
First Data Cipher: CHACHA20-POLY1305
Second Data Cipher: AES-128-GCM
Third Data Cipher: AES-256-GCM
Advanced Options: Enable
TLS Cipher: None
Compression: Disabled
Push Client route: Default Gateway
Allow Client to Client: Enable
Allow duplicate Clients: Disabled
Allow Clients WAN access: Enable
Bypass LAN Same-Origin Policy: Enable
Tunnel MTU setting: 0
Tunnel UDP Fragment:
Tunnel UDP MSS-Fix: Disable
Use ECDH instead of DH.PEM: Enable
TLS / Static Key Choice: None

Client:

Start OpenVPN Client: Enable
CVE-2019-14899 Mitigation: Enabled
Server IP/Name : Port: *****.****:1194
Set Multiple Servers: Disable
Tunnel Device: TUN
Tunnel Protocol: udp4
Encryption Cipher: Not Set
Hash Algorithm: None
First Data Cipher: CHACHA20-POLY1305
Second Data Cipher: AES-128-GCM
Third Data Cipher: AES-256-GCM
User Pass Authentication: Disable
Advanced Options: Enable
TLS Cipher: None
Compression: Disabled
NAT: Enable
Inbound Firewall on TUN: FALSE
Killswitch: TRUE
Watchdog: Disable
Source routing (PBR): Route Selected Sources via VPN
Split DNS: FALSE
Policy based Routing: Needed Range
Tunnel MTU setting: 0
Tunnel UDP Fragment:
Tunnel UDP MSS-Fix: Disable
Verify Server Cert: FALSE
TLS Key choice: None

I suggested choosing those two routers as we got a good offer and as I have my personal server running on a WRT1200ACv1. In my case the bandwidth is always the same and ping is about half of that (distances are the same); the only difference is that it is running a 2018 build.

Is there any default setting that could cause this? I have basically left the default router configuration (I just needed an AP on a separate subnet) and I have disabled SFE. Other settings should be mostly defaults.


Thanks to all who will reply.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

Posted: Wed Nov 16, 2022 21:24
MTU 0 means let OpenVPN decide.

Most of the time that does not work very well.

Try MTU 1400.

You might need to go lower.

On another note, why not try WireGuard? It is much faster than OpenVPN.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

Posted: Thu Nov 17, 2022 1:57
Hello @egc, I thought in newer releases the automatic MTU was fixed, wasn't it? Anyway, I have tried 1400, 1500 and lower ones as well, but nothing changes. I have even tried moving to TCP :(
Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

Posted: Fri Nov 18, 2022 10:47
Bumping this up with an update: I have noticed packet loss as well. Any setting that may be worth checking?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

Posted: Fri Nov 18, 2022 12:17
The two usual suspects, i.e. MTU and disabling SFE, you have already tackled.

You can try another port, as 1194 is sometimes throttled.

You can also have a look at the VPN troubleshooting guide.

I would also check your connection without VPN; maybe it is not the VPN at all?

Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

Posted: Fri Nov 18, 2022 19:31
Hi @egc, thanks for your reply.

I have tried the following:

- Tried a couple of different VPN ports (same behaviour).
- Tested provider connectivity w/o VPN (connection is fast and stable).
- Did a test that took a long time to prepare, but it was worth it: I have downgraded the server to the same (very old 37305) build I have on my personal WRT1200AC, configuration copy/pasted from mine, but I am still experiencing this floating bandwidth with packet loss (tried both of them from my ASUS OpenVPN client router). It is strange, as the servers were exactly the same except mine is a WRT1200ACv1 and my friend's is a WRT1200ACv2.

I went through the troubleshooting guide and everything suggests it is an MTU problem, as I thought at the beginning, but I have tried 0, 1500, 1400, 1350 and 1300. Nothing has changed.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

Posted: Fri Nov 18, 2022 19:39
You should try a much lower MTU:
1278, 1250, 1150, 1000

Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

Posted: Sat Nov 19, 2022 0:31
I have tried down to 1000 as you suggested, but nothing :(
Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

Posted: Mon Nov 21, 2022 22:55
Bumping this up with another update:
I have created a client certificate for a smartphone (previously connected through the dd-wrt VPN client) and this floating behaviour disappears completely when connecting it directly to the server. This is the .ovpn file for it:

Code:

client
dev tun
proto udp4
remote ******.****** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
float
auth none
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>


I would say this is definitely something wrong with the dd-wrt OpenVPN client configuration, or with other settings scattered here and there.
Has anyone any clue of what it could be?
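
Separately from the throughput question, the profile posted above has no server-certificate check and no control-channel key, matching the GUI settings "Verify Server Cert: FALSE" and "TLS Key choice: None" (that mapping is an assumption). The following is an added example, not code from the thread or from DD-WRT: a small audit of an .ovpn client profile for those two gaps and for `auth none` combined with a non-AEAD data cipher. The finding names, the `SAMPLE` text and its placeholder host are constructed for illustration.

```python
import re

# Constructed sample: directives from the client profile posted above; remote
# host is a placeholder and the inline certificate/key bodies are left empty.
SAMPLE = """client
dev tun
proto udp4
remote vpn.example.invalid 1194
auth none
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM
<ca>
</ca>
<cert>
</cert>
<key>
</key>
"""

AEAD = {"CHACHA20-POLY1305", "AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}

def parse_profile(text):
    """Return ({directive: [args]}, {names of inline <tag> blocks})."""
    directives, inline, inside = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if inside:                          # skip block body until </tag>
            if line == f"</{inside}>":
                inside = None
        elif (m := re.fullmatch(r"<([a-z0-9-]+)>", line)):
            inside = m.group(1)
            inline.add(inside)
        elif line and line[0] not in "#;":  # '#' and ';' start comments
            name, *args = line.split()
            directives[name] = args
    return directives, inline

def audit(text):
    """Return finding ids for hardening options absent from a client profile."""
    d, inline = parse_profile(text)
    has = lambda name: name in d or name in inline
    findings = []
    if not (has("remote-cert-tls") or has("verify-x509-name")):
        findings.append("server-cert-not-verified")
    if not any(has(k) for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no-control-channel-key")
    ciphers = (d.get("data-ciphers") or [""])[0].upper().split(":")
    # AEAD ciphers authenticate packets themselves; any other cipher needs the HMAC.
    if (d.get("auth") or [""])[0].lower() == "none" and set(ciphers) - AEAD:
        findings.append("auth-none-with-non-aead-cipher")
    return findings
```

Run against the sample, `audit(SAMPLE)` reports the missing certificate check and control-channel key but not `auth none`, because every listed data cipher is AEAD.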