Hi
We need rock stable openVPN with routing all traffic via our network for our new project.
Let me very briefly describe the config - 7.5 set as gateway with multi-wan (2 fibre connections).
multi-wan configured:
enp4s0 (backup) - Weight 1
enp5s0 - Weight 100
We also have Destination Port Rule for UDP 1194 to go through enp5s0, and a disabled rule for UDP 1194 to go through enp4s0 (so it's easy to enable when something goes wrong).
We added:
push "redirect-gateway def1"
to /etc/openvpn/clients.conf.
We also added "reneg-sec 28800" to the server side and client side config.
All seems to work nicely...But I have also came across this article:
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_forcing_openvpn_traffic_for_clients_through_server
that advises to add 3 custom firewall rules
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow VPN client traffic back in if established
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT # Allow VPN clients out
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # nat for VPN
Do we need this (with enp5s0 instead of eth0 for our server) or it's an outdated documentation? I have added those rules but it seems to work with them or without them correctly during my short tests.
Thanks.
We need rock stable openVPN with routing all traffic via our network for our new project.
Let me very briefly describe the config - 7.5 set as gateway with multi-wan (2 fibre connections).
multi-wan configured:
enp4s0 (backup) - Weight 1
enp5s0 - Weight 100
We also have Destination Port Rule for UDP 1194 to go through enp5s0, and a disabled rule for UDP 1194 to go through enp4s0 (so it's easy to enable when something goes wrong).
We added:
push "redirect-gateway def1"
to /etc/openvpn/clients.conf.
We also added "reneg-sec 28800" to the server side and client side config.
All seems to work nicely...But I have also came across this article:
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_forcing_openvpn_traffic_for_clients_through_server
that advises to add 3 custom firewall rules
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow VPN client traffic back in if established
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT # Allow VPN clients out
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # nat for VPN
Do we need this (with enp5s0 instead of eth0 for our server) or it's an outdated documentation? I have added those rules but it seems to work with them or without them correctly during my short tests.
Thanks.
In OpenVPN
Share this post:
Accepted Answer
The first two are covered by the rule with the tun+ interface in the FORWARD chain. AFAIK, the last one changes the behaviour of the incomng traffic so it gets NAT'd to the ClearOS LAN IP so all traffic appears local to the LAN. This will/may get round a Windows firewalling issue where the Windows firewall often blocks traffic not originating from its own LAN so avoids changing firewall rules to any LAN attached machines which are required to be accessed via OpenVPN, but you'd need to check the Windows firewalls. It is generally unnecessary. I don't use it. I just use the default rules.
You may want to look at changing:
to
There are ways of making the connection more stable and resilient to an interface outage. In the ovpn file you can have multiple "remote" lines, one for each WAN, so the OpenVPN client will keep trying both until a connection is made. Also add a line "float" to the ovpn file. This will allow the client to automatically receive a packet from either interface once a connection is negotiated.
In /etc/openvpn/clients.conf, check you have the line "multihome".
I personally would leave udp:1194 open on both interfaces and remove the destination port as it should make switching more automatic, but you may want to test it.
You may want to look at changing:
push "redirect-gateway def1"
to
push "redirect-gateway def1 bypass-dhcp"
This is to avoid a possible issue when the client tries to renew its local DHCP lease.There are ways of making the connection more stable and resilient to an interface outage. In the ovpn file you can have multiple "remote" lines, one for each WAN, so the OpenVPN client will keep trying both until a connection is made. Also add a line "float" to the ovpn file. This will allow the client to automatically receive a packet from either interface once a connection is negotiated.
In /etc/openvpn/clients.conf, check you have the line "multihome".
I personally would leave udp:1194 open on both interfaces and remove the destination port as it should make switching more automatic, but you may want to test it.
Responses (6)
-
Accepted Answer
-
Accepted Answer
Thanks, Nick.
MTU issues should affect all files, not just small like you say.
BTW, why do you have "reneg-sec 28800"? Is that a SWEET32 mitigation? If so, current server and client software is not vulnerable.
I had password prompts every hour on old openVPN desktop client - that's why I added it. Not sure if it's needed for openVPN GUI which I'm using now. This shouldn't affect performance though. -
Accepted Answer
I'm afraid I have no idea about speed issues like you say. I don't recall any but I don't really transfer a lot of files. I don't even know if it is an encryption problem. Do your system loads climb much when downloading these files? Have a look at "top".
BTW, why do you have "reneg-sec 28800"? Is that a SWEET32 mitigation? If so, current server and client software is not vulnerable.
[edit]
The other thing which comes to mind is MTU issues, but then, why just for smaller files?
[/edit] -
Accepted Answer
Hi
I'm back on it...The connection is stable but performance is poor when clients connect via WiFi or mobile connection. Now I understand the problem with mobile connection but WiFi used for testing is OK -> 10Mbps Downstream / 6Mbps Upstream, very stable, no other clients connected to the WiFi. The server side connection is 60Mbps / 20Mbps.
The issue is that speed drops to few kb/s when connected via Wifi and copying a folder containing e.g. 200 small files (101MB total) which I find strange. Another example is launching a software that relies on data stored on a shared drive - it gets painfully slow as it needs to load data from many smaller files.
Iperf test on that connection:
local 192.168.2.1 port 5001 connected with 10.8.0.6 port 50079
[ 4] 0.0-12.4 sec 8.66 MBytes 5.85 Mbits/sec
All seems to be good for large files - no problems, the speed is what you expect. Transferring smaller files is a completely different story - it just gets very slow.
This is sample config I'm using:
client
remote ***.poweredbyclear.com 1194
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-cert.pem
cert client-***-cert.pem
key client-***-key.pem
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
reneg-sec 28800
float
I have also created QoS rule for 1194 ports inbound and outbound but that did not help.
Suggestions to the problem would be very welcome. -
Accepted Answer
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »