
[SOLVED] Edgerouter X super slow VPN


Finally ditched my old ASUS home router/AP and joined the world of Ubiquiti with an EdgeRouter-X and AC-PRO. Initial setup was all pretty straightforward and successful.

 

However, setting up a VPN server on the EdgeRouter has been extremely challenging and tedious compared to the 3 seconds it takes via the GUI on an ASUS consumer product... but it appears to be generally working... ish.

 

I have a fairly basic setup. 

 

AT&T fiber set to ip-pass-thru > eth0 EdgeRouter

EdgeRouter eth1 > Switch which the rest of the network connects to (including the AC-PRO)

EdgeRouter eth2 > Some network device as I ran out of ports on my switch

 

 

1. I can connect to the VPN from my iPhone.

2. I can surf the web - but it's s-l-o-o-o-o-o-o-o-w. Like 1990's dialup slow. But pages eventually load.

3. Ping utilities always report "Can't resolve host" when attempting to ping a public domain like google.com, or any of the devices on my LAN by IP, such as 192.168.2.1 (the EdgeRouter).

 

My goals are to:

1. Connect to VPN.

2. Have all traffic route through VPN.

3. Be able to access the local network (192.168.2.xxx) via the VPN.

 

Where have I gone wrong?

 

 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow OpenVPN"
             destination {
                 port 1194
             }
             protocol udp
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         speed auto
     }
     loopback lo {
     }
     openvpn vtun0 {
         description "OpenVPN server"
         encryption aes256
         hash sha256
         mode server
         openvpn-option "-port 1194"
         openvpn-option -tls-server
         openvpn-option "-comp-lzo yes"
         openvpn-option -persist-key
         openvpn-option -persist-tun
         openvpn-option "-keepalive 10 120"
         openvpn-option "-user nobody"
         openvpn-option "-group nogroup"
         openvpn-option "--push redirect-gateway def1 bypass-dhcp"
         server {
             name-server 192.168.2.1
             push-route 192.168.2.0/24
             subnet 192.168.200.0/24
         }
         tls {
             ca-cert-file /config/openvpn/demoCA/cacert.pem
             cert-file /config/openvpn/server.pem
             dh-file /config/openvpn/dh2048.pem
             key-file /config/openvpn/server-decrypted.key
         }
     }
     switch switch0 {
         address 192.168.2.1/24
         description Local
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface eth1
     lan-interface eth2
     lan-interface eth3
     lan-interface eth4
     rule 1 {
         description "Thing1"
         forward-to {
             address 192.168.2.100
             port 31400
         }
         original-port 31400
         protocol tcp_udp
     }
     rule 2 {
         description "Thing2"
         forward-to {
             address 192.168.2.100
             port 32400
         }
         original-port 32400
         protocol tcp_udp
     }
     wan-interface eth0
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update enable
         shared-network-name LAN {
             authoritative disable
             subnet 192.168.2.0/24 {
                 default-router 192.168.2.1
                 dns-server 192.168.2.1
                 dns-server 208.67.222.222
                 lease 86400
                 start 192.168.2.2 {
                     stop 192.168.2.80
                 }
                 static-mapping AC-PRO {
                     ip-address 192.168.2.120
                     mac-address 78:8a:20:89:f2:ac
                 }
                 static-mapping Chromebox {
                     ip-address 192.168.2.110
                     mac-address C4:54:44:5B:F0:D4
                 }
                 static-mapping CVO {
                     ip-address 192.168.2.169
                     mac-address EC:C8:82:BA:AE:38
                 }
                 static-mapping Switch {
                     ip-address 192.168.2.254
                     mac-address C0:7B:BC:65:74:01
                 }
                 static-mapping S1 {
                     ip-address 192.168.2.100
                     mac-address 00:08:9B:EF:29:6E
                 }
                 static-mapping S2 {
                     ip-address 192.168.2.101
                     mac-address 00:08:9b:ef:29:70
                 }
                 static-mapping SONY_PS4_PRO {
                     ip-address 192.168.2.94
                     mac-address BC:60:A7:F4:87:E2
                 }
             }
         }
         use-dnsmasq disable
     }
     dns {
         dynamic {
             interface eth0 {
                 service custom-noip {
                     host-name <sanitized_hostname>
                     login <sanitized_username>
                     password <sanitized_password>
                     protocol noip
                     server dynupdate.no-ip.com
                 }
             }
         }
         forwarding {
             cache-size 150
             listen-on switch0
             listen-on vtun0
         }
     }
     gui {
         http-port 80
         https-port 443
         listen-address 192.168.2.1
         older-ciphers enable
     }
     nat {
         rule 5010 {
             description "masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }
     }
     ssh {
         listen-address 192.168.2.1
         port 22
         protocol-version v2
     }
 }
 system {
     host-name ubnt
     login {
         user cgraham {
             authentication {
                 encrypted-password <sanitized_password>
                 plaintext-password ""
             }
             full-name ""
             level admin
         }
         user openvpn-user {
             authentication {
                 encrypted-password <sanitized_password>
                 plaintext-password ""
             }
             level operator
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     offload {
         hwnat enable
         ipsec enable
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
     traffic-analysis {
         dpi enable
         export enable
     }
 }

tail -f /var/log/messages

 

Hmmm, there seem to be some useful warnings in here.

 

Feb 22 03:19:50 ubnt openvpn[10305]: 99.203.16.24:27391 TLS: Initial packet from [AF_INET]99.203.16.24:27391, sid=2aadb824 ec839782
Feb 22 03:19:51 ubnt openvpn[10305]: 99.203.16.24:27391 VERIFY OK: depth=1, C=US, ST=NC, O=cgraham, CN=<sanitized_host>
Feb 22 03:19:51 ubnt openvpn[10305]: 99.203.16.24:27391 VERIFY OK: depth=0, C=US, ST=NC, L=Cary, O=cgraham, CN=chris-openvpn
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Feb 22 03:19:52 ubnt openvpn[10305]: 99.203.16.24:27391 [chris-openvpn] Peer Connection Initiated with [AF_INET]99.203.16.24:27391
Feb 22 03:19:52 ubnt openvpn[10305]: MULTI: new connection by client 'chris-openvpn' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 22 03:19:52 ubnt openvpn[10305]: MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Feb 22 03:19:52 ubnt openvpn[10305]: MULTI: Learn: 192.168.200.2 -> chris-openvpn/99.203.16.24:27391
Feb 22 03:19:52 ubnt openvpn[10305]: MULTI: primary virtual IP for chris-openvpn/99.203.16.24:27391: 192.168.200.2
Feb 22 03:19:52 ubnt openvpn[10305]: chris-openvpn/99.203.16.24:27391 PUSH: Received control message: 'PUSH_REQUEST'
Feb 22 03:19:52 ubnt openvpn[10305]: chris-openvpn/99.203.16.24:27391 send_push_reply(): safe_cap=940
Feb 22 03:19:52 ubnt openvpn[10305]: chris-openvpn/99.203.16.24:27391 SENT CONTROL [chris-openvpn]: 'PUSH_REPLY,dhcp-option DNS 192.168.2.1,route 192.168.2.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.200.2 255.255.255.0' (status=1)
Feb 22 03:19:53 ubnt openvpn[10305]: chris-openvpn/99.203.16.24:27391 IP packet with unknown IP version=15 seen
Feb 22 03:20:54  openvpn[10305]: last message repeated 22 times

Thanks in advance.


Re: [SOLVED] Edgerouter X super slow VPN


Solved this myself with a small adjustment to my OpenVPN configuration. I can now ping, access LAN resources, and the internet is working much faster.

 

These were the critical changes (the `--comp-lzo no` line resolves the "'comp-lzo' is present in remote config but missing in local config" warning in the log above, and the explicit `route-gateway` push replaces the `bypass-dhcp` redirect):

 

         openvpn-option "--push route-gateway 192.168.2.1"
         openvpn-option "--push redirect-gateway def1"
         openvpn-option "--comp-lzo no"

 

That block now looks like:

 

     openvpn vtun0 {
         description "OpenVPN server"
         encryption aes256
         hash sha256
         mode server
         openvpn-option "-port 1194"
         openvpn-option -tls-server
         openvpn-option -persist-key
         openvpn-option -persist-tun
         openvpn-option "-keepalive 10 120"
         openvpn-option "-user nobody"
         openvpn-option "-group nogroup"
         openvpn-option "--push route-gateway 192.168.2.1"
         openvpn-option "--push redirect-gateway def1"
         openvpn-option "--comp-lzo no"
         server {
             name-server 192.168.2.1
             push-route 192.168.2.0/24
             subnet 192.168.200.0/24
         }
         tls {
             ca-cert-file /config/openvpn/demoCA/cacert.pem
             cert-file /config/openvpn/server.pem
             dh-file /config/openvpn/dh2048.pem
             key-file /config/openvpn/server-decrypted.key
         }
     }

 
