New Member
Posts: 32
Registered: ‎03-29-2016
Kudos: 2
Accepted Solution

VPN Client Problem


My OpenVPN connections over UDP run very slowly through my router, an EdgeRouter X SFP (v1.10.8). The client is my PC (Debian, OpenVPN) and the VPN server is AzireVPN. When I use OpenVPN over port 443 TCP I get full speed (about 66/13). If I use port 443 UDP or port 1194, the speed is very slow: 0.49 Mbit down and 0.27 up. I think the ER X is the cause, because my ISP does not block UDP.

Here is my config.

Maybe someone can help me. Thank you!

 

/* Global firewall settings plus the two rulesets that the interfaces section binds to the PPPoE WAN interface (pppoe 0 under eth0). */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* WAN_IN: traffic arriving on the WAN for internal hosts. Only established/related flows are accepted; everything else falls through to default-action drop. */
    /* NOTE(review): port-forward has auto-firewall enabled, which is expected to add accept rules for the forwarded ports that do not appear in this ruleset - confirm on the device. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* WAN_LOCAL: traffic arriving on the WAN for the router itself. Same policy as WAN_IN; there is no accept rule for any service port. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        /* Clamps the MSS of TCP connections to 1412. MSS is a TCP option, so this has no effect on UDP and does not protect a UDP-encapsulated tunnel from path-MTU problems. */
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path source validation is off. Confirm whether strict mode is usable here; it drops packets whose source address is not routable via the interface they arrived on. */
    source-validation disable
    syn-cookies enable
}
/* Physical ports, the PPPoE WAN session, and the LAN switch with its tagged guest network. */
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        /* WAN session. This is the only interface in the listing with firewall rulesets attached (WAN_IN for forwarded traffic, WAN_LOCAL for traffic to the router). */
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            /* password and user-id were masked by the poster */
            password ****************
            user-id *******
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    /* eth5 has no description, address or switch membership in this listing */
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* LAN switch over eth1-eth4; the router is 192.168.1.1 on the untagged LAN. */
    switch switch0 {
        address 192.168.1.1/24
        description Local
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
        /* VLAN 10 guest network ("Gast" is German for guest), router address 172.16.1.1. */
        /* NOTE(review): no firewall ruleset is attached to switch0 or to vif 10 in this listing, so nothing shown here separates the guest network from the 192.168.1.0/24 LAN or from the router's own services. */
        vif 10 {
            address 172.16.1.1/24
            description "Gast LAN"
            mtu 1500
        }
    }
}
/* Inbound port forwards from pppoe0. All three rules target the same LAN host, 192.168.1.6. */
/* NOTE(review): these are the inbound exposures of this setup. The forwarded host shares the 192.168.1.0/24 subnet with the rest of the LAN; consider whether it belongs on its own segment. */
port-forward {
    /* Firewall accept rules for the forwards are generated automatically, so they do not appear under the firewall section. */
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    lan-interface switch0.10
    /* TCP 443; the poster states in the thread that this is for Nextcloud. Description masked by the poster. */
    rule 1 {
        description *******
        forward-to {
            address 192.168.1.6
            port 443
        }
        original-port 443
        protocol tcp
    }
    /* TCP and UDP 64000; purpose not stated on the page. */
    rule 2 {
        description *******
        forward-to {
            address 192.168.1.6
            port 64000
        }
        original-port 64000
        protocol tcp_udp
    }
    /* TCP 80, plain HTTP, to the same host. */
    rule 3 {
        description ********
        forward-to {
            address 192.168.1.6
            port 80
        }
        original-port 80
        protocol tcp
    }
    wan-interface pppoe0
}
/* Router services: DHCP for both networks, dynamic DNS, DNS forwarding, web GUI, source NAT and SSH. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* Guest network pool, 172.16.1.2-172.16.1.150; the router is gateway and DNS server. */
        shared-network-name Gast_LAN {
            subnet 172.16.1.0/24 {
                default-router 172.16.1.1
                dns-server 172.16.1.1
                start 172.16.1.2 {
                    stop 172.16.1.150
                }
            }
        }
        /* Main LAN pool, 192.168.1.2-192.168.1.243, lease 86400 seconds. */
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.2 {
                    stop 192.168.1.243
                }
            }
        }
    }
    dns {
        /* Three no-ip dynamic DNS entries tied to pppoe0. Service names, host names, logins and passwords were masked by the poster. */
        dynamic {
            interface pppoe0 {
                service custom-******* {
                    host-name ********
                    login *************
                    password ****************
                    protocol noip
                    server dynupdate.no-ip.com
                }
                service custom-******** {
                    host-name *********
                    login *************
                    password ****************
                    protocol noip
                    server dynupdate.no-ip.com
                }
                service custom-***** {
                    host-name **********
                    login ************
                    password ****************
                    protocol noip
                    server dynupdate.no-ip.com
                }
            }
        }
        /* DNS forwarder listens on the LAN and the guest VLAN only, not on pppoe0. */
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on switch0.10
        }
    }
    /* Web GUI on 8443 - presumably moved off 443 because that port is forwarded to 192.168.1.6; confirm. */
    gui {
        https-port 8443
    }
    nat {
        /* Source NAT for everything leaving through pppoe0. */
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    /* SSH on port 22, protocol v2. WAN_LOCAL has no accept rule for it, so as listed it is answered on the LAN side only. */
    /* NOTE(review): that LAN side includes the guest VLAN, because no local ruleset is attached to switch0.10 in this listing; the same holds for the GUI on 8443. */
    ssh {
        port 22
        protocol-version v2
    }
    /* Ubiquiti device discovery is turned off. */
    ubnt-discover {
        disable
    }
    /* UNMS management connection is turned off. */
    unms {
        disable
    }
}
/* Host identity, the admin login, upstream resolver, NTP and logging. */
system {
    host-name ubnt-router
    login {
        /* Single admin-level account; the user name and the password hash were masked by the poster. */
        /* Masking encrypted-password before sharing a config is the right call: a published hash can be attacked offline. */
        user **** {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 1.1.1.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Logging: all facilities at notice, the protocols facility at debug. No remote syslog host appears in this listing. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
/* Smart queue on the WAN interface. Only an upload stanza is configured (rate 16mbit); there is no download stanza in this listing. */
traffic-control {
    smart-queue A1 {
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 16mbit
        }
        wan-interface pppoe0
    }
}

 


Accepted Solutions
Member
Posts: 736
Registered: ‎09-13-2018
Kudos: 138
Solutions: 48

Re: VPN Client Problem

All I can say is that I use OpenVPN from an ERX with 1.10.8 (in lab) through another ERX (with NAT) to a ER4 with static IP at work, using the default UDP encapsulation, and it works (as well as OpenVPN will).  So I am not convinced that the problem is the ERX running 1.10.8.   How do you know that your ISP is not throttling you?

 

Have you tried connecting your Debian PC directly to the modem, using the PPPoE setup, and testing with the ERX out of the picture?  You could also run iperf3 to a public iperf server using UDP and TCP.

 

Before you do that, you could use tcpdump on the ERX to look at the traffic to the remote end point of the OpenVPN tunnel, or since you are using Debian, do the tcpdump there (possibly in addition to what you do at the ERX).



All Replies
Member
Posts: 736
Registered: ‎09-13-2018
Kudos: 138
Solutions: 48

Re: VPN Client Problem

Is OpenVPN running on the Debian pc?  You are port forwarding tcp 443. 

 

But I don't understand why you need port forwarding for OpenVPN, since you are initiating the connection.  I can connect to PIA with OpenVPN and no port forwarding.

 

One possibility of what is causing the problem is a reduced MTU somewhere along the path.  mss clamp only affects tcp, not udp.  So it is at least a possibility that there are packets being dropped due to being too large.  See this https://prabuddha.me/openvpn-tcp-or-udp-tunneling/

 

I have been reading about WireGuard, and it appears that AzireVPN supports it.  You may want to try that out; it looks reasonably easy to install and configure (there is a help page about WireGuard on the AzireVPN home page).  It uses UDP only, but you can set the MTU of the wg device to a smaller value to get past MTU black holes.

New Member
Posts: 32
Registered: ‎03-29-2016
Kudos: 2

Re: VPN Client Problem

Thank you for your prompt reply. Unfortunately, I have already tried the WireGuard client, with the same result. I opened port 443 TCP for my Nextcloud, which has nothing to do with the VPN. Somehow my ER X has problems with UDP packets, because the VPN client runs perfectly over TCP.

Member
Posts: 736
Registered: ‎09-13-2018
Kudos: 138
Solutions: 48

Re: VPN Client Problem

All I can say is that I use OpenVPN from an ERX with 1.10.8 (in lab) through another ERX (with NAT) to a ER4 with static IP at work, using the default UDP encapsulation, and it works (as well as OpenVPN will).  So I am not convinced that the problem is the ERX running 1.10.8.   How do you know that your ISP is not throttling you?

 

Have you tried connecting your Debian PC directly to the modem, using the PPPoE setup, and testing with the ERX out of the picture?  You could also run iperf3 to a public iperf server using UDP and TCP.

 

Before you do that, you could use tcpdump on the ERX to look at the traffic to the remote end point of the OpenVPN tunnel, or since you are using Debian, do the tcpdump there (possibly in addition to what you do at the ERX).

New Member
Posts: 32
Registered: ‎03-29-2016
Kudos: 2

Re: VPN Client Problem

Thank you for putting me on the right path. The ER X is not the problem. I connected my Debian PC directly to the modem via PPPoE, and the same problems with UDP occur. Apparently my ISP really does slow down UDP packets.
