iBurst + OpenVPN = teh suck?

RatX

Well-Known Member
Joined
Apr 27, 2005
Messages
137
Quick question - has anybody had any luck talking to an OpenVPN server over iBurst? I recently set up an OpenVPN box at the office, which I can connect to without issue. Latency is fine (avg 100ms) and I can connect to ssh sessions, but as soon as I try to do anything which requires more than a few bytes, the connection grinds to a screaming halt. It doesn't disconnect, it just stalls. I have similar issues connecting to an OpenVPN server in NYC, although the performance on that one is slightly better.

OpenVPN is using default port 1194 UDP and my iBurst MTU is 1352. I've been working happily with an Avaya VPN solution over iBurst up until now, but it has been discontinued. I'm going to try TCP instead of UDP, and perhaps a different port, but was just wondering if anybody has experienced anything similar.

Peace y'all.
 

titanium

Well-Known Member
Joined
Jun 13, 2005
Messages
277
OpenVPN uses a default MTU size of 1500 if memory serves.

Try increasing your iBurst MTU, or decrease the MTU setting in OpenVPN / Windows. Also perhaps enable the --fragment or --mssfix options. Can't really suggest more without knowing your environment / config settings in more detail.

You could try --tun-mtu 1500 --fragment 1300 --mssfix in OpenVPN.

Cheers
 

RatX

Titanium, you're a diamond. The MTU settings never occurred to me and are a clear pointer to the erratic performance I'm getting. Will play around with MTU settings on the local and remote end and post my findings.
 

RatX

Thanks vensters - is that on the iBurst connection itself or on the VPN connection?
 

Ekhaatvensters

Executive Member
Joined
Sep 8, 2005
Messages
7,247
Oh, sorry, I meant you use 1342 for the iBurst connection connecting to the VPN.

I'm not sure about the VPN itself.
 

Taranchio

Member
Joined
Sep 4, 2006
Messages
20
Actually, I think leave the iBurst MTU alone and pull the VPN MTU down to 1342.

Remember the VPN adds some additional headers to every packet, so to have those fit into the 1352 of iBurst packets you need to make the VPN packets smaller.
 

RatX

Solution found! Set MTU on local tun0 interface!

Thanks all for your helpful pointers in resolving this issue. They gave me the clues I needed to eventually solve it. Not sure if my solution is the optimal route, but for now it works just fine, although probably only for routed OpenVPNs. I tried various permutations of iBurst MTUs and OpenVPN link-mtus (client/server/both) to no avail. OpenVPN mssfix or fragment settings didn't seem to help either.

Then I set the MTU on the tun0 interface on one of my Windows machines to 1300 using DrTCP (been testing on both Windows & Linux clients). Current iBurst MTU is set back to 1352. After this change, I had VPN happiness with good throughput, despite the low upstream on the remote IS aDSL Internet connection. Remote OpenVPN and everything else is set to default 1500 MTU.

I'm still getting my head around the optimal MTU for this slightly complex setup (< OpenVPN client(s) on LAN > < Smoothwall f/w > < iBurst > < Internet > < IS aDSL> < remote f/w > < OpenVPN server in DMZ > < remote LAN / multi-site WAN>). Right now the throughput is just fine for my purposes and I will leave it as is before I break it trying to make it faster.

One interesting fact that came out of this experience is that the only application which was functional (able to connect and operate) over the OpenVPN connection when the MTU discrepancies were too great for anything else was UltraVNC client / server. Hopefully this helps somebody one day!

Thanks again to those who contributed to my query.
 

who.is.michael

Expert Member
Joined
Aug 4, 2006
Messages
2,929
No issues with Open VPN

An afterthought, you might have done this already...

OVPN works fine if you leave the default iBurst MTU value at 1352, however still best to make use of the service before/(after) the networks become congested.

Set this via your router; then right click on your VPN NIC, (normally called TAP-Win32 Adapter V8) go to properties, under the general tab click configure, click the advanced tab, last setting in the property column is MTU, click it and set the value in the right column to 1352.

You should see a marked difference, also experiment with the value EHV has suggested of 1324, however I prefer 1352.
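Added example, not part of any post in this thread: a shell sketch that measures the largest unfragmented packet on the path to the VPN server and derives a tun MTU from it, which is the calculation the replies above are circling around. It assumes Linux iputils `ping`; the hostname is a placeholder and the 41-byte OpenVPN overhead default is an assumed figure that varies with cipher and HMAC.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses the path to the VPN
# server without fragmentation, then derive a tun-interface MTU from it.

# Assumption: Linux iputils ping, where "-M do" sets Don't Fragment and
# "-s" is the ICMP payload size (IP packet = payload + 28 bytes of headers).
probe() {  # probe HOST PACKET_SIZE -> exit 0 if a packet of that size passes
    ping -M do -c 1 -W 2 -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# Binary search between 576 and 1500 for the largest passing packet size.
find_path_mtu() {  # find_path_mtu HOST -> prints path MTU, or fails
    host=$1 lo=576 hi=1500
    probe "$host" "$lo" || { echo "no reply from $host at $lo bytes" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Tunnel MTU = path MTU minus outer IPv4 (20) + UDP (8) headers minus the
# OpenVPN per-packet overhead. The overhead depends on cipher and HMAC; the
# default of 41 bytes here is an assumed figure, not taken from the thread.
tun_mtu_for() {  # tun_mtu_for PATH_MTU [OPENVPN_OVERHEAD]
    echo $(( $1 - 20 - 8 - ${2:-41} ))
}

# Run as: sh pmtu.sh vpn.example.org   (hostname is a placeholder)
if [ -n "${1:-}" ]; then
    pmtu=$(find_path_mtu "$1") || exit 1
    tun=$(tun_mtu_for "$pmtu")
    echo "path MTU to $1: $pmtu"
    echo "suggested tun MTU: $tun"
    # Inner TCP MSS = tun MTU minus inner IPv4 (20) + TCP (20) headers.
    echo "TCP MSS inside tunnel: $(( tun - 40 ))"
fi
```

Run it from the client while the VPN is down so the probes travel over the bare iBurst link, and pass your own measured overhead as the second argument to `tun_mtu_for` if you know it.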
 