Hi !
I've been using openvpn as a client on clearos for a couple of years. Clearos is set as a Gateway for my LAN, but connects as a client to a VPS from DigitalOcean in Toronto, to be able to have all my devices behind a VPN. I also have a Cisco ASA5505 Firewall between my internet connection and the eth0 of clearos.
Everything was going very well on my 30 Mbit internet connection. Then I decided to upgrade it to 60 Mbit. I noticed that when openvpn is connected to the VPS, my speed is limited to 30M (speedtest.net). I did the speedtest on the IP Settings page of Clearos, then saved the result on eth0, but it still caps at 30Mbit.
To find out where the problem was, I installed openvpn on my Archlinux PC, then put the PC behind the ASA5505, but before the ClearOS eth0. With the openvpn client connected to the same VPS on my Archlinux PC, I can reach 60 Mbit on speedtest.net. So the problem is not the ASA, nor the DigitalOcean server. It looks like openvpn on clearos is limiting the bandwidth to 30M.
Here is a basic overview of the current routing. All my devices go out to the internet from the DigitalOcean IP.
Internet --> ASA5505 --> Clearos eth0 [ ] Clearos eth1 --> Cisco 48 port gig switch --> All my devices
Clearos openvpn client --> My Toronto VPS --> DigitalOcean Internet
Here is the clearos openvpn.conf:
# Mode and protocol
client
remote xxxxxxx.ca 1443
proto udp
dev tun
# VPN options
topology subnet
comp-lzo
persist-key
keepalive 10 120
verb 3
log digitalocean.log
# Encryption and TLS
cipher AES-256-CBC
auth SHA256
tls-client
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# Certificates
tls-crypt /etc/openvpn/keys/do-vps.tlsauth
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/pingouin.crt
key /etc/openvpn/keys/pingouin.key
Here is the server side config:
# Mode and protocol
port 1443
proto udp
dev tun
# VPN options
topology subnet
tls-server
ifconfig-pool-persist ipp.txt
comp-lzo
max-clients 3
persist-key
user nobody
group nobody
client-to-client
client-config-dir ccd
keepalive 10 120
chroot /var/empty/openvpn_server
verb 3
log server.log
# Encryption and TLS
cipher AES-256-CBC
auth SHA256
remote-cert-eku "TLS Web Client Authentication"
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# Certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/do-vps.crt
key /etc/openvpn/easy-rsa/keys/do-vps.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-crypt /etc/openvpn/easy-rsa/keys/do-vps.tlsauth
# IP configuration
server 10.9.0.0 255.255.255.0
route 10.195.198.0 255.255.255.0 10.9.0.2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
10.195.198.0 is my LAN subnet.
Here is the routing table, when connected to the VPS:
[root@pingouin ~]# ip route
0.0.0.0/1 via 10.9.0.1 dev tun0
default via 172.16.24.1 dev ens18
10.9.0.0/24 dev tun0 proto kernel scope link src 10.9.0.2
10.195.198.0/24 dev ens19 proto kernel scope link src 10.195.198.2
128.0.0.0/1 via 10.9.0.1 dev tun0
159.203.27.104 via 172.16.24.1 dev ens18
172.16.24.0/24 dev ens18 proto kernel scope link src 172.16.24.2
ens19 is the LAN interface of clearos, which is set to 10.195.198.2.
172.16.24.1 is the ASA5505; 172.16.24.2 is the clearos external interface ens18.
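The two /1 routes (0.0.0.0/1 and 128.0.0.0/1) that redirect-gateway def1 pushes are more specific than the default route, which is why every LAN client exits through the VPS while the VPS itself stays reachable through the ASA via its host route. The following Python script is an added illustration, not code from the thread: it parses the routing table posted above and resolves a few constructed sample destinations with longest-prefix matching, the same rule the kernel applies.

```python
import ipaddress

# Constructed copy of the "ip route" output posted in the question
# (tun0 = OpenVPN tunnel, ens18 = WAN towards the ASA, ens19 = LAN).
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.9.0.1 dev tun0
default via 172.16.24.1 dev ens18
10.9.0.0/24 dev tun0 proto kernel scope link src 10.9.0.2
10.195.198.0/24 dev ens19 proto kernel scope link src 10.195.198.2
128.0.0.0/1 via 10.9.0.1 dev tun0
159.203.27.104 via 172.16.24.1 dev ens18
172.16.24.0/24 dev ens18 proto kernel scope link src 172.16.24.2
"""


def parse_ip_route(text):
    """Turn each 'ip route' line into (network, gateway or None, device)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((net, gw, dev))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    routes = parse_ip_route(IP_ROUTE_OUTPUT)
    # Constructed sample destinations: public host, the VPS, a LAN host, the ASA.
    for ip in ("8.8.8.8", "159.203.27.104", "10.195.198.50", "172.16.24.1"):
        print(ip, "->", lookup(routes, ip))
```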
Responses (5)
Accepted Answer
Encryption with something like OpenVPN is relatively CPU intensive but I would have thought that most hardware could cope with those speeds (but I know a Pi won't - the old Pi2 can barely do 5Mbps). What is the output of "top" when doing the speed test?
Unfortunately virtualisation introduces another level of complexity.
Accepted Answer
Nick Howitt wrote:
OK. What is the output of:
lspci -k | grep Eth -A 3
For my site<->site connections I use this doc. It does not use certificates or:
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
I wonder if that makes any difference. I guess I could try setting up some sort of internal test. I can't set up an external test as one end has an up-link speed of 3Mbps and the other of about 9Mbps.
I wonder also if you are hardware limited, but I don't know what sort of speeds to expect.
Here is the result of the lspci:
00:12.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 03)
Subsystem: Red Hat, Inc. QEMU Virtual Machine
Kernel driver in use: e1000
Kernel modules: e1000
00:13.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 03)
Subsystem: Red Hat, Inc. QEMU Virtual Machine
Kernel driver in use: e1000
Kernel modules: e1000
Clearos is running on a Proxmox OS (Virtualization). I don't think I'm hardware limited, as I can get the 60M with clearos, but with openvpn stopped.
Also, I don't think that the certificate or encryption (TLS) is making a difference, because I took the clearos certificate and clearos config to connect to the VPS using my Archlinux PC (bypassing the clearos gateway) and I get the 60M.
Thanks for the help by the way!
Accepted Answer
OK. What is the output of:
lspci -k | grep Eth -A 3
For my site<->site connections I use this doc. It does not use certificates or:
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
I wonder if that makes any difference. I guess I could try setting up some sort of internal test. I can't set up an external test as one end has an up-link speed of 3Mbps and the other of about 9Mbps.
I wonder also if you are hardware limited, but I don't know what sort of speeds to expect.
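Whether the auth and tls-cipher settings matter is easiest to settle by checking that the two ends actually agree and by flagging the settings in the posted configs that cost CPU per packet or are below current guidance (the DHE suite relies on dh1024.pem, and comp-lzo is deprecated by OpenVPN). This Python checker is an added example, not code from the thread; the config excerpts are constructed from the ones posted above, with comments and key paths omitted.

```python
import re

# Constructed excerpt of the client config posted in the question.
CLIENT_CONF = """\
proto udp
dev tun
topology subnet
comp-lzo
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""
# Constructed server excerpt: same directives plus the dh line from the posted server config.
SERVER_CONF = CLIENT_CONF + "dh /etc/openvpn/easy-rsa/keys/dh1024.pem\n"

# Directives that must agree on both ends; a mismatch breaks the tunnel or
# silently changes what gets negotiated.
MUST_MATCH = ("proto", "dev", "topology", "comp-lzo", "cipher", "auth",
              "tls-version-min", "tls-cipher")


def parse_conf(text):
    """Map each directive to its argument ('' for flags such as comp-lzo); '#' comments dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, arg = line.partition(" ")
            conf[key] = arg.strip()
    return conf


def check_pair(client, server):
    """Return findings: client/server mismatches plus weak settings visible in the server config."""
    findings = []
    for d in MUST_MATCH:
        if client.get(d) != server.get(d):
            findings.append(f"mismatch {d}: client={client.get(d)!r} server={server.get(d)!r}")
    # tls-cipher is a DHE suite, so the dh parameters are used; 1024-bit DH is below the usual 2048-bit floor.
    m = re.search(r"dh(\d+)", server.get("dh", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh: {m.group(1)}-bit parameters, regenerate with at least 2048 bits")
    # comp-lzo is deprecated by OpenVPN and adds per-packet CPU work, so disable it when chasing throughput.
    if "comp-lzo" in server:
        findings.append("comp-lzo: compression enabled; disable it on both ends (deprecated)")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_conf(CLIENT_CONF), parse_conf(SERVER_CONF)):
        print(finding)
```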
Accepted Answer
No, I'm not using QoS. As I mentioned, I did the speedtest under IP settings of the webmin page (little RPM logo) and saved the result.
Here is the network.conf file:
[root@pingouin ~]# cat /etc/clearos/network.conf
# Network mode
MODE="gateway"
# Network interface roles
EXTIF="ens18"
LANIF="ens19"
DMZIF=""
HOTIF=""
# Domain and Internet Hostname
DEFAULT_DOMAIN="xxxxx.ca"
INTERNET_HOSTNAME="xxxxx.ca"
# Extra LANS
EXTRALANS=""
# ISP Maximum Speeds
ENS18_MAX_DOWNSTREAM=66000
ENS18_MAX_UPSTREAM=10930
Also, I forgot to mention that when I shut down the openvpn service, all my devices get the 60M, passing through the clearos gateway.
Accepted Answer
Have you set the bandwidth limit for the NIC to 30Mbps? In this case the QoS could be throttling you. If you can't do it through the webconfig, set the speeds to 0 in /etc/clearos/network.conf then restart the firewall by doing a "service firewall restart". Or just disable QoS while testing.
Please post back if this is the issue and I'll file a bug to disable QoS before speedtesting and enable it after if it was enabled before the speed test.