OpenVPN client speed - Merlin 384.19 vs 386.1

[Viktor Jaep]

OpenVPN advanced parameters I use are copied from ExpressVPN website and are meant for Merlin firmware:
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288

@bukso, your OpenVPN parameters had me question some of my settings, so I dove into it deeper. Please keep in mind, I'm definitely no expert here. When I look at the expressvpn.com site on instructions for configuring OpenVPN on an Asus router using Merlin's firmware (https://www.expressvpn.com/support/vpn-setup/manual-config-for-asus-router-with-openvpn/), they give you this sample config to use... and looks just like yours:

fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288

... but in my own config, my mssfix was set to 1450, and things seemed to be working fine, and wanted to understand the difference. So I looked up how to properly configure mtu and mssfix using these instructions: https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn

So I found out that using this method: ping -n 1 -l 1500 -f www.example.com -- that my MTU was actually 1470... and subtracting 40 from that would make my mssfix 1430.

I applied these settings hoping to see some kind of difference, but I didn't see any increase or decrease in speed, plus I started seeing a tun-mtu warning now in the logs... I'm not sure what to do about the link-mtu since I don't specify it anywhere, but I guess that's normal.

Feb 10 06:00:01 ovpn-client1[15002]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1606'
Feb 10 06:00:01 ovpn-client1[15002]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1470', remote='tun-mtu 1500'

So I changed my tun-mtu back to 1500, and am using mssfix 1460... so far so good. Speedtests are still the same... I'm sure this wasn't much help, but it was a good exercise.

 

[maxbraketorque]

Have you tried running without tun-mtu and mssfix? Those are typically not needed and not recommended to be used. Those settings can be disabled by putting a # symbol in front of them. Another item to try would be running the mtu test. This is done by adding mtu-test to the configuration.

 

[Viktor Jaep]

Have you tried running without tun-mtu and mssfix? Those are typically not needed and not recommended to be used. Those settings can be disabled by putting a # symbol in front of them. Another item to try would be running the mtu test. This is done by adding mtu-test to the configuration.

I never considered that... I've just stolen parts and pieces from other people's examples until I got something that worked for my needs. I'll definitely give it a shot!

 

[Tom Jo-Jo Junior Shabadoo]

Has anyone looked to see what cipher is being used?

I have used AES-256-CBC both before and after the FW upgrade.
I don't see any errors in the connection log

Feb 10 15:28:25 ovpn-client1[4189]: VERIFY OK: depth=1, C=SC, ST=Mahe, L=Victoria, O=Global Stealth, Inc., OU=VPN, CN=Global Stealth, Inc. CA, name=serverlocation-key, emailAddress=admin@serverlocation.co
Feb 10 15:28:25 ovpn-client1[4189]: VERIFY KU OK
Feb 10 15:28:25 ovpn-client1[4189]: Validating certificate extended key usage
Feb 10 15:28:25 ovpn-client1[4189]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Feb 10 15:28:25 ovpn-client1[4189]: VERIFY EKU OK
Feb 10 15:28:25 ovpn-client1[4189]: VERIFY OK: depth=0, C=SC, ST=Mahe, L=Victoria, O=Global Stealth, Inc., OU=VPN, CN=*.serverlocation.co, name=serverlocation-key, emailAddress=admin@serverlocation.co
Feb 10 15:28:26 ovpn-client1[4189]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1570'
Feb 10 15:28:26 ovpn-client1[4189]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Feb 10 15:28:26 ovpn-client1[4189]: Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Feb 10 15:28:26 ovpn-client1[4189]: [*.serverlocation.co] Peer Connection Initiated with [AF_INET]xxx.xxx.81.133:54
Feb 10 15:28:28 ovpn-client1[4189]: SENT CONTROL [*.serverlocation.co]: 'PUSH_REQUEST' (status=1)
Feb 10 15:28:28 ovpn-client1[4189]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS xxx.xxx.169.181,dhcp-option DNS xxx.xxx.249.225,sndbuf 393216,rcvbuf 393216,route-gateway 10.16.0.1,topology subnet,ping 10,ping-restart 30,ifconfig 10.16.0.6 255.255.255.0'
Feb 10 15:28:28 ovpn-client1[4189]: OPTIONS IMPORT: timers and/or timeouts modified
Feb 10 15:28:28 ovpn-client1[4189]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 10 15:28:28 ovpn-client1[4189]: Socket Buffers: R=[524288->786432] S=[524288->786432]
Feb 10 15:28:28 ovpn-client1[4189]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 10 15:28:28 ovpn-client1[4189]: OPTIONS IMPORT: route options modified
Feb 10 15:28:28 ovpn-client1[4189]: OPTIONS IMPORT: route-related options modified
Feb 10 15:28:28 ovpn-client1[4189]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 10 15:28:28 ovpn-client1[4189]: Using peer cipher 'AES-256-CBC'
Feb 10 15:28:28 ovpn-client1[4189]: Data Channel: using negotiated cipher 'AES-256-CBC'
Feb 10 15:28:28 ovpn-client1[4189]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 10 15:28:28 ovpn-client1[4189]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 10 15:28:28 ovpn-client1[4189]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 10 15:28:28 ovpn-client1[4189]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 10 15:28:28 ovpn-client1[4189]: TUN/TAP device tun11 opened
Feb 10 15:28:28 ovpn-client1[4189]: TUN/TAP TX queue length set to 1000
Feb 10 15:28:28 ovpn-client1[4189]: /usr/sbin/ip link set dev tun11 up mtu 1500
Feb 10 15:28:28 ovpn-client1[4189]: /usr/sbin/ip link set dev tun11 up
Feb 10 15:28:28 ovpn-client1[4189]: /usr/sbin/ip addr add dev tun11 10.16.0.6/24
Feb 10 15:28:28 ovpn-client1[4189]: ovpn-up 1 client tun11 1500 1570 10.16.0.6 255.255.255.0 init
Feb 10 15:28:31 openvpn-routing: Configuring policy rules for client 1
Feb 10 15:28:31 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Feb 10 15:28:31 ovpn-client1[4189]: Initialization Sequence Completed

 

[bukso]

@Viktor Jaep - before creating this thread I also stumbled upon exactly same article about MTU size and I did play around with modifying mssfix parameter and tested it. Exactly as you found out, it did nothing to my ExpressVPN speed on either firmware.

Generally speaking I should not need to fiddle with OpenVPN client parameters which are published on ExpressVPN website and are directly intended for Asus Merlin firmware. Company running VPN servers should know best what configuration is needed by various clients connecting to their servers to create most effective client-server relationship.

Without deep knowledge of OpenVPN system and ExpressVPN server configuration you can just blindly manipulate one or more of the parameters and hope that your connection speed improves. But most probably you will just end up wasting time.

And I don't know if OpenVPN client 2.5.0 can reach same speeds as OpenVPN client 2.4.9, when connecting to ExpressVPN servers, just by changing one or more client parameters/settings or if ExpressVPN needs to modify settings on their back-end servers. Or maybe they need to upgrade OpenVPN component on their servers first to match client version.
Who knows besides ExpressVPN engineers ... ?

 

[maxbraketorque]

I have used AES-256-CBC both before and after the FW upgrade.
I don't see any errors in the connection log

...
Feb 10 15:28:26 ovpn-client1[4189]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1570'
Feb 10 15:28:26 ovpn-client1[4189]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
...

There's a mismatch somewhere between the server config and client config that's getting automatically resolved, although it doesn't necessarily point to any issues that could cause a slow down. I still wonder about the cipher though because cipher mismatch caused these same warnings for my config. Have you tried using the AES-128-GCM cipher? It is a less processor intensive cipher.

 

[tobifr34k]

Hi all,

i've updated from 384.19 to 386.2_4 and i have exact the same problem with the speed with vpn. My Provider is perfect-privacy. I've asked my provider already if they have a solution, but he means that the problem is not on their side.

Is there any solution clientside already or is the problem my vpn provider? My provider provides OpenVPN 2.4 and not 2.5. Is that the problem?

Thanks in advance!

Regards