VPN SSID SLOW COMPARED TO MANGLE METHOD


bilboSNB

Senior Member
Using
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.51 -j MARK --set-mark 10

I get 30 to 40 mbps throughput over the vpn when tagging particular clients for vpn use.

I have been trying to dedicate an SSID guest network to use the vpn in addition to this and have got it working but throughput is a lot slower and I was wondering if anyone knew why this might be?

These are the commands used:

ifconfig wl0.1 192.168.2.1
iptables -I INPUT -i wl0.1 -j ACCEPT
iptables -I FORWARD -i wl0.1 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE

ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl0.1 -p arp -j DROP
ip rule add dev wl0.1 table 10

plus appropriate dnsmasq config

many thanks
 
Which model router? Is it overclocked? Also, what is your non VPN throughput? Is throughput of non VPN traffic slower also?

Sent from my SM-N910V using Tapatalk
 
I use the admin interface for managing the br0 LAN and a combination of scripting and admin interface changes for guest/VPN SSIDs.

Try the following:

- Create a guest wifi network, wl0.1, via the admin interface with access to intranet set to off
- Disable compression in your OpenVPN client config
- Set redirect internet traffic to 'Policy rules' and add a rule for 192.168.2.0/24 with iface VPN
- Edit your firewall script with:

Code:
# Wi-Fi Lan Segments
ifconfig wl0.1 192.168.2.1 netmask 255.255.255.0

# Firewall Performance Tweak
iptables -D INPUT `iptables --line-numbers -nL INPUT | grep INVALID | tail -n1 | awk '{print $1}'`
iptables -D INPUT `iptables --line-numbers -nL INPUT | grep ESTABLISHED | tail -n1 | awk '{print $1}'`
iptables -I INPUT -m state --state INVALID -j DROP
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


# Custom Guest Network/s Firewalling
ebtables -t broute -F
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

iptables -I FORWARD -i wl0.1 -o br0 -j DROP
iptables -I FORWARD -i wl0.1 -o tun11 -j ACCEPT
iptables -I INPUT -i wl0.1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE

- Reboot

*Note: I'm using a custom dnsmasq config with multiple dnscrypt/unbound threads and my mangle list has no entries for wl0.1
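An offline sanity check for the guest-SSID-to-VPN policy routing discussed in this thread, added here as an example (not code from the thread or from the firmware): it parses text captured from `ip rule show` and `ip route show table 10` and also looks for a fallback `unreachable` default route, which the thread does not mention, so guest traffic is dropped rather than routed via the main table if tun11 goes down. It assumes wl0.1, table 10 and tun11 as in the posts; the sample outputs are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: offline check that a guest SSID is pinned
# to the VPN routing table. It parses captured `ip rule show` and
# `ip route show table N` text, so it runs without touching a router.
GUEST_IF="${GUEST_IF:-wl0.1}"   # guest SSID interface (assumed, as in the thread)
VPN_TABLE="${VPN_TABLE:-10}"    # policy routing table holding the tunnel default
TUN_IF="${TUN_IF:-tun11}"       # OpenVPN client interface

# has_guest_rule RULE_TEXT: 0 if a rule sends packets arriving on GUEST_IF to
# VPN_TABLE (`ip rule add dev wl0.1 table 10` is listed as "iif wl0.1").
has_guest_rule() {
    printf '%s\n' "$1" | grep -Eq "from all iif $GUEST_IF lookup $VPN_TABLE(\$| )"
}

# table_uses_tun ROUTE_TEXT: 0 if the table's default route leaves via TUN_IF.
table_uses_tun() {
    printf '%s\n' "$1" | grep -Eq "^default via [0-9.]+ dev $TUN_IF(\$| )"
}

# table_fail_closed ROUTE_TEXT: 0 if the table also carries an unreachable /
# prohibit default. When tun11 drops, its route is removed, the table becomes
# empty and lookups fall through to the main table (the WAN); the higher-metric
# unreachable route keeps guest traffic blackholed instead.
table_fail_closed() {
    printf '%s\n' "$1" | grep -Eq "^(unreachable|prohibit|blackhole) default"
}

# check_guest_vpn RULE_TEXT ROUTE_TEXT: print findings, return the problem count.
check_guest_vpn() {
    problems=0
    has_guest_rule "$1" || { echo "MISSING: ip rule dev $GUEST_IF table $VPN_TABLE"; problems=$((problems+1)); }
    table_uses_tun "$2" || { echo "MISSING: default via $TUN_IF in table $VPN_TABLE"; problems=$((problems+1)); }
    table_fail_closed "$2" || { echo "WEAK: no unreachable default in table $VPN_TABLE"; problems=$((problems+1)); }
    [ "$problems" -eq 0 ] && echo "OK: $GUEST_IF -> $TUN_IF, fails closed"
    return "$problems"
}

# Constructed sample output (what the thread's rule/route commands list, plus the
# fallback this example recommends: ip route add unreachable default metric 1000 table 10)
SAMPLE_RULES="0:      from all lookup local
32765:  from all iif wl0.1 lookup 10
32766:  from all lookup main"
SAMPLE_ROUTES="default via 10.8.0.5 dev tun11
unreachable default metric 1000"

# On the router run: check_guest_vpn "$(ip rule show)" "$(ip route show table $VPN_TABLE)"
check_guest_vpn "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```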
 
Thanks I'll try that script tonight.

It's an AC68U overclocked to 1200.
Normal internet 70mbits down
Normal VPN speed using the routers vpn client 30 - 40 mbits
SSID dedicated to vpn usage, the speed is 8mbits using the same vpn server

This is what I do not understand, the speed reduction when connected to the dedicated vpn ssid, I am guessing there is some logic fail in the rules I am using.

I had been having issues with the vpn policy routing method and have not been using it hence using the fwmark method and ip rule add dev wl0.1 table 10 which I think does the same thing anyway.
 
I reverted to policy based vpn and used the script you provided but there is still a substantial speed differential between clients on the dedicated ssid and clients on the normal ssid directed to vpn by policy rules. Any ideas? Could it be something to do with being on a different subnet and extra routing involved?

I can't disable compression with my provider.
 
@bilboSNB That's strange as I am saturating both my download/upload speeds at 95~98% of the available capacity 50Mbps/10Mbps over the vpn enabled ssid and I am seeing the exact same speeds via the local subnet (policy-based vpn routing)... I've oc'd the router to 1400/800 stable and am on the .55 firmware.

Do you have hardware acceleration enabled or disabled? Can you also list your iptables main and mangle rules? Did you try testing your download speeds whilst connected to your main wl0/2.4GHz network?
 
I also have no speed problems, as outlined here, by using the standard VPN WLAN routing script as discussed here.
 
Thanks both.
CTF is enabled, and yes, I was testing on the main wifi as well.
I decided to turn off every extra feature I had turned on and get rid of my extra ip rules, and the speed then stabilized.
After turning things back on one by one I have come to the conclusion it is the block malicious sites setting that was causing me an issue.
Do you happen to have this turned off?
 
@bilboSNB I set up my router to load balance requests over 3 dnscrypt servers - 2 from dnscrypt.eu and 1 anonymous (private).

For dns leaks from the guest network, I isolated the guest network to its own subnet using iptables and have an unbound instance listening to dns requests on the guest network's gateway which then forwards queries to the load balanced dnscrypt servers resulting in no leaks whatsoever.
 