I've just set up an OpenVPN server with the following config:
daemon
server-bridge
push "route 0.0.0.0 255.255.255.255 net_gateway"
proto udp
port 1194
dev tap21
comp-lzo adaptive
keepalive 15 60
verb 3
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
When I connect to it with this client config:
client
dev tap
proto udp
remote <remote IP> 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
resolv-retry infinite
nobind
After connecting, when I ping 192.168.3.12 on the inside network, I get very erratic latency, like this:
64 bytes from 192.168.3.12: icmp_seq=239 ttl=64 time=730 ms
64 bytes from 192.168.3.12: icmp_seq=240 ttl=64 time=950 ms
64 bytes from 192.168.3.12: icmp_seq=241 ttl=64 time=290 ms
64 bytes from 192.168.3.12: icmp_seq=242 ttl=64 time=236 ms
64 bytes from 192.168.3.12: icmp_seq=243 ttl=64 time=239 ms
64 bytes from 192.168.3.12: icmp_seq=244 ttl=64 time=41.1 ms
64 bytes from 192.168.3.12: icmp_seq=245 ttl=64 time=1585 ms
64 bytes from 192.168.3.12: icmp_seq=246 ttl=64 time=1804 ms
64 bytes from 192.168.3.12: icmp_seq=247 ttl=64 time=1087 ms
64 bytes from 192.168.3.12: icmp_seq=248 ttl=64 time=483 ms
64 bytes from 192.168.3.12: icmp_seq=249 ttl=64 time=864 ms
64 bytes from 192.168.3.12: icmp_seq=250 ttl=64 time=1614 ms
64 bytes from 192.168.3.12: icmp_seq=251 ttl=64 time=1173 ms
64 bytes from 192.168.3.12: icmp_seq=252 ttl=64 time=837 ms
64 bytes from 192.168.3.12: icmp_seq=253 ttl=64 time=834 ms
64 bytes from 192.168.3.12: icmp_seq=254 ttl=64 time=516 ms
64 bytes from 192.168.3.12: icmp_seq=255 ttl=64 time=235 ms
64 bytes from 192.168.3.12: icmp_seq=256 ttl=64 time=94.1 ms
64 bytes from 192.168.3.12: icmp_seq=257 ttl=64 time=573 ms
64 bytes from 192.168.3.12: icmp_seq=258 ttl=64 time=619 ms
64 bytes from 192.168.3.12: icmp_seq=259 ttl=64 time=842 ms
64 bytes from 192.168.3.12: icmp_seq=260 ttl=64 time=943 ms
64 bytes from 192.168.3.12: icmp_seq=261 ttl=64 time=1144 ms
64 bytes from 192.168.3.12: icmp_seq=262 ttl=64 time=711 ms
64 bytes from 192.168.3.12: icmp_seq=263 ttl=64 time=450 ms
64 bytes from 192.168.3.12: icmp_seq=264 ttl=64 time=182 ms
64 bytes from 192.168.3.12: icmp_seq=265 ttl=64 time=314 ms
64 bytes from 192.168.3.12: icmp_seq=266 ttl=64 time=125 ms
64 bytes from 192.168.3.12: icmp_seq=267 ttl=64 time=1519 ms
64 bytes from 192.168.3.12: icmp_seq=268 ttl=64 time=899 ms
64 bytes from 192.168.3.12: icmp_seq=269 ttl=64 time=818 ms
64 bytes from 192.168.3.12: icmp_seq=270 ttl=64 time=991 ms
64 bytes from 192.168.3.12: icmp_seq=271 ttl=64 time=811 ms
64 bytes from 192.168.3.12: icmp_seq=272 ttl=64 time=1082 ms
64 bytes from 192.168.3.12: icmp_seq=273 ttl=64 time=647 ms
64 bytes from 192.168.3.12: icmp_seq=274 ttl=64 time=204 ms
64 bytes from 192.168.3.12: icmp_seq=275 ttl=64 time=361 ms
64 bytes from 192.168.3.12: icmp_seq=276 ttl=64 time=193 ms
64 bytes from 192.168.3.12: icmp_seq=277 ttl=64 time=93.8 ms
64 bytes from 192.168.3.12: icmp_seq=278 ttl=64 time=682 ms
64 bytes from 192.168.3.12: icmp_seq=279 ttl=64 time=1089 ms
64 bytes from 192.168.3.12: icmp_seq=280 ttl=64 time=1212 ms
64 bytes from 192.168.3.12: icmp_seq=281 ttl=64 time=807 ms
64 bytes from 192.168.3.12: icmp_seq=282 ttl=64 time=1191 ms
64 bytes from 192.168.3.12: icmp_seq=284 ttl=64 time=143 ms
64 bytes from 192.168.3.12: icmp_seq=283 ttl=64 time=1523 ms
64 bytes from 192.168.3.12: icmp_seq=285 ttl=64 time=283 ms
64 bytes from 192.168.3.12: icmp_seq=286 ttl=64 time=342 ms
64 bytes from 192.168.3.12: icmp_seq=287 ttl=64 time=1501 ms
64 bytes from 192.168.3.12: icmp_seq=288 ttl=64 time=1181 ms
64 bytes from 192.168.3.12: icmp_seq=289 ttl=64 time=1234 ms
64 bytes from 192.168.3.12: icmp_seq=290 ttl=64 time=940 ms
64 bytes from 192.168.3.12: icmp_seq=291 ttl=64 time=1172 ms
64 bytes from 192.168.3.12: icmp_seq=292 ttl=64 time=1378 ms
64 bytes from 192.168.3.12: icmp_seq=294 ttl=64 time=308 ms
64 bytes from 192.168.3.12: icmp_seq=295 ttl=64 time=456 ms
64 bytes from 192.168.3.12: icmp_seq=293 ttl=64 time=2710 ms
64 bytes from 192.168.3.12: icmp_seq=296 ttl=64 time=1398 ms
64 bytes from 192.168.3.12: icmp_seq=297 ttl=64 time=571 ms
64 bytes from 192.168.3.12: icmp_seq=298 ttl=64 time=864 ms
64 bytes from 192.168.3.12: icmp_seq=299 ttl=64 time=601 ms
64 bytes from 192.168.3.12: icmp_seq=300 ttl=64 time=1515 ms
64 bytes from 192.168.3.12: icmp_seq=301 ttl=64 time=1181 ms
64 bytes from 192.168.3.12: icmp_seq=302 ttl=64 time=1451 ms
64 bytes from 192.168.3.12: icmp_seq=304 ttl=64 time=268 ms
64 bytes from 192.168.3.12: icmp_seq=305 ttl=64 time=479 ms
64 bytes from 192.168.3.12: icmp_seq=306 ttl=64 time=229 ms
64 bytes from 192.168.3.12: icmp_seq=307 ttl=64 time=10.0 ms
64 bytes from 192.168.3.12: icmp_seq=308 ttl=64 time=355 ms
64 bytes from 192.168.3.12: icmp_seq=309 ttl=64 time=175 ms
64 bytes from 192.168.3.12: icmp_seq=310 ttl=64 time=214 ms
64 bytes from 192.168.3.12: icmp_seq=311 ttl=64 time=53.4 ms
64 bytes from 192.168.3.12: icmp_seq=312 ttl=64 time=748 ms
64 bytes from 192.168.3.12: icmp_seq=313 ttl=64 time=2025 ms
64 bytes from 192.168.3.12: icmp_seq=314 ttl=64 time=1581 ms
64 bytes from 192.168.3.12: icmp_seq=315 ttl=64 time=1668 ms
64 bytes from 192.168.3.12: icmp_seq=316 ttl=64 time=1143 ms
64 bytes from 192.168.3.12: icmp_seq=317 ttl=64 time=723 ms
64 bytes from 192.168.3.12: icmp_seq=318 ttl=64 time=673 ms
64 bytes from 192.168.3.12: icmp_seq=319 ttl=64 time=932 ms
64 bytes from 192.168.3.12: icmp_seq=320 ttl=64 time=1152 ms
64 bytes from 192.168.3.12: icmp_seq=321 ttl=64 time=1355 ms
64 bytes from 192.168.3.12: icmp_seq=322 ttl=64 time=1025 ms
64 bytes from 192.168.3.12: icmp_seq=323 ttl=64 time=993 ms
64 bytes from 192.168.3.12: icmp_seq=324 ttl=64 time=69.7 ms
64 bytes from 192.168.3.12: icmp_seq=325 ttl=64 time=73.8 ms
64 bytes from 192.168.3.12: icmp_seq=326 ttl=64 time=1140 ms
64 bytes from 192.168.3.12: icmp_seq=327 ttl=64 time=595 ms
I have a ping over 500 ms on a link with a latency of 40 ms. Did I miss something important in the setup, or is it a natural limitation of OpenVPN?
On both machines I use OpenVPN on Linux. The client has kernel 3.13.0 with OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6]
and the server has kernel 2.6.22.19 with OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6]
The problem proved to be totally unrelated to OpenVPN, and the posted OpenVPN configurations are not to blame.
The solution in my case was to disable a misbehaving QoS module from the kernel/IP stack.
After that, the pings over my OpenVPN are on the order of 150 ms on a link with a ping of 100 ms without OpenVPN.