OPNsense

Topics - camouflageX

1
20.1 Legacy Series / OpenVPN packet loss while user authentication
« on: May 04, 2020, 11:55:54 am »
Hello OPNsense community,

I have a question regarding OpenVPN authentication and packet loss:

We have OPNsense 20.1.6 running on not-so-powerful hardware, namely a PC Engines APU2C4 (4 x 1 GHz), but it should be sufficient for our needs.

We have an OpenVPN server with server mode "Remote Access (SSL/TLS + User Auth)". Now when a new user authenticates, we have packet loss (about 1 second) for all connections running on the same OpenVPN server. Connections on other OpenVPN servers are not affected. Because there are VoIP calls running over the tunnels, the users hear silence for that period of time. This happens even when the average load is close to 0.

Is anyone experiencing the same issue? Is there anything we can configure to improve the packet loss?

Maybe it has some connection to this discussion:
https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/20150730233727.GW3676%40type.home/#msg34333737


Our OpenVPN settings:
Protocol: UDP
Device mode: tun
TLS Authentication: Enabled
Peer Certificate Authority: Same device
Peer Certificate Revocation List: None
DH Parameters Length: 1024 bit
Encryption algorithm: AES-128-GCM
Auth Digest Algorithm: SHA1
Compression: Disabled
Disable IPv6: Enabled
Dynamic IP: Enabled
Address Pool: Enabled
Topology: Enabled
DNS servers: Enabled
Advanced configuration: None


Thanks for any suggestion.

2
18.1 Legacy Series / IPsec + Traffic Shaper = Slow web interface
« on: June 11, 2018, 03:34:41 pm »
Hello people,

I have an unusual issue regarding the Traffic Shaper and IPsec connections: We have three branches connected with OPNsense boxes over small Internet links (about 4 Mbit/s). When I open the web interface of these boxes and the packets go through the IPsec VPN, then the website loads very slowly (about 15 secs). When I disable Traffic Shaping, then this is not the case. All other data going through the traffic shaper is always fine.

Now I created a small test scenario. For testing purposes I created a simple OPN setup with two VirtualBox VMs:
1. Hostname: OPNsense1
OPNsense version: 18.1.9
LAN: 192.168.56.2/24
WAN: 10.0.0.1/24

2. Hostname: OPNsense2
OPNsense version: 18.1.9
LAN: 192.168.57.2/24
WAN: 10.0.0.2/24


Firewall:
Firewall disabled for testing purposes.


IPsec:
These are the IPsec settings on OPNsense2 (192.168.57.0/24 -> 192.168.56.0/24). Settings on OPNsense1 are similar to this.
Type | Remote Gateway | Mode | Phase 1 Proposal | Authentication | Description
IPv4 IKEv2 | WAN 10.0.0.1 | | AES (128 bits) + AESXCBC + DH Group 19 (256 bit elliptic curve) | Mutual PSK | 2 -> 1

Type | Local Subnet | Remote Subnet | Encryption Protocols | Authenticity Protocols | PFS
ESP IPv4 tunnel | LAN | 192.168.56.0/24 | AES (auto), Blowfish (auto), 3DES, CAST128 | AES-XCBC | off


Traffic Shaper:
In Traffic Shaper I created a simple upload shaper. All other settings at default.

Pipes:
Enabled | Bandwidth | Metric | Mask | Description
[X] | 11000 | kbit/s | - | pipe-up

Queues:
Enabled | Pipe | Weight | Description
[X] | pipe-up | 100 | queue-up

Rules:
# | Interface | Protocol | Source | Destination | Target | Description
1 | IPsec | ip | 192.168.57.0/24 | 192.168.56.0/24 | queue-up | rule-up


Routes:
On Windows I added a new route, so that all packets destined for OPNsense2 go to OPNsense1 and through the IPsec VPN.
ROUTE ADD 192.168.57.2 MASK 255.255.255.255 192.168.56.2
A packet would go this way:
PC (192.168.56.1) -> OPNsense1 (192.168.56.2) -> IPsec VPN -> OPNsense2 (192.168.57.2)


Testing:
When I set the upload pipe to 11000 kbit/s or below and open the web interface of OPNsense2 on my PC, the website opens really slowly. It takes about 15 seconds until it is loaded completely. Ping times are always below 1 ms.
When I change the bandwidth of the upload pipe to 12000 kbit/s, the website opens in about 2 seconds.


What could be the cause? Is this a bug?


Thanks for any feedback.
