rcvbuf , sndbuf OpenVPN setting

[DEC670airp414user]

what is the default settings for Opnsense, since there is no option listed under Clients

typically its advised to increase to 256k+     

I know you can add it manually under advanced configuration.... but that also states I is going away

[benyamin]

I'm pretty sure this was changed some time ago in OpenVPN to rely on the OS default instead. That's what the OpenVPN Reference Manual has said since at least v2.4.

As for defaults, I had a quick look through the code but couldn't see it being set anywhere. Perhaps @AdSchellevis might know...

I'd say the defaults are likely both 64K, with send maybe 32K (unlikely)...

Just wondering if you have tried new values to see if it makes a difference..?
e.g.

Code: [Select]

sndbuf 524288
rcvbuf 524288
Last I checked, OpenVPN uses the setsockopt() system call to set these options, per:
https://man.freebsd.org/cgi/man.cgi?query=setsockopt&sektion=2

Limits are also set by the OS since at least v2.4 anyway...

For FreeBSD, max socket buffer size is determined by:

Code: [Select]

sysctl kern.ipc.maxsockbuf
Where the actual limit on an amd64 platform is something like kern.ipc.maxsockbuf * 0.889.

This value is usually set to 4MB, so the actual limit is near 3.6MB.

Just to be clear, these are socket buffers.
 
That being said, my understanding is the OS will also auto-size protocol buffers.

Some relevant sysctl values (I believe these are defaults on OPNsense):

Code: [Select]

net.inet.tcp.sendspace: 65228
net.inet.tcp.recvspace: 65228
net.inet.tcp.sendbuf_auto_lowat: 0
net.inet.tcp.sendbuf_max: 2097152
net.inet.tcp.sendbuf_inc: 8192
net.inet.tcp.sendbuf_auto: 1
net.inet.tcp.recvbuf_max: 2097152
net.inet.tcp.recvbuf_auto: 1
net.inet.udp.maxdgram: 57344
net.inet.udp.recvspace: 42080
You should definitely review the notes in in tuning(7) before making changes, which I wouldn't recommend as such changes will affect all connections.

[DEC670airp414user]

Notice logs show : 1   Socket Buffers: R=[524288->131072] S=[524288->131072]

With your suggestion


With nothing added:

Socket Buffers: R=[42080->131072] S=[57344->131072]


I am just curious how this is automatically calculated.  And once we move to openvpn 2.6 the custom field will be gone. So there is no possible way to tweak this

[benyamin]

A couple of things to note...

I'm guessing you are using a UDP tunnel(s) as those initial values of 42080 & 57344 match the default values for net.inet.udp.recvspace & net.inet.udp.maxdgram respectively. I suspect a TCP tunnel would default to 64K too (matching net.inet.tcp.sendspace & net.inet.tcp.recvspace).

It seems that your environment + configuration is setting the buffers to 131072 (128K). It's not clear why, but I suspect it is the remote server.

There definitely seems to be a change in behaviour re socket buffers after installing 23.1.7 and OpenVPN 2.6. If you search the log file for "buffers", you might see something similar.

In my case, since the update, my UDP tunnels have consistently been:
Socket Buffers: R=[42080->42080] S=[57344->57344]

Prior to the update, I had a mix of the above and the following:
Socket Buffers: R=[42080->524288] S=[57344->524288]
Socket Buffers: R=[524288->524288] S=[524288->524288]

I don't set sndbuf or rcvbuf, but perhaps the remote server is.

A higher debug log level might reveal a mechanism...

[benyamin]

It seems that your environment + configuration is setting the buffers to 131072 (128K). It's not clear why, but I suspect it is the remote server.

In my case, since the update, my UDP tunnels have consistently been:
Socket Buffers: R=[42080->42080] S=[57344->57344]

Prior to the update, I had a mix of the above and the following:
Socket Buffers: R=[42080->524288] S=[57344->524288]
Socket Buffers: R=[524288->524288] S=[524288->524288]

I don't set sndbuf or rcvbuf, but perhaps the remote server is.

I would say the remote server you are connecting to is PUSHing you the 128K buffer sizes (and likely setting the server to the same buffer size), e.g.:

Code: [Select]

sndbuf 131072
rcvbuf 131072
push "sndbuf 131072"
push "rcvbuf 131072"
I think there is little justification for this because server and client hardware can potentially be very different.

You can probably override with the following client advanced configuration options:

Code: [Select]

pull-filter ignore sndbuf
pull-filter ignore rcvbuf
sndbuf 524288
rcvbuf 524288


I know you can add it manually under advanced configuration.... but that also states [it] is going away

And once we move to openvpn 2.6 the custom field will be gone. So there is no possible way to tweak this

I haven't seen a roadmap for this, but others would know better... @Franco, @AdSchellevis...?