rcvbuf, sndbuf OpenVPN setting

Started by DEC670airp414user, May 06, 2023, 02:11:10 PM

What are the default settings for OPNsense, since there is no option listed under Clients?

Typically it's advised to increase to 256k+.

I know you can add it manually under advanced configuration... but that also states it is going away.


I'm pretty sure this was changed some time ago in OpenVPN to rely on the OS default instead. That's what the OpenVPN Reference Manual has said since at least v2.4.

As for defaults, I had a quick look through the code but couldn't see it being set anywhere. Perhaps @AdSchellevis might know...

I'd say the defaults are likely both 64K, with send maybe 32K (unlikely)...

Just wondering if you have tried new values to see if it makes a difference..?
e.g.
sndbuf 524288
rcvbuf 524288


Last I checked, OpenVPN uses the setsockopt() system call to set these options, per:
https://man.freebsd.org/cgi/man.cgi?query=setsockopt&sektion=2

Limits are also set by the OS since at least v2.4 anyway...

For FreeBSD, max socket buffer size is determined by:
sysctl kern.ipc.maxsockbuf

Where the actual limit on an amd64 platform is something like kern.ipc.maxsockbuf * 0.889.

This value is usually set to 4MB, so the actual limit is near 3.6MB.

Just to be clear, these are socket buffers.

That being said, my understanding is the OS will also auto-size protocol buffers.

Some relevant sysctl values (I believe these are defaults on OPNsense):
net.inet.tcp.sendspace: 65228
net.inet.tcp.recvspace: 65228
net.inet.tcp.sendbuf_auto_lowat: 0
net.inet.tcp.sendbuf_max: 2097152
net.inet.tcp.sendbuf_inc: 8192
net.inet.tcp.sendbuf_auto: 1
net.inet.tcp.recvbuf_max: 2097152
net.inet.tcp.recvbuf_auto: 1
net.inet.udp.maxdgram: 57344
net.inet.udp.recvspace: 42080


You should definitely review the notes in tuning(7) before making changes, which I wouldn't recommend as such changes will affect all connections.

Notice logs show : 1   Socket Buffers: R=[524288->131072] S=[524288->131072]

With your suggestion


With nothing added:

Socket Buffers: R=[42080->131072] S=[57344->131072]


I am just curious how this is automatically calculated. And once we move to OpenVPN 2.6 the custom field will be gone. So there is no possible way to tweak this.

A couple of things to note...

I'm guessing you are using a UDP tunnel(s) as those initial values of 42080 & 57344 match the default values for net.inet.udp.recvspace & net.inet.udp.maxdgram respectively. I suspect a TCP tunnel would default to 64K too (matching net.inet.tcp.sendspace & net.inet.tcp.recvspace).

It seems that your environment + configuration is setting the buffers to 131072 (128K). It's not clear why, but I suspect it is the remote server.

There definitely seems to be a change in behaviour re socket buffers after installing 23.1.7 and OpenVPN 2.6. If you search the log file for "buffers", you might see something similar.

In my case, since the update, my UDP tunnels have consistently been:
Socket Buffers: R=[42080->42080] S=[57344->57344]

Prior to the update, I had a mix of the above and the following:
Socket Buffers: R=[42080->524288] S=[57344->524288]
Socket Buffers: R=[524288->524288] S=[524288->524288]

I don't set sndbuf or rcvbuf, but perhaps the remote server is.

A higher debug log level might reveal a mechanism...

May 08, 2023, 11:35:02 AM #4 Last Edit: May 08, 2023, 06:14:47 PM by benyamin
Quote from: benyamin on May 07, 2023, 03:34:57 PM
It seems that your environment + configuration is setting the buffers to 131072 (128K). It's not clear why, but I suspect it is the remote server.

In my case, since the update, my UDP tunnels have consistently been:
Socket Buffers: R=[42080->42080] S=[57344->57344]

Prior to the update, I had a mix of the above and the following:
Socket Buffers: R=[42080->524288] S=[57344->524288]
Socket Buffers: R=[524288->524288] S=[524288->524288]

I don't set sndbuf or rcvbuf, but perhaps the remote server is.

I would say the remote server you are connecting to is PUSHing you the 128K buffer sizes (and likely setting the server to the same buffer size), e.g.:
sndbuf 131072
rcvbuf 131072
push "sndbuf 131072"
push "rcvbuf 131072"


I think there is little justification for this because server and client hardware can potentially be very different.

You can probably override with the following client advanced configuration options:

pull-filter ignore sndbuf
pull-filter ignore rcvbuf
sndbuf 524288
rcvbuf 524288


Quote from: DEC670airp414user on May 06, 2023, 02:11:10 PM
I know you can add it manually under advanced configuration.... but that also states [it] is going away

Quote from: DEC670airp414user on May 07, 2023, 12:02:40 AM
And once we move to openvpn 2.6 the custom field will be gone. So there is no possible way to tweak this

I haven't seen a roadmap for this, but others would know better... @Franco, @AdSchellevis...?
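
Added example (not part of any post in this thread): a small Python audit of the "Socket Buffers" log lines quoted above, showing whether each buffer started at the UDP sysctl values mentioned in the thread and whether it was raised, lowered or left alone. The function names and labels are hypothetical, the sample log is constructed from the lines quoted in the thread, and the 0.889 factor is the approximate amd64 figure given above.

```python
import re

# Log lines quoted in the thread (constructed sample: syslog prefix omitted).
SAMPLE_LOG = """\
Socket Buffers: R=[524288->131072] S=[524288->131072]
Socket Buffers: R=[42080->131072] S=[57344->131072]
Socket Buffers: R=[42080->42080] S=[57344->57344]
Socket Buffers: R=[42080->524288] S=[57344->524288]
"""

# UDP values quoted in the thread: net.inet.udp.recvspace / net.inet.udp.maxdgram.
UDP_DEFAULTS = {"R": 42080, "S": 57344}
LINE_RE = re.compile(r"Socket Buffers: R=\[(\d+)->(\d+)\] S=\[(\d+)->(\d+)\]")


def describe(old, new, os_default):
    """Label where a buffer started and how OpenVPN left it."""
    start = "os-default" if old == os_default else "preset"
    if new == old:
        change = "unchanged"
    else:
        change = "raised" if new > old else "lowered"
    return f"{start}/{change}"


def audit(log_text):
    """Return one dict per 'Socket Buffers' line; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        r_old, r_new, s_old, s_new = map(int, m.groups())
        results.append({
            "R": describe(r_old, r_new, UDP_DEFAULTS["R"]),
            "S": describe(s_old, s_new, UDP_DEFAULTS["S"]),
            "final": (r_new, s_new),
        })
    return results


def approx_sockbuf_limit(maxsockbuf, factor=0.889):
    """Usable socket buffer ceiling, using the thread's approximate amd64 factor."""
    return int(maxsockbuf * factor)


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
    print("limit for 4 MB maxsockbuf:", approx_sockbuf_limit(4 * 1024 * 1024))
```

A "preset/lowered" result, as in the first sample line, means the buffer was already set locally and then reduced afterwards, which is the pattern the thread attributes to a pushed value from the remote server.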