Netgate Discussion Forum

    SG-3100 OpenVPN Download slow (and it is SG slowing it)

    Official Netgate® Hardware
      bcruze

      i don't use that provider.  but 2 things you can try.

      1.  change your ncp algorithm to CBC 128 and 256.  remove what you have.
      2.  change compression to LZO compression

      i use PIA.  and i get i would say 95% of my full download speed.

      i am no expert at OpenVPN.  but i have been tinkering with it on and off for about 2 years now on my sg 2200 router

      also.  have you downloaded the configuration files here: https://protonvpn.com/support/linux-vpn-setup/  ?  open the file and match your openvpn configuration

        bubbletop

        @stephenw10:

        You should enable fast-io and you can set the buffers using the drop down rather than using custom options (though it does the same thing).

        Steve, thank you. I activated fast-io and set the buffers in the drop-down to 2MB. This raised the speed from 5 to 7 MB/s

        @stephenw10:

        What does OpenVPN status show the actual negotiated parameters are?

        Do you mean the following information? ######## = my IP

        Mar 11 07:21:55 openvpn 59802 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
        Mar 11 07:21:59 openvpn 59802 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
        Mar 11 07:21:59 openvpn 59802 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
        Mar 11 07:21:59 openvpn 59802 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
        Mar 11 07:21:59 openvpn 59802 TCP/UDP: Preserving recently used remote address: [AF_INET]###########2049
        Mar 11 07:21:59 openvpn 59802 Socket Buffers: R=[42080->2097152] S=[57344->2097152]
        Mar 11 07:21:59 openvpn 59802 UDPv4 link local (bound): [AF_INET]####5:0
        Mar 11 07:21:59 openvpn 59802 UDPv4 link remote: [AF_INET]95.211.172.18:2049
        Mar 11 07:21:59 openvpn 59802 TLS: Initial packet from [AF_INET]######:2049, sid=e2295144 cce39f60
        Mar 11 07:21:59 openvpn 59802 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        Mar 11 07:21:59 openvpn 59802 VERIFY OK: depth=1, C=MT, ST=Malta, L=Malta, O=IVPN.net, CN=IVPN.net CA, emailAddress=support@ivpn.net
        Mar 11 07:21:59 openvpn 59802 VERIFY OK: nsCertType=SERVER
        Mar 11 07:21:59 openvpn 59802 VERIFY X509NAME OK: CN=nl8.gw.ivpn.net
        Mar 11 07:21:59 openvpn 59802 VERIFY OK: depth=0, CN=nl8.gw.ivpn.net
        Mar 11 07:22:00 openvpn 59802 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
        Mar 11 07:22:00 openvpn 59802 MANAGEMENT: CMD 'state 1'
        Mar 11 07:22:00 openvpn 59802 MANAGEMENT: Client disconnected
        Mar 11 07:22:00 openvpn 59802 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
        Mar 11 07:22:00 openvpn 59802 [nl8.gw.ivpn.net] Peer Connection Initiated with [AF_INET]#######:2049
        Mar 11 07:22:01 openvpn 59802 SENT CONTROL [nl8.gw.ivpn.net]: 'PUSH_REQUEST' (status=1)
        Mar 11 07:22:01 openvpn 59802 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,explicit-exit-notify 3,route-gateway 10.28.16.1,topology subnet,ping 10,ping-restart 60,dhcp-option DNS 10.28.16.1,ifconfig 10.28.16.16 255.255.252.0,peer-id 14,cipher AES-256-GCM'
        Mar 11 07:22:01 openvpn 59802 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:2 is ignored by previous <connection> blocks
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: timers and/or timeouts modified
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: explicit notify parm(s) modified
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: --ifconfig/up options modified
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: route options modified
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: route-related options modified
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: peer-id set
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: adjusting link_mtu to 1625
        Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: data channel crypto options modified
        Mar 11 07:22:01 openvpn 59802 Data Channel: using negotiated cipher 'AES-256-GCM'
        Mar 11 07:22:01 openvpn 59802 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
        Mar 11 07:22:01 openvpn 59802 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
        Mar 11 07:22:01 openvpn 59802 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
        Mar 11 07:22:01 openvpn 59802 ROUTE_GATEWAY 91.106.136.1/255.255.248.0 IFACE=mvneta2 HWADDR=00:08:a2:0d:0a:79
        Mar 11 07:22:01 openvpn 59802 TUN/TAP device ovpnc2 exists previously, keep at program end
        Mar 11 07:22:01 openvpn 59802 TUN/TAP device /dev/tun2 opened
        Mar 11 07:22:01 openvpn 59802 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
        Mar 11 07:22:01 openvpn 59802 /sbin/ifconfig ovpnc2 10.28.16.16 10.28.16.1 mtu 1500 netmask 255.255.252.0 up
        Mar 11 07:22:01 openvpn 59802 /sbin/route add -net 10.28.16.0 10.28.16.1 255.255.252.0
        Mar 11 07:22:01 openvpn 59802 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1553 10.28.16.16 255.255.252.0 init
        Mar 11 07:22:02 openvpn 59802 Initialization Sequence Completed

        Thank you for your help!

          bubbletop

          @bcruze:

          i don't use that provider.  but 2 things you can try.

          1.  change your ncp algorithm to CBC 128 and 256.  remove what you have.
          2.  change compression to LZO compression

          i use PIA.  and i get i would say 95% of my full download speed.

          i am no expert at OpenVPN.  but i have been tinkering with it on and off for about 2 years now on my sg 2200 router

          also.  have you downloaded the configuration files here: https://protonvpn.com/support/linux-vpn-setup/  ?  open the file and match your openvpn configuration

          Unfortunately this does not change the speed. Maybe I will give PIA a try for non essential VPN stuff

            stephenw10 Netgate Administrator

            Do you have 'BSD Crypto Device' selected in System > Advanced > Miscellaneous?
            And also in the OpenVPN client settings?

            Steve

              mhertzfeld

              I am running Proton VPN but on a custom built pfsense box.

              On my box I can get a little over 300mbps.

              I know this isn't exactly what you were looking for but it at least proves out that pfsense\openvpn is capable of the faster speeds.

              I am curious to see what the max speed the 3100 will do on proton vpn.

                stephenw10 Netgate Administrator

                It won't do 300Mbps OpenVPN, I would expect to see the full 85Mbps here though. I have tested it at 95-100Mbps. It will do far more using IPSec if the VPN service supports that.

                However in the above log we can see:

                Mar 11 07:22:01    openvpn    59802    Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                Mar 11 07:22:01    openvpn    59802    Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                

                It's using the NCP Algorithms as they take priority over the specified algorithms. However the cesa hardware crypto in the SG-3100 only accelerates AES-CBC so those should be set in NCP as suggested above by bcruze.

                Steve

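The mismatch described in the post above (AES-256-CBC configured, AES-256-GCM actually in use after NCP) can be read mechanically from the log. This is an added example, not part of any post in this thread: the name `audit_sessions`, the constructed sample lines, and the `accelerated_mode` parameter (which encodes the post's statement that the SG-3100's CESA engine only accelerates AES-CBC) are assumptions.

```python
import re

# Constructed sample modelled on the log lines posted in this thread
# (PUSH_REPLY shortened; the second session's options string is invented).
SAMPLE_LOG = """\
Mar 11 07:21:59 openvpn 59802 Local Options String (VER=V4): 'V4,dev-type tun,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-client'
Mar 11 07:22:01 openvpn 59802 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,topology subnet,peer-id 14,cipher AES-256-GCM'
Mar 11 07:22:01 openvpn 59802 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 11 07:22:01 openvpn 59802 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 07:22:01 openvpn 59802 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 24 21:08:24 openvpn 15361 Local Options String (VER=V4): 'V4,dev-type tun,cipher AES-256-CBC,auth SHA256,keysize 256,tls-client'
Mar 24 21:08:24 openvpn 15361 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 24 21:08:24 openvpn 15361 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+openvpn\s+(\d+)\s+(.*)$")
LOCAL = re.compile(r"^Local Options String.*?,cipher ([\w-]+)")
PUSHED = re.compile(r"^PUSH: Received control message:.*?,cipher ([\w-]+)")
ACTIVE = re.compile(r"^(Outgoing|Incoming) Data Channel: Cipher '([\w-]+)' initialized")

def audit_sessions(log_text, accelerated_mode="CBC"):
    """Per openvpn PID: configured vs. effective data-channel cipher."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an openvpn syslog line
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"configured": None, "pushed": None, "active": {}})
        if (c := LOCAL.match(msg)):
            s["configured"] = c.group(1)      # what the client was set to use
        elif (c := PUSHED.match(msg)):
            s["pushed"] = c.group(1)          # what the server pushed via NCP
        elif (c := ACTIVE.match(msg)):
            s["active"][c.group(1)] = c.group(2)  # what each direction really uses
    report = {}
    for pid, s in sessions.items():
        ciphers = set(s["active"].values())
        effective = ciphers.pop() if len(ciphers) == 1 else None
        report[pid] = {
            "configured": s["configured"], "pushed": s["pushed"], "effective": effective,
            "overridden": None not in (effective, s["configured"]) and effective != s["configured"],
            # Assumption from the post: only this cipher mode is offloaded.
            "accelerated": effective is not None and effective.endswith("-" + accelerated_mode),
        }
    return report

if __name__ == "__main__":
    for pid, row in audit_sessions(SAMPLE_LOG).items():
        print(pid, row)
```

A session with `overridden` true and `accelerated` false is the case discussed here: the cipher set in the client is not the one protecting traffic, and the one in use falls outside what the crypto engine offloads.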
                  gsmornot

                  @stephenw10:

                  It won't do 300Mbps OpenVPN, I would expect to see the full 85Mbps here though. I have tested it at 95-100Mbps. It will do far more using IPSec if the VPN service supports that.

                  However in the above log we can see:

                  Mar 11 07:22:01    openvpn    59802    Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                  Mar 11 07:22:01    openvpn    59802    Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                  

                  It's using the NCP Algorithms as they take priority over the specified algorithms. However the cesa hardware crypto in the SG-3100 only accelerates AES-CBC so those should be set in NCP as suggested above by bcruze.

                  Steve

                  I'm learning here but -GCM on my SG-3100 provides about 145Mbps on average. Compared to hardware acceleration with -CBC I think I come out ahead. I have tested both and see about 95Mbps with -CBC as well.

                    stephenw10 Netgate Administrator

                    Hmm, that's an interesting result. I'll have to retest.

                    Steve

                      bcruze

                      A question not asked

                      Are you paying for the service or using the free one?

                      The free service has limited speeds it appears

                        bubbletop

                        sorry for being quiet but did not have the time to test. I now bought PIA and tested several of their nodes and was able to get full 100 Mbit download with the tips from above but only when disabling hardware crypto. If I could post something to help development please drop me a message!

                          stephenw10 Netgate Administrator

                          Disabling it in OpenVPN or in System > Advanced > Misc?

                          Did you end up using AES-CBC or -GCM?

                          Steve

                            gsmornot

                            I should add that my comments above with CBC vs GCM are my experience running the OpenVPN server on my SG-3100. I do use PIA as well but do not use it via config within the 3100. That said, when I connect to PIA I am using their OpenVPN option and it does now look like they are using GCM but so far as I know I have no control or option to decide what is used. It's certificate based. Is there a choice? A different server maybe based on the settings I want?

                              bcruze

                              i've always followed the directions and use CBC:

                              Mar 24 21:08:24 openvpn 15361 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
                              Mar 24 21:08:24 openvpn 15361 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
                              Mar 24 21:08:24 openvpn 15361 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key

                              OK so a line above i do see this: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

                              but i enabled 128 and 256 GCM for NCP Algorithms and it still connected as CBC

                              shrug

                                bubbletop

                                @stephenw10:

                                Disabling it in OpenVPN or in System > Advanced > Misc?

                                In the OpenVPN client settings

                                @stephenw10:

                                Did you end up using AES-CBC or -GCM?

                                I can use both in the settings and get full speed (10,5 MB/s) as long as I do NOT enable Hardware Crypto. If I enable it I do not get more than 7 to 8 MB/s

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.