Netgate Discussion Forum
How to improve OpenVPN performance / am I doing this the right way?

Posted by shetu

Hello,
I want to access my local LAN from outside, but I have no real IP on the WAN. So I bought a cheap OpenVZ VPS and installed an OpenVPN server there. I configured pfSense as the VPN client. Now I try to reach the home LAN via the VPS IP.
I can ping 192.168.1.100. When I try to log on to server (a), it hangs midway or the console does not fully load.
I can access the SSH server (b), but the web page shows FIN_WAIT_2:FIN_WAIT_2, and I get very low speed when trying to browse the Windows share (c).
There is an unknown interface (tap2). I do not understand where it comes from.

      
LAN subnet: 192.168.1.0/24
WAN: 192.168.25.40
CentOS VPN server subnet: 10.8.0.0/24
pfSense VPN client: 10.8.0.2
Target SSH/Asterisk server (a): 192.168.1.100
SSH server (b): 192.168.1.101
Windows share folder (c): 192.168.1.22
      
------
CentOS 6.9 (VPS server)
-----------
iptables rules for port forwarding
      iptables -t nat -A PREROUTING -j LOG --log-prefix "PREROUTING:" --log-level 6
      iptables -t nat -I PREROUTING -d "VPS Real IP" -p tcp --dport 1196:65535 -j DNAT --to-destination 10.8.0.2:1196-65535
      iptables -t nat -A PREROUTING -d "VPS Real IP" -p udp -m udp --dport 1196:65535 -j DNAT --to-destination 10.8.0.2:1196-65535 
      iptables -t nat -A POSTROUTING -j LOG --log-prefix "MASQUERADE:" --log-level 6
      iptables -t nat -I POSTROUTING -d 10.8.0.2 -p tcp --dport 1196:65535 -j SNAT --to-source 10.8.0.1
      iptables -t nat -I POSTROUTING -d 10.8.0.2 -p udp --dport 1196:65535 -j SNAT --to-source 10.8.0.1
      iptables -A FORWARD -j LOG --log-prefix "FORWARD:" --log-level 6
      iptables -I FORWARD 1 -d 10.8.0.2 -p tcp --dport 1196:65535 -j ACCEPT
      
-------------
OpenVPN server conf (from the CentOS VPS)
      
      port 1194
      proto udp
      dev tun
      user nobody
      group nobody
      persist-key
      persist-tun
      keepalive 10 120
      topology subnet
      server 10.8.0.0 255.255.255.0
      client-to-client
      push "route 192.168.1.0 255.255.255.0"
      ifconfig-pool-persist ipp.txt
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      push "redirect-gateway def1 bypass-dhcp" 
      crl-verify crl.pem
      ca ca.crt
      cert server_g9hq31FXVL3AsXq0.crt
      key server_g9hq31FXVL3AsXq0.key
      tls-auth tls-auth.key 0
      dh dh.pem
      auth SHA256
      cipher AES-128-CBC
      tls-server
      tls-version-min 1.2
      tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
      status openvpn.log
      verb 3
      
pfSense OpenVPN server
      dev ovpns2
      dev-type tun
      tun-ipv6
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      auth SHA512
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 10.8.0.2
      tls-server
      server 192.168.92.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc/server2
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TG9jYWwgRGF0YWJhc2U= false server2 1198" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsense_openvpn_server_Certificate_1198' 1"
      lport 1198
      management /var/etc/openvpn/server2.sock unix
      push "route 192.168.1.0 255.255.255.0"
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      client-to-client
      ca /var/etc/openvpn/server2.ca
      cert /var/etc/openvpn/server2.cert
      key /var/etc/openvpn/server2.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server2.tls-auth 0
      comp-lzo adaptive
      passtos
      persist-remote-ip
      float
      topology subnet
      

Attached screenshots: VPN interface, unknown interface, SSH state (FIN_WAIT), SSH state, SSH performance slow, OpenVPN status.
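The iptables port-forward rules and the VPS OpenVPN server config above are the two pieces a reviewer would want to check before exposing a home LAN through a VPS. The script below is an added example written for this thread, not code from the poster, pfSense, Netgate or the OpenVPN project. It parses constructed copies of those two fragments (the VPS address is replaced by the placeholder VPS_REAL_IP, and the "more than 16 ports" threshold for flagging a wide DNAT range is an arbitrary choice) and reports the exposure and visibility points a defender would raise: the DNAT range forwards every port from 1196 upward to the pfSense box, UDP is DNATed without a matching FORWARD ACCEPT, SNAT to 10.8.0.1 hides the real client address from pfSense logs and rules, and redirect-gateway is pushed to a site that only needs inbound access.

```python
"""Audit for the setup in this thread: a constructed example, not pfSense,
Netgate or OpenVPN project code. It parses the VPS iptables rules and the
VPS OpenVPN server config and lists what a defender would check first."""
import shlex

# Constructed copies of the rules in the post; VPS_REAL_IP is a placeholder.
IPTABLES_RULES = """\
iptables -t nat -I PREROUTING -d VPS_REAL_IP -p tcp --dport 1196:65535 -j DNAT --to-destination 10.8.0.2:1196-65535
iptables -t nat -A PREROUTING -d VPS_REAL_IP -p udp -m udp --dport 1196:65535 -j DNAT --to-destination 10.8.0.2:1196-65535
iptables -t nat -I POSTROUTING -d 10.8.0.2 -p tcp --dport 1196:65535 -j SNAT --to-source 10.8.0.1
iptables -t nat -I POSTROUTING -d 10.8.0.2 -p udp --dport 1196:65535 -j SNAT --to-source 10.8.0.1
iptables -I FORWARD 1 -d 10.8.0.2 -p tcp --dport 1196:65535 -j ACCEPT
"""

# Constructed excerpt of the VPS OpenVPN server config in the post.
OPENVPN_SERVER_CONF = """\
user nobody
group nobody
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
tls-auth tls-auth.key 0
auth SHA256
cipher AES-128-CBC
tls-version-min 1.2
"""

# iptables options that carry one value into a rule field.
FIELD = {"-t": "table", "-A": "chain", "-I": "chain", "-p": "proto", "-j": "target",
         "-d": "dst", "--to-destination": "to", "--to-source": "to"}

def port_range(spec):
    """'1196:65535' -> (1196, 65535); '1198' -> (1198, 1198)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_iptables(text):
    """Reduce each iptables command to the fields the checks need."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)[1:]              # drop the 'iptables' word
        rule = dict.fromkeys(("chain", "proto", "dport", "target", "to"), None)
        rule["table"] = "filter"
        i = 0
        while i + 1 < len(argv):
            flag, value = argv[i], argv[i + 1]
            if flag == "--dport":
                rule["dport"] = port_range(value)
            elif flag in FIELD:
                rule[FIELD[flag]] = value
            i += 2                                 # every option in the post takes one argument
            if flag == "-I" and i < len(argv) and argv[i].isdigit():
                i += 1                             # skip the position in '-I CHAIN <pos>'
        rules.append(rule)
    return rules

def audit_iptables(rules):
    """Exposure and visibility problems in a DNAT/SNAT port-forward set."""
    findings = []
    dnat = [r for r in rules if r["target"] == "DNAT"]
    for r in dnat:
        lo, hi = r["dport"]
        if hi - lo + 1 > 16:                       # arbitrary threshold for 'wide' ranges
            findings.append(("HIGH", "WIDE_DNAT", f"{hi - lo + 1} {r['proto']} ports "
                             f"({lo}-{hi}) reach {r['to']}; forward only ports a service listens on"))
    accepted = {r["proto"] for r in rules if r["chain"] == "FORWARD" and r["target"] == "ACCEPT"}
    for proto in sorted({r["proto"] for r in dnat} - accepted):
        findings.append(("MEDIUM", "FORWARD_GAP", f"{proto} is DNATed but has no FORWARD ACCEPT; "
                         "the chain policy decides, which is hard to audit"))
    snat = next((r for r in rules if r["target"] == "SNAT"), None)
    if snat:
        findings.append(("INFO", "SNAT_HIDES_SOURCE", f"SNAT to {snat['to']} makes pfSense see "
                         "every inbound connection as the tunnel peer, not the real client"))
    return findings

def parse_openvpn(text):
    """Return (directive, args) pairs; a quoted push value stays one argument."""
    return [(w[0], w[1:]) for w in (shlex.split(l) for l in text.splitlines())
            if w and not w[0].startswith(("#", ";"))]

def audit_openvpn(entries):
    """Site-to-site and hardening checks on an OpenVPN server config."""
    findings = []
    names = {d for d, _ in entries}
    pushed = [a[0] for d, a in entries if d == "push" and a]
    if any(p.startswith("redirect-gateway") for p in pushed) and any(p.startswith("route ") for p in pushed):
        findings.append(("MEDIUM", "REDIRECT_GATEWAY_SITE", "redirect-gateway is pushed, so the pfSense "
                         "site sends all Internet traffic via the VPS; drop it if only inbound access is wanted"))
    for req in ("user", "group", "tls-auth", "tls-version-min"):
        if req not in names:
            findings.append(("MEDIUM", "MISSING_" + req.upper().replace("-", "_"), f"{req} is not set"))
    cipher = next((a[0] for d, a in entries if d == "cipher" and a), "")
    if cipher.upper().endswith("-CBC"):
        findings.append(("INFO", "CBC_CIPHER", f"data channel uses {cipher} plus a separate HMAC; "
                         "an AEAD mode such as AES-128-GCM authenticates and encrypts together"))
    return findings

def audit_all():
    """Run both audits and return (severity, code, message) tuples."""
    return (audit_iptables(parse_iptables(IPTABLES_RULES))
            + audit_openvpn(parse_openvpn(OPENVPN_SERVER_CONF)))

for severity, code, message in audit_all():
    print(f"[{severity}] {code}: {message}")
```

On the post's rules the script reports two WIDE_DNAT findings (64340 tcp and 64340 udp ports forwarded to 10.8.0.2), a FORWARD_GAP for udp, the SNAT visibility note, the REDIRECT_GATEWAY_SITE note and the CBC cipher note; the hardening directives (user/group, tls-auth, tls-version-min) are all present, so nothing is reported as missing. Narrowing the DNAT rules to the one port the pfSense OpenVPN server actually listens on (1198/udp in the posted config) is the change that shrinks the exposed surface the most.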

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.