OpenVPN VoIP interrupts after pfSense 2.5.1 release installed

dennis_w

Hello community

Maybe one of you can help me. I am a little desperate here.

Two weeks ago we installed the major release upgrade to version 2.5.1. Before that we were using 2.4.4. Since then we do not have a stable OpenVPN connection.
There are irregular interruptions during the VoIP connection that last up to 3 seconds. At the same time, during an endless ping of the VPN client to the VoIP server, a high latency (3000ms) up to a timeout can be measured.

A downgrade to the previously used version solves the problem.
A test with a changed hardware appliance, which has much more performance, leads to the same interruptions but with lower latency. (around 1500ms)

No settings were changed after the release upgrade. The OpenVPN server was updated with the pfSense release upgrade from 2.4.6 to 2.5.1. There are certainly some major changes there but I couldn't find the bug with it so far.

Our installation runs on a PCengines apu3b4 (3 i211AT LAN / AMD GX-412TC CPU / 4 GB DRAM).

this is our config

I hope it is alright to put the same request translated in the german part of the forum.

Thanks for the support.
Dennis

djurg

Hey Dennis,

I'm facing the exact same problem as you even with the latest 2.5.2 release. Reverting back to 2.4.5 fixes it. Did you find a solution?

Thanks!

dennis_w

Hi djurg

A real solution I did not find. Complicated the matter seems. :)

We found out, that the hardware acceleration in encrypting and decrypting the tunnel was at its limits. So despite the better hardware we tested in between there was no change in behaviour.
Meanwhile I upgrqaded to a new firewall hardware with far better hardware acceleration. The ping latency could still be found and I have the feeling at some points some telephone calls are still influenced but users are happy and so I am happy too.

Use the ssh command: openssl speed -elapsed -evp aes-256-gcm to determine the max processed byte your hardware can handle. In the end that is no solution but a workaround. With that much more calculation power the flaw has less impact. We will see if more users and more tunnel traffic will nullify that situation again.

cheers
Dennis

dennis_w

@djurg

This should be switched on.

djurg

Thanks Dennis.

I made more diagnostics since and we noticed that packet loss is only occurring when there are at least 3 calls active. Seems like the VPN Server gets overwhelmed by 'so many' UDP packets... We ended up creating 10 VPN server instances with the same configuration (different UDP ports) and the VPN client just randomly connects to one of them thus splitting the traffic and not reaching more than 3 simultaneous calls in one VPN server instance.

Hopefully it's just temporary and whatever got broken in OpenVPN 2.5 will get fixed.

But I will try changing the crypto hardware to see if there's a difference.

jfassad

We are having the same problem here... We have around 70 ppl connected through OpenVPN and after the upgrade from 2.4.5 to 21.05.1-RELEASE we have been all experiencing lots of interrupts and slowdowns in Discord, Google Meet, Zoom, etc

Our hardware is Netgate SG-4860

jfassad

@dennis_w @djurg

Disabling certificate depth check fixed the issue for us.

More information

djurg

@jfassad Thanks a lot for the info. I'll give it a shot!