networking – OpenVPN using UDP is terribly slow over cellular networks

I have had a weird problem with OpenVPN for around two weeks now. I am running the OpenVPN server on a Virtual Server (German hoster netcup) on UDP port 1194. Using this setup, clients connecting through a mobile network have an extremely slow downstream (!) through the VPN tunnel (less than 1 Mbit/s). The upstream speed is close to the general upstream capacity of the client (verified by doing a standard internet speed test without VPN). This problem doesn’t occur when connecting through a “normal” home internet connection.

If I run OpenVPN on TCP instead of UDP everything is fine, but the general performance is slightly lower than over UDP. Additionally, a lot of clients would have to change their configuration. So if possible I would like to continue using UDP. It also seems to be best practice to run an OpenVPN tunnel over UDP.

What could cause this problem? I’ve already tried to play with the mssfix, fragment, mtu, tun-mtu, sndbuf and rcvbuf options of the OpenVPN server; the performance got even worse. So now I am using none of these options.

I am using OpenVPN 2.4.4 on Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-53-generic x86_64) (Ubuntu Server).

Prevent any direct internet traffic when OpenVPN is down

If OpenVPN is down, how do I prevent any direct internet traffic (HTTP or all TCP) on macOS, except to the local network?

vpn – OpenVPN: How to issue client IP on the same subnet as the server LAN

Is it possible to issue a client an IP address on the same subnet as the server LAN? For example, if the server’s IP address is 10.50.1.5, I would like to assign the connecting clients an IP on the same subnet. Something like 10.50.1.200. I’m hoping this will help with routing as I have a need to connect to an internal system (10.50.1.20) that is having trouble routing packets back to the connected VPN client machine.

My current conf:

dev tun
proto tcp
port 443
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/key.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.50.1.248 255.255.255.248
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Prevent DNS leaks on Windows
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

Once connected, I’m being issued an IP of 10.50.1.250, which is what I would expect, but I’m not able to ping 10.50.1.1 or access the internet.

When I had the server configured with a server 10.8.0.0 255.255.255.0 and an iptables NAT route like

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

that worked, but I was still having a routing issue from an internal system back to the client. Again, I was hoping that could be resolved by placing the client on the same subnet as the internal systems.

linux – Routing to a pair of active redundant openvpn tunnels so that periodically the "main tunnel" can be switched for all new connections

I have a network with the following basic architecture:
1) clients connect via openvpn, entering on a single subnet (10.10.10.0/24)
2) If the client's ultimate destination is the Internet, there is a pair of openvpn client-server tunnels using separate network paths. The two openvpn clients reside on the incoming machine from (1), and the two servers reside on a machine that sends traffic to the Internet. This machine uses a MASQUERADE rule to give the source a public IP address.

ascii-art diagram

All traffic reaches the exit keeping its 10.10.10.0/24 address. I can periodically switch the traffic to tun1 or tun2 by replacing a custom routing table (an ip rule added with from 10.10.10.0/24 selecting table tun1 (or tun2)).

The purpose of this is, once traffic has been switched to tun2, to allow all traffic on tun1 to terminate and then restart tun1. Restarting changes the internal routing of the tunnel for security purposes.

Am I not correct in assuming that, since traffic arrives at the exit with the same src/dst IP regardless of the tunnel, it shouldn't matter if the tunnel used changes? Yes, during the transition packets could arrive out of sequence, but in the worst case there would be a few retransmissions, which is acceptable.

The current problem I have is with the iptables MASQUERADE rule on output:
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

The rule is there and works correctly on tun1. However, it seems to be ignored on tun2. I can't understand why it won't fire for the second tunnel. Since it is POSTROUTING, the incoming device should not be relevant, right?

Is it possible to configure OpenVPN on a VPS server with Windows 2012 R2 for a smartphone client with iOS?

I recently hired a VPS server with Windows Server 2012 R2 as the operating system. The server's IP is from another country. I wondered if I could use the server as a VPN channel to connect and access the Internet from my iOS device so that I could bypass regional IP filtering. I have heard that this could be possible by installing and configuring OpenVPN on the server. Following the tutorial below, I was able to proceed with the installation and configuration steps.

However, when it comes to running the VPN server, I encounter an error saying the Windows TAP adapter was not found. Its icon is actually available in network connections and it is enabled, but it is not connected. After the above explanation, I have two questions. First of all, is OpenVPN the simplest and best approach to reach the goal I described?
The second question is this: how can I dig deeper into the Windows TAP v9 adapter problem and find a solution?

networking – Connect servers to the Internet via OpenVPN

I am trying to connect multiple servers (Ubuntu Server 20.04) to the Internet so that they are in the same private network and can share services that are only accessible through this private network (like server administration, etc.). I did some research before, but no answer satisfied my scenario.

The scenario is as follows: I have a server with OpenVPN Server operational and I have generated client certificates for two other servers to connect to the OpenVPN server.

The script I used for this is on GitHub. That works well.

The problem now is that I am able to connect the clients to the OpenVPN server, but I cannot connect to any of the clients via SSH or otherwise. Over the VPN there is no problem.

Question: How do I make the clients accessible via the Internet? As far as I know, the problem seems to be that the OpenVPN server pushes a new default gateway to the clients, so that traffic can only go through the VPN. Thanks for any advice. Configuration as follows:

server.conf

port 1194
proto udp6
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

client.conf

client
proto udp
explicit-exit-notify
remote {server IP} 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name {server name} name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

OpenVPN uses IP alias for outbound traffic [Debian 10]

I have an OpenVPN server which I can connect to using an IP alias. However, if I check the IP address, the primary IP of the server is displayed, so I was wondering how I could change this so that the alias IP is used for outgoing traffic.

Integrate Samba Active Directory users with openvpn

Can anyone tell me if the integration of Samba AD users and groups with OpenVPN works?
So that Samba AD and OpenVPN share the same users.

vpn – TLS key negotiation failed – OpenVPN

Since yesterday, I cannot use OpenVPN to connect because I am having problems with TLS handshakes. The negotiation fails after 60 seconds and I can't figure out what the problem is. Ironically, everything worked fine until yesterday, and since I haven't changed anything on my system, it doesn't make sense to me. Anyone can connect to the same remote IP except me.

Tue Apr 14 10:22:01 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 (SSL (OpenSSL)) (LZO) (LZ4) (PKCS11) (AEAD) built on Oct 31 2019
Tue Apr 14 10:22:01 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Apr 14 10:22:01 2020 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Tue Apr 14 10:22:05 2020 TCP/UDP: Preserving recently used remote address: (AF_INET):1197
Tue Apr 14 10:22:05 2020 UDP link local (bound): (AF_INET)(undef):1194
Tue Apr 14 10:22:05 2020 UDP link remote: (AF_INET):1197
Tue Apr 14 10:23:05 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 14 10:23:05 2020 TLS Error: TLS handshake failed
Tue Apr 14 10:23:05 2020 SIGUSR1(soft,tls-error) received, process restarting
//// Repeats the same log messages

Config:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote  1197 udp
verify-x509-name "vpn-server" name
auth-user-pass
pkcs12 firewall-UDP4-1197-INSERTHERE.p12
tls-auth firewall-UDP4-1197-INSERTHERE-tls.key 1
remote-cert-tls server

I tried restarting the PC and the router (lol), allowing OpenVPN through the Windows Defender firewall, allowing connections on both 1194 and 1197 via Windows firewall rules, changing my DNS to 1.1.1.1 and 8.8.8.8, and checking that my time is correct via time.is (yes, it is). I tried the same thing on my laptop, which connects to the local router, to no avail.

Yesterday, a factory reset of the router allowed me to connect properly until I restarted the PC, after which the same problem returned. Then some time later, almost at random, I was able to reconnect without any problems for the rest of the day … until this morning, of course.

EDIT: I tried sharing my phone's 4G connection via USB tethering and I managed to connect without any problems. It is, however, a temporary workaround. Since it's for work (and neither I nor the sysadmin are able to understand the problem), this forces me to stay connected for about 8 hours a day, which takes up a good chunk of my limited monthly plan of 8 GB (a better one is not really available).