dbuero posted:

EDIT: I've edited the title for future searchers to better find the answers below. Cheers, db.

Hi, I have Gigabit and the maximum I can get out of AirVPN is ~300 mbps. Is there a way to couple multiple servers with OpenVPN? It doesn't work simply connecting to two servers in parallel. Any suggestions?

OpenSourcerer posted:

It's not possible, simple as that. If you are only getting 300 Mbit/s you should look if you can optimize it instead. A couple of things to watch for are the OpenVPN config and router settings. The forums provide some hints if you search around a bit.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

dbuero posted:

> 23 minutes ago, giganerd said:
> It's not possible, simple as that. If you are only getting 300 Mbit/s you should look if you can optimize it instead. A couple of things to watch for are the OpenVPN config and router settings. The forums provide some hints if you search around a bit.

Would you mind elaborating a bit on what to look for? I've already chosen a fitting MTU. I wouldn't know what there is to configure in the ovpn files. I'm already using udp 443, which should be the best option. tcp 443 is limited to pretty much exactly 100mbps.

dbuero posted:

Alright, so I've learned OpenVPN is actually garbage for high speed connections and the only way to get proper bandwidth is to run it without crypto. Whew, crap. So maybe there is a chance to get an unencrypted VPN server by AirVPN?

Flx posted:

> 10 hours ago, dbuero said:
> I wouldn't know what there is to configure in the ovpn files.

Increase the buffer level, sort of like this:

------------
rcvbuf 562144
sndbuf 562144
------------

> 9 hours ago, dbuero said:
> So maybe there is a chance to get an unencrypted VPN server by AirVPN?

Unencrypted VPN server? Where did you learn that? NEVER.

dbuero posted:

> 2 hours ago, Flx said:
> Increase the buffer level, sort of like this:
> ------------
> rcvbuf 562144
> sndbuf 562144
> ------------
> Unencrypted VPN server? Where did you learn that? NEVER.

Thank you for the reply. I've tried all the tricks with modifying the config yesterday and all I managed was going from 300 to 315 mbps. Especially the following setting had a good impact:

mssfix 0

The unencrypted connection would be OK for me as I only need the exit IP for torrenting. Of course this should be clearly marked as an unencrypted line, however it would suit my needs and I guess a lot of other people's needs as well (as about every fifth post here is about torrent speed).

Thank you again for your help.

Staff posted:

> 12 hours ago, dbuero said:
> Alright, so I've learned OpenVPN is actually garbage for high speed connections

Where have you read such idiotic nonsense?

dbuero posted:

> 5 minutes ago, Staff said:
> Where have you read such idiotic nonsense?

It is my (admittedly ignorantly shortened) summary of the following post: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

Proper high speeds seem only to be achievable with jumbo frames (or equivalent huge MTU sizes). None of which we can use here. I have no way to change either the server's MTU or the used encryption algo. So my hands are bound.

Staff posted:

@dbuero Understood. The article does not say that OpenVPN is crap for high speed lines, quite the contrary in fact.

About getting 315 Mbit/s on our infrastructure (i.e. 630 Mbit/s on the server) well, that's a good outcome, hands down, because our servers are connected to 1 Gbit/s ports and lines.

Anyway increase your buffers again, try 2 MB buffers:

rcvbuf 2097152
sndbuf 2097152

Kind regards

dbuero posted:

> 14 minutes ago, Staff said:
> @dbuero Understood. The article does not say that OpenVPN is crap for high speed lines, quite the contrary in fact.
> About getting 315 Mbit/s on our infrastructure (i.e. 630 Mbit/s on the server) well, that's a good outcome, hands down, because our servers are connected to 1 Gbit/s ports and lines.
> Anyway increase your buffers again, try 2 MB buffers:
> rcvbuf 2097152
> sndbuf 2097152
> Kind regards

Thank you very much for your answer. I have tried bigger buffers and it didn't change a thing. I didn't calculate that the server has twice the load (I thought it had two interfaces or full duplex) and there is also other traffic happening, this all makes sense.

Thank you once again for your explanation and help. I'm open for any other suggestions/ideas or tests etc. But let's face it, 300mbps ain't really slow.

dbuero posted:

According to this study, AES-GCM also performs better than the currently used CBC mode: https://www.net.in.tum.de/fileadmin/bibtex/publications/theses/2018-pudelko-vpn-performance.pdf

Staff posted:

@dbuero On systems supporting AES New Instructions, AES-GCM encryption and decryption is indeed faster than AES-CBC. In our service the default cipher for the OpenVPN Data Channel is AES-256-GCM, not CBC.

If you see that the core which OpenVPN runs in is at capacity while your system approaches the peak performance, consider using a lighter cipher, for example AES-128-GCM. Add the following directives:

ncp-disable
cipher AES-128-GCM

Of course if your system does not support AES-NI then CHACHA20-POLY1305 should be preferred.

Kind regards

dbuero posted:

> 5 hours ago, Staff said:
> @dbuero On systems supporting AES New Instructions, AES-GCM encryption and decryption is indeed faster than AES-CBC. In our service the default cipher for the OpenVPN Data Channel is AES-256-GCM, not CBC.
> If you see that the core which OpenVPN runs in is at capacity while your system approaches the peak performance, consider using a lighter cipher, for example AES-128-GCM. Add the following directives:
> ncp-disable
> cipher AES-128-GCM
> Of course if your system does not support AES-NI then CHACHA20-POLY1305 should be preferred.
> Kind regards

I've downloaded a fresh config for Frankfurt Ogma yesterday and it was configured to use AES-256-CBC. That's why I assumed it was standard everywhere. I've tried changing the crypto algo and got an error message about conflicting crypto between client and server (also if configuring cipher none). I'll try again though, thank you very much.

What does ncp-disable do?
-edit: it disabled the automatic upgrade to AES-256-GCM and is required to run a deprecated encryption.

Btw I'm running an i7 with AES-NI support.

Staff posted:

@dbuero ncp-disable directive disables “negotiable crypto parameters” for the Data Channel. Therefore, the client becomes free to pick a cipher for the Data Channel in the cipher directive, if such cipher is supported on the server side. Without ncp-disable it's expected that you get the error you mention, except for the 1st "favorite" cipher the VPN server wants to negotiate (AES-256-GCM).

That's also the reason why we say that AES-GCM has priority over CBC: the CG will generate "cipher AES-256-CBC" for backward compatibility with those old OpenVPN versions that don't support ncp and/or AES-GCM, but newer OpenVPN versions will negotiate AES-GCM.

cipher none is not available in any case, as our servers are not configured to admit unencrypted connections for obvious reasons.

Anyway, unless your system is loaded by other tasks, a single i7 core (which implements AES New Instructions) can perfectly handle your peak bandwidth, especially when AES-NI is supported by the system. If you see anyway that a core is at capacity (it can happen if your system is loaded by other tasks), try our suggestion:

ncp-disable
cipher AES-128-GCM

Don't bother with CHACHA20-POLY1305 if your system supports AES-NI.

Kind regards

dbuero posted:

> 1 hour ago, Staff said:
> Don't bother with CHACHA20-POLY1305 if your system supports AES-NI.

Just for shits and giggles I've tried chacha and it was declined as unsupported.

The attempt to downgrade to aes128 was also not successful (I think) according to these warnings:

WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Also please note the "remote='cipher AES-256-CBC'" (yes, CBC) entry on Ogma!

Staff posted:

@dbuero Hello!

CHACHA20-POLY1305 is available only on the servers running OpenVPN 2.5 beta, you can recognize them marked in yellow with the sentence "Experimental ChaCha20" (one in Canada, one in the USA, two in the Netherlands and one in Singapore).

You can safely ignore those warnings - it's important however that you run OpenVPN 2.4 or higher version.

Kind regards

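A way to check which cipher the data channel was actually keyed with, instead of inferring it from the "used inconsistently" warnings discussed in the two posts above (an added example, not part of the thread). The two Data Channel lines in the sample are constructed in the format OpenVPN 2.4 logs when it installs keys, and `audit_data_channel` is a hypothetical helper name.

```python
import re

# Sample log: the WARNING and Control Channel lines are the ones quoted in the
# thread; the two Data Channel lines are CONSTRUCTED for this example.
SAMPLE_LOG = """\
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
"""

OCC_WARNING = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
DATA_KEY = re.compile(
    r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized with (\d+) bit key")
AEAD_MARKERS = ("-GCM", "CHACHA20-POLY1305")


def audit_data_channel(log_text, wanted_cipher):
    """Separate advisory option warnings from the cipher actually keyed."""
    advisory = {}  # option -> (local, remote) as reported by the options check
    keyed = {}     # direction -> (cipher, key bits) actually installed
    for line in log_text.splitlines():
        warn = OCC_WARNING.search(line)
        if warn:
            advisory[warn.group(1)] = (warn.group(2), warn.group(3))
            continue
        key = DATA_KEY.search(line)
        if key:
            keyed[key.group(1)] = (key.group(2), int(key.group(3)))
    distinct = set(keyed.values())
    # Only trust a result when both directions were keyed with the same cipher.
    effective = distinct.pop() if len(keyed) == 2 and len(distinct) == 1 else None
    cipher = effective[0] if effective else None
    return {
        "advisory_mismatches": sorted(advisory),
        "effective_cipher": cipher,
        "key_bits": effective[1] if effective else None,
        "aead": bool(cipher) and cipher.upper().endswith(AEAD_MARKERS),
        "matches_wanted": cipher == wanted_cipher,
    }


if __name__ == "__main__":
    print(audit_data_channel(SAMPLE_LOG, "AES-128-GCM"))
```

When `effective_cipher` is `None`, the log holds no keying lines for both directions, so the warnings alone say nothing about which cipher is in use.
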
dbuero posted:

> 5 minutes ago, Staff said:
> CHACHA20-POLY1305 is available only on the servers running OpenVPN 2.5 beta, you can recognize them marked in yellow with the sentence "Experimental ChaCha20" (one in Canada, one in the USA, two in the Netherlands and one in Singapore).
> You can safely ignore those warnings - it's important however that you run OpenVPN 2.4 or higher version.

I'm running the latest OpenVPN version. I'll try these servers (but don't expect much, as they are further away).

Staff posted:

@dbuero Yes, on top of that CHACHA20 will not give you any boost if your system supports AES-NI. About AES-128-GCM, it can be beneficial for performance only if the conditions we specified were met.

Kind regards

dbuero posted:

Concluding my tests:

Worst crypto to choose: AES-128-CFB1, brutally bad performance.

Best crypto setting:

ncp-disable
cipher AES-128-GCM

(pretty much identical to CBC performance wise)

Send and receive buffers were best at around 500k like Flx suggested (2m and 1m were slightly worse, no idea why):

sndbuf 524288
rcvbuf 524288

These settings also helped performance:

fragment 0
mssfix 0

Also I've just checked the stats and the German servers don't seem to go above 300mbps at all. The only exception I found were some of the Alblasserdam NL servers that seem to reach 600mbps.

Edit: but that has absolutely no effect on my connection to these servers. No chance of reaching anything (significantly) above 300mbps (which also is visible in the user stats, as no one is reaching more).

dbuero posted:

Ladies and gentlemen: Thanks to @Flx I was able to up the speeds a bit more. Using the new wintun beta of OpenVPN 2.5 I'm now at slightly above 500mbps.

-Link to OpenVPN 2.5: http://staging.openvpn.net/openvpn2/

See here:

Basically you just need to install the new 2.5 OpenVPN version, start OpenVPN as administrator (!) and add the following line to the conf file:

windows-driver wintun

- I somehow had to put it as one of the last points or it would give me some cryptic error message, also it didn't work in combination with "auth sha512" as suggested in the aforementioned post.

So thank you again @Flx!

EDIT: Completely idle Frankfurt Mirfak delivered >570mbps: https://deutsche-glasfaser.speedtestcustom.com/result/7cea7f20-5c60-11ea-8fed-e3d7efa295ff

Neat 😎

Staff posted:

@dbuero Outstanding throughput for Windows, congratulations! You did not mention in this thread that you were running Windows, so we assumed that you ran a different system, sorry, we could have saved you a lot of time.

Finally Windows should have a driver for a virtual network interface that allows throughput more in line with what you can get with other systems. Eddie 2.18 beta 8 has been planned to support Wintun.

We are also following OpenVPN Linux kernel module (currently closed source, but they could decide to release it under some open source license during 2020). Although our servers can already reach line capacity, higher than 1 Gbit/s throughput is achieved only via multiple OpenVPN daemons, one per core.

Spread the word about the performance you can get now with AirVPN and Windows!

Kind regards

dbuero posted:

> 2 hours ago, Staff said:
> @dbuero Spread the word about the performance you can get now with AirVPN and Windows!

Already did before, for anything but Netflix AirVPN is absolutely awesome. I'm a long time customer and already got a 3 year subscription 😎 Plus I've already got a buddy to also sign up to your service. So far I'm very happy.

Cheers 🤘

dbuero posted:

> On 3/2/2020 at 11:00 AM, Staff said:
> @dbuero Spread the word about the performance you can get now with AirVPN and Windows!
> Kind regards

@Staff Guys, honest question: Do you guys limit my VPN downstream to 70mbps while torrenting? Vodafone swears to god it's not them.

Since my torrent speedtests, which also peaked at around 40mb/s, my speed is heavily reduced as soon as torrent traffic is running :'D - yup it's reproducible

EDIT: Without VPN I get unthrottled torrent speeds, guuuuys what's going on? Did I earn a rank on some black list?

Staff posted:

@dbuero Hello, no, we don't throttle anything. In most cases throttling is self-inflicted, with or without awareness (strange but true). Second most common cause is traffic shaping by ISP.

Kind regards

OpenSourcerer posted:

> 2 hours ago, dbuero said:
> Since my torrent speedtests, which also peaked at around 40mb/s, my speed is heavily reduced as soon as torrent traffic is running :'D - yup it's reproducible

How many torrents are doing what (seeding/downloading)? What are your connection settings? Client? Are you by any chance using a rotating drive for storage?