dbuero

ANSWERED [SOLVED] Howto: Optimize AirVPN for Gigabit Win10

EDIT: I've edited the title for future searchers to better find the answers below. Cheers db.

Hi,
I have Gigabit and the maximum I can get out of AirVPN is ~300 mbps.
-> Is there a way to couple multiple servers with OpenVPN? It doesn't work simply connecting to two servers in parallel.

Any suggestions?

It's not possible, simple as that. If you are only getting 300 Mbit/s you should look if you can optimize it instead. Couple of things to watch for are OpenVPN config and router settings. The forums provide some hints if you search a bit around.


Four simple things:
There's a guide to AirVPN. Before you ask questions, take 30 minutes of your time to go through it.

Amazon IPs are not dangerous here. It's the fallback DNS.
Running TOR exits is discouraged. They're subject to restrictions on the internet and harm all AirVPN users.

Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, you'll be unique among the mass again.

 

XMPP: gigan3rd@xmpp.airvpn.org or join our lounge@conference.xmpp.airvpn.org

23 minutes ago, giganerd said:

It's not possible, simple as that. If you are only getting 300 Mbit/s you should look if you can optimize it instead. Couple of things to watch for are OpenVPN config and router settings. The forums provide some hints if you search a bit around.

Would you mind elaborating a bit on what to look for? I've already chosen a fitting MTU. I wouldn't know what there is to configure in the ovpn files. I'm already using udp 443 which should be the best option. tcp 443 is limited to pretty much exactly 100mbps.

Alright, so I've learned OpenVPN is actually garbage for high speed connections and the only way to get proper bandwidth is to run it without crypto. Whew crap.

So maybe there is a chance to get an unencrypted vpn server by airvpn?

10 hours ago, dbuero said:

I wouldn't know what is to configure on the ovpn files.

Increase the buffer level sort of like this:
------------
rcvbuf 562144
sndbuf 562144
------------
9 hours ago, dbuero said:

So maybe there is a chance to get an unencrypted vpn server by airvpn?

unencrypted vpn server? Where did you learn that?
NEVER.

2 hours ago, Flx said:
Increase the buffer level sort of like this:
------------
rcvbuf 562144
sndbuf 562144
------------
unencrypted vpn server? Where did you learn that?
NEVER.

Thank you for the reply. I've tried all the tricks with modifying the config yesterday and all I managed was going from 300 to 315 mbps. Especially the following setting had a good impact:
mssfix 0

The unencrypted connection would be ok for me as I only need the exit IP for torrenting. Of course this should be clearly marked as an unencrypted line, however it would suit my needs and I guess a lot of other people's needs as well (as about every fifth post here is about torrent speed :D)

Thank you again for your help.

12 hours ago, dbuero said:

Alright, so I've learned OpenVPN is actually garbage for high speed connections


Where have you read such idiotic nonsense?

5 minutes ago, Staff said:

Where have you read such idiotic nonsense?

It is my (admittedly ignorantly shortened) summary of the following post:
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

Proper high speeds seem only to be achievable with jumbo frames (or equivalent huge mtu sizes).

None of which we can use here.
I have no way to change either the server's MTU or the used encryption algo. So my hands are bound.

@dbuero

Understood. The article does not say that OpenVPN is crap for high speed lines, quite the contrary in fact.

About getting 315 Mbit/s on our infrastructure  (i.e. 630 Mbit/s on the server) well, that's a good outcome, hands down, because our servers are connected to 1 Gbit/s ports and lines. Anyway increase your buffers again, try 2 MB buffers:
rcvbuf 2097152
sndbuf 2097152
Kind regards
 

14 minutes ago, Staff said:
@dbuero

Understood. The article does not say that OpenVPN is crap for high speed lines, quite the contrary in fact.

About getting 315 Mbit/s on our infrastructure  (i.e. 630 Mbit/s on the server) well, that's a good outcome, hands down, because our servers are connected to 1 Gbit/s ports and lines. Anyway increase your buffers again, try 2 MB buffers:

rcvbuf 2097152
sndbuf 2097152
Kind regards
 

Thank you very much for your answer. I have tried bigger buffers and it didn't change a thing.

I didn't calculate that the server has twice the load (I thought it had two interfaces or full duplex) and there is also other traffic happening, this all makes sense.
Thank you once again for your explanation and help.

I'm open for any other suggestions /ideas or tests etc.

But let's face it 300mbps ain't really slow ;)

@dbuero

On systems supporting AES New Instructions, AES-GCM encryption and decryption is indeed faster than AES-CBC.

In our service the default cipher for the OpenVPN Data Channel is AES-256-GCM, not CBC.

If you see that the core which OpenVPN runs in is at capacity while your system approaches the peak performance, consider using a lighter cipher, for example AES-128-GCM. Add the following directives:
ncp-disable
cipher AES-128-GCM

Of course if your system does not support AES-NI then CHACHA20-POLY1305 should be preferred.

Kind regards
 

5 hours ago, Staff said:
@dbuero

On systems supporting AES New Instructions, AES-GCM encryption and decryption is indeed faster than AES-CBC.

In our service the default cipher for the OpenVPN Data Channel is AES-256-GCM, not CBC.

If you see that the core which OpenVPN runs in is at capacity while your system approaches the peak performance, consider using a lighter cipher, for example AES-128-GCM. Add the following directives:

ncp-disable
cipher AES-128-GCM

Of course if your system does not support AES-NI then CHACHA20-POLY1305 should be preferred.

Kind regards
 

I've downloaded a fresh config for Frankfurt ogma yesterday and it was configured to use aes 256 cbc. That's why I assumed it was standard everywhere.

I've tried changing the crypto algo and got an error message about conflicting crypto between client and server (also if configuring
cipher none)

I'll try again though, thank you very much.

What does ncp-disable do?
-edit : it disabled the automatic upgrade to aes256gcm and is required to run a deprecated encryption.

Btw I'm running an i7 with aes-ni support.

@dbuero

ncp-disable directive disables “negotiable crypto parameters” for the Data Channel. Therefore, the client becomes free to pick a cipher for the Data Channel in the cipher directive, if such cipher is supported on the server side.

Without ncp-disable it's expected that you get the error you mention, except for the 1st "favorite" cipher the VPN server wants to negotiate (AES-256-GCM).

That's also the reason why we say that AES-GCM has priority over CBC: the CG will generate "cipher AES-256-CBC" for backward compatibility with those old OpenVPN versions that don't support ncp and/or AES-GCM, but newer OpenVPN versions will negotiate AES-GCM. cipher none is not available in any case, as our servers are not configured to admit unencrypted connections for obvious reasons.

Anyway, unless your system is loaded by other tasks, a single i7 core (which implements AES New Instructions) can perfectly handle your peak bandwidth, especially when AES-NI is supported by the system. If you see anyway that a core is at capacity (it can happen if your system is loaded by other tasks), try our suggestion:
 
ncp-disable
cipher AES-128-GCM

Don't bother with CHACHA20-POLY1305 if your system supports AES-NI.

Kind regards
 

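Added example, not part of the thread and not AirVPN's tooling: a small Python audit of the data-channel directives explained in the post above (`cipher`, `auth`, `ncp-disable`) for an OpenVPN 2.4 client profile. The profile texts are constructed samples and the function names are illustrative; the check relies on OpenVPN 2.4 falling back to BF-CBC when no `cipher` line is present.

```python
# Added example (not from the thread): audit data-channel directives in an
# OpenVPN 2.4 client profile. Function names are illustrative.
AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

def parse_directives(text):
    """Map directive -> argument list, skipping comments and inline <ca>-style blocks."""
    out, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line[0] in "#;":
            continue
        name, *args = line.split()
        out[name.lower()] = args
    return out

def audit(text):
    """Return (cipher the client ends up requesting, list of findings)."""
    d = parse_directives(text)
    # OpenVPN 2.4 falls back to BF-CBC when the profile has no cipher line.
    cipher = (d.get("cipher") or ["BF-CBC"])[0].upper()
    auth = (d.get("auth") or [""])[0].upper()
    pinned = "ncp-disable" in d   # no negotiation: the cipher line is final
    findings = []
    if cipher == "NONE":
        findings.append("cipher none: data channel would be unencrypted")
    elif pinned and cipher not in AEAD:
        findings.append(f"ncp-disable pins non-AEAD cipher {cipher}")
    if auth == "NONE" and cipher not in AEAD:
        findings.append("auth none: non-AEAD packets would be unauthenticated")
    return (cipher if pinned else "negotiated (NCP)"), findings

# Constructed sample profiles, reduced to the lines that matter here.
GENERATED = "client\nproto udp\ncipher AES-256-CBC\n<ca>\n(certificate omitted)\n</ca>\n"
TUNED = "client\nproto udp\nsndbuf 524288\nrcvbuf 524288\nncp-disable\ncipher AES-128-GCM\n"
PLAINTEXT = "client\nncp-disable\ncipher none\nauth none\n"
SLOW = "client\nncp-disable\ncipher AES-128-CFB1\n"

if __name__ == "__main__":
    for name, profile in [("generated", GENERATED), ("tuned", TUNED),
                          ("plaintext", PLAINTEXT), ("slow", SLOW)]:
        print(name, audit(profile))
```
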
1 hour ago, Staff said:
Don't bother with CHACHA20-POLY1305 if your system supports AES-NI.
 
Just for shits and giggles I've tried chacha and it was declined as unsupported.

The attempt to downgrade to aes128 was also not successful (I think) according to these warnings:
 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA


Also please note the "remote='cipher AES-256-CBC'" yes CBC - entry! on Ogma.

@dbuero

Hello!

CHACHA20-POLY1305 is available only on the servers running OpenVPN 2.5 beta, you can recognize them marked in yellow with the sentence "Experimental ChaCha20" (one in Canada, one in the USA, two in the Netherlands and one in Singapore).


You can safely ignore those warnings - it's important however that you run OpenVPN 2.4 or higher version.

Kind regards
 

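Added example, not part of the thread: the "used inconsistently" warnings compare the option strings of the two sides, so confirming which cipher the tunnel really runs on means reading the data-channel initialisation lines of the same log. This Python sketch does that; the three warnings are the ones quoted in the thread, the "Data Channel" lines are constructed, and their wording is assumed from OpenVPN 2.4 client logs.

```python
# Added example (not from the thread): read an OpenVPN client log and report
# which cipher the data channel was actually initialised with.
import re

OCC = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, "
                 r"local='([^']*)', remote='([^']*)'")
# Matches "Outgoing Data Channel: Cipher ..." and the older
# "Data Channel Encrypt: Cipher ..." wording (formats assumed from 2.4 logs).
DATA = re.compile(r"Data Channel(?: Encrypt| Decrypt)?: Cipher '([^']+)' initialized")

def last_word(s):
    return (s.split() or [""])[-1]

def verdict(log_text, wanted):
    """Compare the cipher requested in the profile with what the log shows."""
    occ = {m[1]: (last_word(m[2]), last_word(m[3])) for m in OCC.finditer(log_text)}
    in_use = set(DATA.findall(log_text))
    if not in_use:
        return "unknown: no data channel initialisation line in log"
    if in_use != {wanted}:
        return f"mismatch: tunnel uses {sorted(in_use)}, profile asked for {wanted}"
    if "cipher" in occ:
        return f"ok: {wanted} in use; peer's option string lists {occ['cipher'][1]}"
    return f"ok: {wanted} in use"

# The three warnings are the ones quoted in the thread.
WARNINGS = """\
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
"""
# Constructed lines: what a honoured and a not-honoured cipher pin would log.
PINNED = WARNINGS + """\
Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
"""
NOT_PINNED = WARNINGS + """\
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

if __name__ == "__main__":
    for log in (PINNED, NOT_PINNED, WARNINGS):
        print(verdict(log, "AES-128-GCM"))
```
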
5 minutes ago, Staff said:
CHACHA20-POLY1305 is available only on the servers running OpenVPN 2.5 beta, you can recognize them marked in yellow with the sentence "Experimental ChaCha20" (one in Canada, one in the USA, two in the Netherlands and one in Singapore).

You can safely ignore those warnings - it's important however that you run OpenVPN 2.4 or higher version.

I'm running the latest OpenVPN version. I'll try these servers (but don't expect much, as they are further away)

@dbuero

Yes, on top of that CHACHA20 will not give you any boost if your system supports AES-NI.

About AES-128-GCM, it can be beneficial for performance only if the conditions we specified were met.

Kind regards
 


Concluding my Tests:
Worst crypto to choose: AES-128-CFB1 brutally bad performance. :D
Best crypto setting:
ncp-disable
cipher AES-128-GCM
(pretty much identical to CBC performance wise)

Send and receive buffers were best at around 500k like Flx suggested (2m and 1m were slightly worse, no idea why)

sndbuf 524288
rcvbuf 524288

These settings also helped performance:
fragment 0
mssfix 0

Also I've just checked the stats and the German servers don't seem to go above 300mbps at all. The only exception I found were some of the Alblasserdam NL servers that seem to reach 600mbps. Edit: but that has absolutely no effect on my connection to these servers. No chance of reaching anything (significantly) above 300mbps (which also is visible in the user stats, as no one is reaching more).


Ladies and gentlemen:
Thanks to @Flx I was able to up the speeds a bit more:

Using the new wintun beta of openVPN 2.5 I'm now at slightly above 500mbps. 
-Link to openVPN 2.5: http://staging.openvpn.net/openvpn2/

See here: 



Basically you just need to install the new 2.5 OpenVPN version, start OpenVPN as administrator (!) and add the following line to the conf file:
windows-driver wintun

- I somehow had to put it as one of the last points or it would give me some cryptic error message, also it didn't work in combination with "auth sha512" as suggested in the aforementioned post.

So thank you again @Flx!

EDIT: Completely Idle Frankfurt Mirfak delivered >570mbps: https://deutsche-glasfaser.speedtestcustom.com/result/7cea7f20-5c60-11ea-8fed-e3d7efa295ff
Neat 😎

@dbuero

Outstanding throughput for Windows, congratulations! You did not mention in this thread that you were running Windows, so we assumed that you ran a different system, sorry, we could have made you save a lot of time.

Finally Windows should have a driver for a virtual network interface that allows throughput more in line to what you can get with other systems. Eddie 2.18 beta 8 has been planned to support Wintun. We are also following OpenVPN Linux kernel module (currently closed source, but they could decide to release it under some open source license during 2020). Although our servers can already reach line capacity, higher than 1 Gbit/s throughput is achieved only via multiple OpenVPN daemons, one per core.

Spread the word about the performance you can get now with AirVPN and Windows! :D

Kind regards
 

2 hours ago, Staff said:
@dbuero

Spread the word about the performance you can get now with AirVPN and Windows! :D
 

Already did before, for anything but Netflix AirVPN is absolutely awesome. I'm a long time customer and already got a 3 year subscription 😎
Plus I've already got a buddy to also sign up to your service. So far I'm very happy.

Cheers 🤘

On 3/2/2020 at 11:00 AM, Staff said:
@dbuero

Spread the word about the performance you can get now with AirVPN and Windows! :D

Kind regards
 

@Staff Guys, honest question: Do you guys limit my VPN downstream to 70mbps while torrenting? Vodafone swears to god it's not them :D
Since my Torrent Speedtests which also peaked at around 40mb/s my speed is heavily reduced as soon as torrent traffic is running :'D - yup it's reproducible

EDIT: Without VPN I get unthrottled torrent speeds, guuuuys what's going on? Did I earn a rank on some black list?

@dbuero

Hello,

no, we don't throttle anything. In most cases throttling is self-inflicted, with or without awareness (strange but true). Second most common cause is traffic shaping by ISP.

Kind regards
 

2 hours ago, dbuero said:

Since my Torrent Speedtests which also peaked at around 40mb/s my speed is heavily reduced as soon as torrent traffic is running :'D - yup it's reproducible


How many torrents are doing what (seeding/downloading)? What are your connection settings? Client?
Are you by any chance using a rotating drive for storage?
