Jump to content
Not connected, Your IP: 18.219.47.239
nan0tEch

ANSWERED high latency and packet loss on active torrent download

Recommended Posts

Anyone any idea how to troubleshoot my vpn connections on why they get high(er) latency and packet loss. I'm running pfsense+ v22.05 and openvpn to connect to airvpn. I used the configuration generator from airvpn and imported via the openvpn client tool on pfsense. After a few tests its seems to be only on the torrent file transfer, normal http upload don't effect the packet loss and or latency. the fire wall is setup via port forward on the airvpn port and outgoing via a 3vpn load balanced connection. 

On the idle moments or low traffic there seems nothing going on.

819325347_Screenshot2023-02-09at20_52_54.thumb.png.ac733329c4739f6d54cf29d7f349e44d.png

On moderated load its starts to get the packet losses
647747057_Screenshot2023-02-09at20_48_33.thumb.png.5120f3cbdf9c5fb2c0abd7dd9c3921f1.png

the torrent and normal traffic is going over a load ballanced gateway that uses the first 3 connections

1189414213_Screenshot2023-02-09at20_49_41.thumb.png.6213c14915244d72336be7d987d522dc.png

1861482166_Screenshot2023-02-09at21_38_19.thumb.png.700b440960731d46787116965bc67f56.png


This is a log from restarting a vpn connection to airvpn (my local ip is redacted)

Feb  9 21:40:36 starbase openvpn[52488]: VERIFY WARNING: depth=0, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Situla, emailAddress=info@airvpn.org
Feb  9 21:40:36 starbase openvpn[52488]: VERIFY WARNING: depth=1, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Feb  9 21:40:36 starbase openvpn[52488]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Feb  9 21:40:36 starbase openvpn[52488]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Situla, emailAddress=info@airvpn.org
Feb  9 21:40:36 starbase openvpn[52488]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Feb  9 21:40:36 starbase openvpn[52488]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Feb  9 21:40:36 starbase openvpn[52488]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Feb  9 21:40:41 starbase openvpn[90773]: event_wait : Interrupted system call (fd=-1,code=4)
Feb  9 21:40:41 starbase openvpn[90773]: SIGTERM received, sending exit notification to peer
Feb  9 21:40:43 starbase openvpn[56406]: AEAD Decrypt error: bad packet ID (may be a replay): [ #77157 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb  9 21:40:44 starbase openvpn[56406]: AEAD Decrypt error: bad packet ID (may be a replay): [ #77431 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb  9 21:40:45 starbase openvpn[95325]: OpenVPN 2.6_git amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Sep  8 2022
Feb  9 21:40:45 starbase openvpn[95325]: library versions: OpenSSL 1.1.1n-freebsd  15 Mar 2022, LZO 2.10
Feb  9 21:40:45 starbase openvpn[95554]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2/sock
Feb  9 21:40:45 starbase openvpn[95554]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  9 21:40:45 starbase openvpn[95554]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  9 21:40:45 starbase openvpn[95554]: Initializing OpenSSL support for engine 'rdrand'
Feb  9 21:40:45 starbase openvpn[95554]: WARNING: experimental option --capath /var/etc/openvpn/client2/ca
Feb  9 21:40:45 starbase openvpn[95554]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb  9 21:40:45 starbase openvpn[95554]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb  9 21:40:45 starbase openvpn[95554]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Feb  9 21:40:45 starbase openvpn[95554]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb  9 21:40:45 starbase openvpn[95554]: TCP/UDP: Preserving recently used remote address: [AF_INET]194.187.251.93:443
Feb  9 21:40:45 starbase openvpn[95554]: Socket Buffers: R=[42080->524288] S=[57344->524288]
Feb  9 21:40:45 starbase openvpn[95554]: UDPv4 link local (bound): [AF_INET]xx.xx.xxx.100:0  <- redacted ip adress
Feb  9 21:40:45 starbase openvpn[95554]: UDPv4 link remote: [AF_INET]194.187.251.93:443
Feb  9 21:40:45 starbase openvpn[95554]: TLS: Initial packet from [AF_INET]194.187.251.93:443, sid=6f658bd1 a82fb51a
Feb  9 21:40:45 starbase openvpn[95554]: VERIFY WARNING: depth=0, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Capricornus, emailAddress=info@airvpn.org
Feb  9 21:40:45 starbase openvpn[95554]: VERIFY WARNING: depth=1, unable to get certificate CRL: C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Feb  9 21:40:45 starbase openvpn[95554]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Feb  9 21:40:45 starbase openvpn[95554]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Capricornus, emailAddress=info@airvpn.org
Feb  9 21:40:45 starbase openvpn[95554]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Feb  9 21:40:45 starbase openvpn[95554]: [Capricornus] Peer Connection Initiated with [AF_INET]194.187.251.93:443
Feb  9 21:40:45 starbase openvpn[56406]: AEAD Decrypt error: bad packet ID (may be a replay): [ #77648 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb  9 21:40:45 starbase openvpn[95554]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.12.178.1,route-gateway 10.12.178.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.12.178.2 255.255.255.0,peer-id 2,cipher CHACHA20-POLY1305'
Feb  9 21:40:45 starbase openvpn[95554]: ROUTE_GATEWAY xx.xx.xxx.1/255.255.248.0 IFACE=igb0 HWADDR=a0:36:9f:05:dd:74.       <- redacted ip adress
Feb  9 21:40:45 starbase openvpn[95554]: TUN/TAP device ovpnc2 exists previously, keep at program end
Feb  9 21:40:45 starbase openvpn[95554]: TUN/TAP device /dev/tun2 opened
Feb  9 21:40:45 starbase openvpn[95554]: /sbin/ifconfig ovpnc2 10.12.178.2 10.12.178.1 mtu 1500 netmask 255.255.255.0 up
Feb  9 21:40:45 starbase openvpn[95554]: /sbin/route add -net 10.12.178.0 10.12.178.1 255.255.255.0
Feb  9 21:40:45 starbase openvpn[95554]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 0 10.12.178.2 255.255.255.0 init
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: timers and/or timeouts modified
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: compression parms modified
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: --ifconfig/up options modified
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: route options modified
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: route-related options modified
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: peer-id set
Feb  9 21:40:45 starbase openvpn[95554]: OPTIONS IMPORT: data channel crypto options modified
Feb  9 21:40:45 starbase openvpn[95554]: Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
Feb  9 21:40:45 starbase openvpn[95554]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Feb  9 21:40:45 starbase openvpn[95554]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Feb  9 21:40:45 starbase openvpn[95554]: Initialization Sequence Completed






 

Share this post


Link to post
@nan0tEch

Hello!

Try the following:
  1. enforce mssfix n directive (n is in bytes). This directive tells OpenVPN to split TCP packets (inside the UDP tunnel) larger than n bytes. This directive may resolve MTU size problems. Try for example with mssfix 1320 if your connection is via Ethernet or WiFi
  2. if you have an asymmetric line (ADSL etc.), make sure that the maximum allowed upload bandwidth of the torrent software does not "choke" the throughput. To stay on the safe side, limit (from its own settings) the torrent software to use at most 66% of your available upload bandwidth
Check any combination of the above attempts (only 1, only 2 and both 1 and 2).

Kind regards
 

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...