[HELP] OpenVPN Massive Packet Loss...

Hi Guys,

I set up an OpenVPN server on a Ubuntu VPS of mine. Everything seems fine, and the client worked fine when I used certificate based auth on Windows. But since I had to use user-pass-auth to get the Mikrotik RB working, I changed my server settings drastically to get the Mikrotik router to connect, such as LZO compression disabled, set auth-pass-auth, etc.

The result is below:

It's worth noting, now that I changed to user-pass-auth, my Windows OVPN client doesn't get a gateway automagically, which is strange. But for the most part, for a couple seconds after the VPN dialled on the Mikrotik, sites load.. almost. The packet loss is a killer. I've tested for the correct MTU, all the way from 1600 down to 28... packet loss remains erratic, until it fails completely.

These are my settings:


[kwagga@kwagganet] /interface ovpn-client> print
Flags: X - disabled, R - running
0 X name="VPN-OVPN-server.fqdn.com" mac-address=02:D6:1A:0E:E6:D3 max-mtu=1450
connect-to=OVPN-server.fqdn.com port=1194 mode=ip user="kwagga"
password="PASSWORD" profile=OVPN certificate=none auth=sha1
cipher=blowfish128 add-default-route=no

...and on the server:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
#comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3



What I want is a separate WLAN that routes only to the VPN.

This is partially working,

[kwagga@kwagganet] > /interface bridge print
Flags: X - disabled, R - running
0 R name="BRIDGE-VLAN20-USA" mtu=auto actual-mtu=1500 l2mtu=2290 arp=enabled mac-address=D6:CA:6D:6D:0D:7B
protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

Ports:
6 I WLAN_USA BRIDGE-VLAN20-USA 0x80 10 none
7 I VPN-OVPN-server.fqdn.com BRIDGE-VLAN20-USA 0x80 10 none

[kwagga@kwagganet] > /ip rou pri
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 VPN-OVPN-... 1
1 A S 0.0.0.0/0 192.168.1.1 1
2 ADC 10.8.0.1/32 10.8.0.10 VPN-OVPN-... 0
3 ADC 192.168.1.0/24 192.168.1.2 WAN-Bridge 0
4 X S 192.168.2.1/32 WAN 1
5 ADC 192.168.168.80/28 192.168.168.91 bridge-local 0
6 ADC 192.168.169.80/28 192.168.169.81 BRIDGE-VLAN20-USA 0

with the OVPN interface being masqueraded, and route marking being applied to route all WLAN 192.168.169.80/28 traffic to the OVPN interface.
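One way to check the two sides against each other, added here as an example (not part of the original post, and not OpenVPN's or RouterOS's own tooling): it parses the server directives and the RouterOS `print` listing in the shape shown above and flags the mismatches that typically leave a Mikrotik OVPN client half-working (protocol, compression, cipher, HMAC, MTU). The OpenVPN 2.3 defaults it falls back to (BF-CBC, SHA1, tun-mtu 1500) and the RouterOS v6 cipher-name mapping are assumptions; the sample inputs are constructed from the post.

```python
import re

# Constructed inputs shaped like the post's configs (server side abbreviated)
SERVER_CONF = """
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
;cipher BF-CBC # Blowfish (default)
#comp-lzo
"""
ROS_PRINT = """
0 X name="VPN-OVPN-server.fqdn.com" mac-address=02:D6:1A:0E:E6:D3 max-mtu=1450
connect-to=OVPN-server.fqdn.com port=1194 mode=ip user="kwagga"
password="PASSWORD" profile=OVPN certificate=none auth=sha1
cipher=blowfish128 add-default-route=no
"""
# RouterOS v6 cipher names -> OpenVPN cipher names (assumed mapping)
ROS_CIPHER = {"blowfish128": "BF-CBC", "aes128": "AES-128-CBC",
              "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}

def parse_server_conf(text):
    """Directive -> list of argument strings; ';' and '#' introduce comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key, []).append(rest.split("#")[0].strip())
    return conf

def parse_ros_print(text):
    """key=value pairs from a RouterOS 'print' listing, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', text)}

def check_compat(server, client):
    """Return the list of server/client mismatches found (empty = consistent)."""
    findings = []
    if server.get("proto", ["udp"])[0] != "tcp":
        findings.append("RouterOS OVPN client only speaks TCP; server proto is not tcp")
    if "comp-lzo" in server or "compress" in server:
        findings.append("compression enabled on server; RouterOS client does not support it")
    srv_cipher = server.get("cipher", ["BF-CBC"])[0]        # OpenVPN 2.3 default (assumption)
    if ROS_CIPHER.get(client.get("cipher", "")) != srv_cipher:
        findings.append("cipher mismatch: server %s vs client %s" % (srv_cipher, client.get("cipher")))
    srv_auth = server.get("auth", ["SHA1"])[0].upper()      # OpenVPN default HMAC (assumption)
    if client.get("auth", "").upper() != srv_auth:
        findings.append("auth mismatch: server %s vs client %s" % (srv_auth, client.get("auth")))
    tun_mtu = int(server.get("tun-mtu", ["1500"])[0])
    if int(client.get("max-mtu", "1500")) > tun_mtu:
        findings.append("client max-mtu exceeds server tun-mtu %d" % tun_mtu)
    return findings
```

Running `check_compat(parse_server_conf(SERVER_CONF), parse_ros_print(ROS_PRINT))` on the post's settings returns no findings, which narrows the packet loss to the path (TCP-in-TCP, MTU on the link) rather than a crypto or compression mismatch.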