On 01/03/10 13:04, booyakasha wrote:
> Hello,
> there are so many complaints about openvpn performance in proto tcp mode
> that it is almost unbelievable that nobody took care of it. I am using two
> 20/20 MB connections and an openvpn
> tunnel in tcp mode. Without vpn my ping is about 10ms but with vpn it jumps
> to 520ms. What is most interesting is that when I use ping -l 1472, which is the maximum
> packet size for MTU 1500, ping is OK and about 13ms. Any other size than 1472
> (which means 1500 = 1472 + 28 overhead) causes ping to take values of about
> 500-600ms. And it is not acceptable for me to use UDP because of my company
> policy. I think that it is a very common problem and not yet answered. I am
> taking a wild guess that everything works OK with proper packet size = MTU but
> when the packet is smaller or larger (with fragmentation) it causes lags. Looking
> forward to your answers.
>
Could this be related to this?

<http://sites.inka.de/~bigred/devel/tcp-tcp.html>

And the moment you exceed the MTU size (1500) in your ping requests, you will produce more TCP packets. You might even hit some issues with the Nagle algorithm as well? (Have you tried with --socket-flags TCP_NODELAY?) ...

As you have a strict firewall policy, could it be that this causes some issues? Or it might be that you need some tuning on the --link-mtu, --tun-mtu or --tun-mtu-extra? Have you tried running an OpenVPN client with --mtu-test?

Providing more information about your configuration and what you have tried so far would also be helpful, and not just a rather nasty accusation. In many cases, what you complain about here is often connected to configuration issues. Even so, TCP will never ever be as efficient as UDP. You also don't state if you are using TUN or TAP mode (again, the configuration file would help), where TUN is known for having better performance and less overhead than TAP.

So, to sum it up ... you don't provide much information for us to work on ... and to be frank, this discussion sounds like it belongs more on the openvpn-us...@lists.sourceforge.net list and not the development list, at this point.

kind regards,

David Sommerseth