Hi,
On 09/11/17 11:08, Gof via Openvpn-users wrote:
>> you're using bridging + tap + proto tcp + port sharing on a VPS and are
>> expecting good latency? hmmm.... there are many reasons why that combination
>> will NOT give you any performance.
>
> Bridge is used only to link TCP and UDP clients. All client machines are
> mine and used by me alone, and 99% of the time don't generate any traffic,
> they're only there so I can log into them. During my tests I used only these
> two machines I did the test on.
> Why tap might be a worse idea than tun?

tap has a slightly higher overhead compared to tun, but it would not
explain the high latency during a transfer.

> As to port sharing, I can disable it, but isn't it used only during initial
> handshake?
> As to the bridge, TAP and VPS, it performs very well with UDP-connected
> clients, so I suspect TCP alone...
>
>> However, I see an increase in ping time in my setup as well:
>> - udp
>> - tun
>
> This increase (from 0.6ms to 4ms) is normal and perfectly acceptable... but
> not to 3000ms, it definitely isn't only encryption/decryption latency...

As Gert was pointing out already, it's mostly related to the nature of
TCP traffic.
The good news is: I can reproduce what you are seeing at home (ADSL) as
well:
- I'm connecting to a server at work over TCP
- without any load the ping times are ~7 ms, which is actually quite
good for ADSL
- when I run a long iperf session and then do a ping in the background,
the ping times go up to 800+ ms, then once the iperf is done, the ping
times go down again
The bad news: that's just the way it is with OpenVPN over TCP, I guess.
There are no parameters to tweak that would help (--tcp-nodelay makes
things *worse*, for example). I also suspect that you (and I) are being
hit with TCP congestion & recovery delays: when the transfer is
"interrupted" by an ICMP packet then the TCP window is reset to a much
lower value and the transfer is throttled. This is normal TCP behaviour.
However, I suspect that this throttling leads to some form of
TCP-over-TCP congestion which then blows out the entire link, causing
ping times to go through the roof.
The only thing you can do is to run something like Traffic Control (tc)
on the link to prioritize low latency traffic compared to bulk
downloads. If I throttle my iperf session to use 80% of the maximum link
speed then the ping times remain much lower. When the link is "100%
full" with TCP traffic then the ping times increase 100-fold.
HTH,
JJK
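
One way to set up the shaping suggested in the message above, as an added example that is not part of the original post: a script that prints tc commands capping a tunnel device at 80% of the uplink and giving ICMP its own high-priority class. The device name `tap0`, the 1000 kbit/s uplink, the HTB/SFQ layout and the 10% guarantee for ICMP are assumptions; classification is done on the tunnel device because on the physical interface the tunnel is a single encrypted TCP stream.

```shell
#!/bin/sh
# Added example (not from the original post). Prints tc commands only;
# nothing on the system is changed until the output is run as root.
# Shapes egress into the tunnel on this host; the peer needs the same
# treatment for the opposite direction.

# shaper_cmds DEV LINK_KBIT [PERCENT]
#   DEV        tunnel device, e.g. tap0 (assumed name)
#   LINK_KBIT  measured uplink speed in kbit/s (assumed value below)
#   PERCENT    share of the uplink the tunnel may use (default 80)
shaper_cmds() {
    dev=$1; link=$2; pct=${3:-80}
    [ -n "$dev" ] || { echo "device required" >&2; return 1; }
    for n in "$link" "$pct"; do
        case $n in
            ''|*[!0-9]*) echo "rate and percent must be integers" >&2; return 1;;
        esac
    done
    [ "$pct" -ge 1 ] && [ "$pct" -le 100 ] || { echo "percent must be 1-100" >&2; return 1; }

    ceil=$(( link * pct / 100 ))   # total rate the tunnel may use
    fast=$(( ceil / 10 ))          # guaranteed rate for the low-latency class
    [ "$fast" -ge 1 ] || { echo "link rate too low to split" >&2; return 1; }
    bulk=$(( ceil - fast ))        # guaranteed rate for everything else

    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${ceil}kbit ceil ${ceil}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${fast}kbit ceil ${ceil}kbit prio 0
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${ceil}kbit prio 1
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:10
EOF
}

# Constructed sample values: tap0 on a 1000 kbit/s uplink, capped at 80%.
shaper_cmds tap0 1000
```

Review the printed commands, then pipe the output to `sh` as root to apply them; `tc -s class show dev tap0` shows whether ICMP is landing in class 1:10.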