problem s vykonem openvpn tunelu

[ntz_reloaded]

ahoj,

mam problem ze ktereho jsem uz docela zoufalej a resim ho asi 3 dny .. mam server s verejnou ip, na kterem bezi openvpn a kterej je konfigurovanej jako router .. vypada to tedy takto:

Client <---internet---> Router <---LAN---> Hosts

kdyz se pripojim pres ssh z Clienta na server (na verejnou ip) a nebo na Hosta (kdyz tuneluju pomoci ssh -L pres router) tak bezi vse v pohode, ale kdyz navazu openvpn spojeni a:

a) pripojim se z Clienta na LAN adresu Routeru (pres vpn tunel), tak je vse v pohode
b) kdyz se pripojim pomoci ssh na lan adresu libovolneho Hosta (a nebo nejdriv ssh na Router na lan a odtud ssh na Hosta) tak mam nejakou degradovanou performance

tzn mam degradovanou performance pokud server forwarduje/masqueradi z LAN do tun0 (eg VPN tunnel) .. zkousel jsem si hrat s MTU a fragmentaci a bez vysledku ..

jak se prosim tuni ten tun tunnel ? co tam nastavit v ramci tcp/ip stacku ?

- openvpn bezi na udp (proto udp)
- v etc/sysctl.conf je navic:

Kód: [Vybrat]

net.ipv6.conf.all.disable_ipv6 = 1
vm.swappiness = 10
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_sack = 0
net.ipv4.tcp_window_scaling = 1
diky, ntz

[jmp]

mno, to jsem zvědavej, jestli se někdo schopnej poradit vůbec najde...

btw: tohle je SW záležitost (okolo tun0) - jak to zvládá procesor, když pro jeden provoz počítá několik šifrování?

EDIT: netuším, jestli to bude přínosné...
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

[ntz_reloaded]

no, vzhledem k tomu, ze zatim jedu v testovacim rezimu tak k tomu neni pripojeno moc useru a cpu by nemel bejt problem ..

Kód: [Vybrat]

13:14:01.207186 IP 192.168.68.1 > cpcertifikace-db: ICMP 10.168.68.6 unreachable - need to frag (mtu 1500), length 556
13:14:01.415941 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 224342:225698, ack 4198, win 56, options [nop,nop,TS val 506277366 ecr 196780644], length 1356
13:14:01.419068 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 225698, win 947, options [nop,nop,TS val 196780855 ecr 506277366], length 0
13:14:01.626940 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 225698:227054, ack 4198, win 56, options [nop,nop,TS val 506277577 ecr 196780855], length 1356
13:14:01.630052 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 227054, win 947, options [nop,nop,TS val 196781066 ecr 506277577], length 0
13:14:01.630160 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 232478:235190, ack 4198, win 56, options [nop,nop,TS val 506277580 ecr 196781066], length 2712
13:14:01.630174 IP 192.168.68.1 > cpcertifikace-db: ICMP 10.168.68.6 unreachable - need to frag (mtu 1500), length 556
13:14:01.836928 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 227054:228410, ack 4198, win 56, options [nop,nop,TS val 506277787 ecr 196781066], length 1356
13:14:01.839783 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 228410, win 947, options [nop,nop,TS val 196781276 ecr 506277787], length 0
13:14:02.045958 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 228410:229766, ack 4198, win 56, options [nop,nop,TS val 506277996 ecr 196781276], length 1356
13:14:02.048768 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 229766, win 947, options [nop,nop,TS val 196781485 ecr 506277996], length 0
13:14:02.048875 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 235190:237902, ack 4198, win 56, options [nop,nop,TS val 506277998 ecr 196781485], length 2712
13:14:02.048889 IP 192.168.68.1 > cpcertifikace-db: ICMP 10.168.68.6 unreachable - need to frag (mtu 1500), length 556
13:14:02.253960 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 229766:231122, ack 4198, win 56, options [nop,nop,TS val 506278204 ecr 196781485], length 1356
13:14:02.256907 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 231122, win 947, options [nop,nop,TS val 196781693 ecr 506278204], length 0
13:14:02.462927 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 231122:232478, ack 4198, win 56, options [nop,nop,TS val 506278413 ecr 196781693], length 1356
13:14:02.466101 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 232478, win 947, options [nop,nop,TS val 196781902 ecr 506278413], length 0
13:14:02.466198 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 237902:240614, ack 4198, win 56, options [nop,nop,TS val 506278416 ecr 196781902], length 2712
13:14:02.466212 IP 192.168.68.1 > cpcertifikace-db: ICMP 10.168.68.6 unreachable - need to frag (mtu 1500), length 556
13:14:02.670957 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 232478:233834, ack 4198, win 56, options [nop,nop,TS val 506278621 ecr 196781902], length 1356
13:14:02.673990 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 233834, win 947, options [nop,nop,TS val 196782111 ecr 506278621], length 0
13:14:02.878974 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 233834:235190, ack 4198, win 56, options [nop,nop,TS val 506278829 ecr 196782111], length 1356
13:14:02.881770 IP 10.168.68.6.60197 > cpcertifikace-db.ssh: Flags [.], ack 235190, win 947, options [nop,nop,TS val 196782318 ecr 506278829], length 0
13:14:02.881882 IP cpcertifikace-db.ssh > 10.168.68.6.60197: Flags [.], seq 240614:243326, ack 4198, win 56, options [nop,nop,TS val 506278831 ecr 196782318], length 2712
13:14:02.881909 IP 192.168.68.1 > cpcertifikace-db: ICMP 10.168.68.6 unreachable - need to frag (mtu 1500), length 556
^^ kousek z tcpdumpu na serveru

je tam pomerne hodne tomo ICMP unreachable .. nechapu proc .. tohle je na serveru ``tcpdump -i $LAN_DEV host 192.168.68.3'' kde 192.168.68.3 == cpcertifikace-db .. na samotnem hostu cpcertifikace delam onen ``cat /nejakej/1MB/plaintext'' .. 10.168.68.6 je samozrejme vpn adresa klienta

moc nechapu, proc tam tak divne na konci skace ta delka ..

[ntz_reloaded]

podle me tam je nejakej specifickej problem s tim tun0 ..

jo, jeste dulezita vec, cela infra je v ESX:

Kód: [Vybrat]

##server:

# lspci | grep net
02:00.0 Ethernet controller: Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) (rev 01)
0b:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)


##host za routerem
$ /sbin/lspci  | grep net
0b:00.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
^^ pokud by te zajimalo proc ma server kazdou sitovku jinou, tak ono nam to prasilo s tou vmxnet pripojenou do fyzicky site, proto to e1000 na druhem rozhrani .. to vmxnet je dobre mezi sebou, ne bindovane na fyzickej NIC

[jmp]

imho stejné příznaky
http://www.vyatta.org/node/3985

EDIT: případně může být původcem VMware
http://www.astaro.org/gateway-products/essential-firewall-edition-free-business-use/38918-dnat-issue-mtu.html

[ntz_reloaded]

asi to uz mam .. to urcite dela ta devka (esx):

Kód: [Vybrat]

# traceroute -n 192.168.68.3
traceroute to 192.168.68.3 (192.168.68.3), 30 hops max, 40 byte packets using UDP
 1  10.168.68.1 (10.168.68.1)  2.520 ms   2.064 ms   2.065 ms
 2  192.168.68.3 (192.168.68.3)(H!)  2.359 ms (H!)  2.077 ms (H!)  2.119 ms


# traceroute -n 192.168.68.3
traceroute to 192.168.68.3 (192.168.68.3), 30 hops max, 40 byte packets using UDP
 1  10.168.68.1 (10.168.68.1)  2.181 ms   2.372 ms   2.683 ms
 2  192.168.68.3 (192.168.68.3)(H!)  2.938 ms * *

###### using ICMP

# traceroute -In 192.168.68.3
Note: the -i and -I options were exchangedfor compability with LBL traceroute
Use -I for ICMP, and -i <ifname> to specify the interface name
traceroute to 192.168.68.3 (192.168.68.3), 30 hops max, 40 byte packets using ICMP
 1  10.168.68.1 (10.168.68.1)  5.691 ms   4.654 ms   3.581 ms
 2  192.168.68.3 (192.168.68.3)  3.590 ms   2.510 ms   2.527 ms


# traceroute -In 192.168.68.3
Note: the -i and -I options were exchangedfor compability with LBL traceroute
Use -I for ICMP, and -i <ifname> to specify the interface name
traceroute to 192.168.68.3 (192.168.68.3), 30 hops max, 40 byte packets using ICMP
 1  10.168.68.1 (10.168.68.1)  2.561 ms   2.548 ms   2.333 ms
 2  192.168.68.3 (192.168.68.3)  7.316 ms   6.261 ms   5.394 ms
^^ to je z Clenta na Host pres Router .. tady vidis u udp H! == host unreachable .. kdyz zaroven dam na klientu tcpdump tak vidim:

Kód: [Vybrat]

# tcpdump -i tun0 host 192.168.68.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
15:29:02.570099 IP 10.168.68.6.64000 > 192.168.68.3.traceroute: UDP, length 40
15:29:02.571186 IP 10.168.68.6.64001 > 192.168.68.3.33435: UDP, length 40
15:29:02.572259 IP 10.168.68.6.64002 > 192.168.68.3.33436: UDP, length 40
15:29:02.573342 IP 10.168.68.6.64003 > 192.168.68.3.33437: UDP, length 40
15:29:02.574427 IP 10.168.68.6.64004 > 192.168.68.3.33438: UDP, length 40
15:29:02.575517 IP 10.168.68.6.64005 > 192.168.68.3.33439: UDP, length 40
15:29:02.576603 IP 10.168.68.6.64006 > 192.168.68.3.33440: UDP, length 40
15:29:02.577102 IP 10.168.68.6.64007 > 192.168.68.3.33441: UDP, length 40
15:29:02.578131 IP 10.168.68.6.64008 > 192.168.68.3.33442: UDP, length 40
15:29:02.579234 IP 10.168.68.6.64009 > 192.168.68.3.33443: UDP, length 40
15:29:02.579341 IP 10.168.68.6.64010 > 192.168.68.3.33444: UDP, length 40
15:29:02.580371 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:02.580427 IP 10.168.68.6.64011 > 192.168.68.3.33445: UDP, length 40
15:29:02.581103 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:02.581156 IP 10.168.68.6.64012 > 192.168.68.3.33446: UDP, length 40
15:29:02.582102 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:02.583778 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:02.584126 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:02.584588 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:06.975088 IP 10.168.68.6.64000 > 192.168.68.3.traceroute: UDP, length 40
15:29:06.976171 IP 10.168.68.6.64001 > 192.168.68.3.33435: UDP, length 40
15:29:06.977248 IP 10.168.68.6.64002 > 192.168.68.3.33436: UDP, length 40
15:29:06.978333 IP 10.168.68.6.64003 > 192.168.68.3.33437: UDP, length 40
15:29:06.979415 IP 10.168.68.6.64004 > 192.168.68.3.33438: UDP, length 40
15:29:06.980500 IP 10.168.68.6.64005 > 192.168.68.3.33439: UDP, length 40
15:29:06.981612 IP 10.168.68.6.64006 > 192.168.68.3.33440: UDP, length 40
15:29:06.981830 IP 10.168.68.6.64007 > 192.168.68.3.33441: UDP, length 40
15:29:06.982850 IP 10.168.68.6.64008 > 192.168.68.3.33442: UDP, length 40
15:29:06.983802 IP 10.168.68.6.64009 > 192.168.68.3.33443: UDP, length 40
15:29:06.984900 IP 10.168.68.6.64010 > 192.168.68.3.33444: UDP, length 40
15:29:06.985069 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:06.985154 IP 10.168.68.6.64011 > 192.168.68.3.33445: UDP, length 40
15:29:06.986027 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:06.986096 IP 10.168.68.6.64012 > 192.168.68.3.33446: UDP, length 40
15:29:06.987181 IP 10.168.68.6.64013 > 192.168.68.3.33447: UDP, length 40
15:29:06.987334 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:06.988338 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:07.961920 IP 10.168.68.6.64000 > 192.168.68.3.traceroute: UDP, length 40
15:29:07.963007 IP 10.168.68.6.64001 > 192.168.68.3.33435: UDP, length 40
15:29:07.964081 IP 10.168.68.6.64002 > 192.168.68.3.33436: UDP, length 40
15:29:07.965166 IP 10.168.68.6.64003 > 192.168.68.3.33437: UDP, length 40
15:29:07.966251 IP 10.168.68.6.64004 > 192.168.68.3.33438: UDP, length 40
15:29:07.967336 IP 10.168.68.6.64005 > 192.168.68.3.33439: UDP, length 40
15:29:07.968414 IP 10.168.68.6.64006 > 192.168.68.3.33440: UDP, length 40
15:29:07.968613 IP 10.168.68.6.64007 > 192.168.68.3.33441: UDP, length 40
15:29:07.969631 IP 10.168.68.6.64008 > 192.168.68.3.33442: UDP, length 40
15:29:07.970576 IP 10.168.68.6.64009 > 192.168.68.3.33443: UDP, length 40
15:29:07.971663 IP 10.168.68.6.64010 > 192.168.68.3.33444: UDP, length 40
15:29:07.971955 IP 192.168.68.3 > 10.168.68.6: ICMP host 192.168.68.3 unreachable - admin prohibited, length 76
15:29:07.972031 IP 10.168.68.6.64011 > 192.168.68.3.33445: UDP, length 40
15:29:07.973119 IP 10.168.68.6.64012 > 192.168.68.3.33446: UDP, length 40
15:29:07.974205 IP 10.168.68.6.64013 > 192.168.68.3.33447: UDP, length 40
15:29:07.975291 IP 10.168.68.6.64014 > 192.168.68.3.33448: UDP, length 40
15:29:07.976378 IP 10.168.68.6.64015 > 192.168.68.3.33449: UDP, length 40
15:29:07.977469 IP 10.168.68.6.64016 > 192.168.68.3.33450: UDP, length 40
15:29:07.978554 IP 10.168.68.6.64017 > 192.168.68.3.33451: UDP, length 40
15:29:07.979634 IP 10.168.68.6.64018 > 192.168.68.3.33452: UDP, length 40
15:29:07.980712 IP 10.168.68.6.64019 > 192.168.68.3.33453: UDP, length 40
15:29:07.981788 IP 10.168.68.6.64020 > 192.168.68.3.33454: UDP, length 40
^C
59 packets captured
59 packets received by filter
0 packets dropped by kernel
^^ takze tady nejak *sucks patrne layer 2 filtering (mozna spatna VLAN - zarezava to udp)  .. ze zacatku mi to prislo jak duplicita na urovni MAC adresy ..

uz jsem napsal request na provozovatele esx severu at se koukne na ten layer 2 a nastaveni VLAN ..

no to je hnus

ntz

ps. jinak diky jmp++

[ntz_reloaded]

btw .. JFYI ted jsem hledal nejake sve drivejsi vpn pribuzne prispevky a zde jsem ani nenapsal reseni ..

moje problemy s vykonem byly zpusobeny tim, ze v tom ESX to delalo neco spatne s tema virtualnima sitovkama a bylo nutno vypnout "tso" a "gso" pomoci ethtool ..

Kód: [Vybrat]

# ethtool -k eth0 | grep segmentation-off
tcp-segmentation-offload: on
generic-segmentation-offload: on
^^ tedy tohle .. zde je to zapnute, bylo potreba to dat na off pokud to melo komunikovat z ESX virtualniho segmentu do fyzickeho segmentu pouze na tech interfaces, ktere jdou "ven" z ESX ..

[jmp]

u těch vm je to nezávisle na tom, zda se emuluje intel nebo se použije vmxnet3?

[ntz_reloaded]

u těch vm je to nezávisle na tom, zda se emuluje intel nebo se použije vmxnet3?

pokud si dobre pamatuju tak ano .. je to nejakou dobu dozadu ale vzpominam si, ze jsem zkousel obe e1000 i vxnet

[jmp]

to je pěkně záludné...
dík za info

[Petr Merlin Vaněček]

Hmhm, tenhle thread jsem přehlédl