OpenVPN packet drops

I recently started to notice the following error messages on my OpenVPN server.

ovpn-server[6306]: vpn.rootspirit.com/85.234.x.y:62068 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)

This basically means that the TUN or TAP interface is producing packets faster than the real (TCP) interface can send them.

As I need to run OpenVPN using the TCP protocol (instead of the faster UDP protocol, as UDP is often blocked in networks I use my VPN in), I experimented by increasing the tcp-queue-limit. The default is 64, and I’ve set it to 256. So far, everything still seems to be working fine (but more packets will be queued before being dropped by OpenVPN, requiring fewer retransmissions).

Add this to the OpenVPN server config:

tcp-queue-limit 256

And restart the daemon.
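
To check whether the larger queue actually reduced the drops, count the saturation messages per client over the same time window before and after the change. This is an added example, not part of the original post; the syslog timestamp prefix, client names and addresses in the sample lines are constructed.

```python
import re
from collections import Counter

# Client label is "name/ip:port"; the trailing parenthesis names the OpenVPN
# function that dropped the packet (multi_process_incoming_tun in the post).
DROP_RE = re.compile(
    r"ovpn-server\[\d+\]: (?P<client>\S+)/(?P<addr>\S+):(?P<port>\d+) "
    r"MULTI: packet dropped due to output saturation \((?P<func>\w+)\)"
)

def count_saturation_drops(lines):
    """Count saturation drops per (client name, dropping function)."""
    drops = Counter()
    for line in lines:
        m = DROP_RE.search(line)  # search() tolerates a syslog timestamp prefix
        if m:
            drops[(m.group("client"), m.group("func"))] += 1
    return drops

def compare(before, after):
    """Change in drop count per key between two samples of equal duration."""
    b, a = count_saturation_drops(before), count_saturation_drops(after)
    return {key: a[key] - b[key] for key in sorted(set(a) | set(b))}

def sample_line(client, addr):
    """Build a constructed log line in the format quoted in the post."""
    return (f"Mar  3 10:15:01 gw ovpn-server[6306]: {client}/{addr} MULTI: "
            "packet dropped due to output saturation (multi_process_incoming_tun)")

# Constructed samples: same time window before and after raising tcp-queue-limit.
SAMPLE_BEFORE = [
    sample_line("client-a", "192.0.2.10:62068"),
    sample_line("client-a", "192.0.2.10:62068"),
    sample_line("client-b", "192.0.2.20:40112"),
    "Mar  3 10:15:02 gw ovpn-server[6306]: unrelated line (constructed)",
]
SAMPLE_AFTER = [sample_line("client-a", "192.0.2.10:62068")]

if __name__ == "__main__":
    for (client, func), delta in compare(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{client:10} {func:28} {delta:+d}")
```

A negative delta means fewer drops after the change; clients whose count does not fall are the ones still saturating the TCP link.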

4 comments

  1. Oso says:

    Hi, Tuinslak – I was having your very same problem on an L2 VPN, apparently because of an imbalance between both links. I followed your suggestion, for queue lengths ranging from 256 to 1024…

    Now the link is a bit more stable, but I keep seeing (snip heavily applied)

    MBUF: mbuf packet dropped
    --mute triggered…
    Connection reset, restarting [-1] …
    SIGUSR1[soft,connection-reset] received, client-instance restarting

    When this shows up, some 5 to 15 pings through the link are dropped, and then the VPN reconnects. Better than before but it still could get better.

    I can’t find any reference to this message. How did you do with tcp-queue-limit?

    Thank you in advance

  2. Tuinslak says:

    Hi Oso,

    I’m now using OpenVPN for 10ish clients without any issues. However, I did move from a Xen Ubuntu virtual machine to a Debian virtual machine in a different location.

    I had major connection issues with OpenVPN on that Ubuntu server over a UDP link. Random disconnects; http://serverfault.com/questions/163879/openvpn-randomly-disconnects-refuses-to-reconnect.

    I’m not quite sure about your issue, if it’s the same as my issue on serverfault or not. However, that issue on serverfault I never managed to resolve, but I have not been able to reproduce it on a different machine.

    I also vaguely remember having issues with certain clients when running OpenVPN over TCP. A lot of 3G/ADSL clients had issues with speed (<10kb/s). It had something to do with MTU size problems and packets being dropped, but I don’t think it was that error.

    Sorry I could not be of more help though.

    Regards,
    Yeri

  3. I’ve been experimenting with two TCP OpenVPNs over a provider with an ECMP-enabled kernel and some additional prerouting and output mangling to make traffic interface-sticky. Currently I’m experiencing this; for the other side this gets logged as:
    /: [] Inactivity timeout (--ping-restart), restarting
    That is, with a pretty short keepalive (5 15 iirc). I’m considering stepping over to UDP since even with tcp-queue-window 2048 it dies at 25Mbit.

  4. Yeri Tiete says:

    Yes, I’m using UDP now more often as well. TCP causes issues.
