Boosting speed of OpenVPN connections

This year (2016) and last year, a few new laws were introduced by Cameron’s government, so I decided to get myself a VPN. First, I tried a lifetime TigerVPN for 30$, nice deal. Unfortunately, TigerVPN doesn’t fully support the Linux OpenVPN implementation. The connection is dropped when reaching ~900kb/s upload+download; network-manager reports that the server timed out, and it never reconnects due to… an authentication problem.

So I started looking for other affordable solutions. The two biggest competitors are PIA and TorGuard. I started reading discussions on reddit about those two, and it seems there are very few differences. I was given a rolling promotion code for TorGuard, a 50% discount code that can be used after my 2-year-long service comes to an end. It’s good.

After I started using TorGuard on my Arch setup, I found it problematic. At first I thought TalkTalk might be throttling my connection speed, as it’s known to be one of the worst providers. The problem existed when I tested my VPS; pings still high, increased from 40ms to 240ms. So the problem could lie in the TorGuard service, but… well… It’s known to be one of the best, so I doubted it. I started to dig into the OpenVPN client configuration. First in Network-Manager, but its UI is really poor, so it was not worth it. The default .conf file from TorGuard is very generic. Too generic, I think.

So first, check what your MTU is. It’s important not to make it too large:

➜  ~  ping -M do -s 1600 gr.torguardvpnaccess.com
PING gr.torguardvpnaccess.com (195.122.150.131) 1600(1628) bytes of data.
ping: local error: Message too long, mtu=1500
ping: local error: Message too long, mtu=1500
^C
--- gr.torguardvpnaccess.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
 
➜  ~  ping -M do -s 1472 gr.torguardvpnaccess.com
PING gr.torguardvpnaccess.com (195.122.150.131) 1472(1500) bytes of data.
^C
--- gr.torguardvpnaccess.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms

1472 works for me.

tun-mtu 1472
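
An added example, not part of the original post: a shell helper that automates the `ping -M do -s` probing shown above and tells apart the three outcomes a probe can have (reply received, packet rejected as too big, no answer at all). The function names and the `PROBE` override are hypothetical; it assumes Linux iputils `ping` and a target that answers ICMP echo.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that passes with DF set.
# Usage: max_payload gr.torguardvpnaccess.com 1200 1600
# PROBE may name a replacement probe function (used for offline testing).

# Classify ping output read on stdin: fits | too_big | unknown.
classify_probe() {
    awk '
        /[Mm]essage too long|Frag needed/ { big = 1 }
        / bytes from /                    { ok = 1 }
        END {
            if (big)     print "too_big"
            else if (ok) print "fits"
            else         print "unknown"  # no reply and no error: proves nothing
        }'
}

# real_probe HOST SIZE: one echo request with DF set, 2 s timeout.
real_probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" 2>&1 | classify_probe
}

# max_payload HOST LO HI: binary search for the largest size that "fits".
# "unknown" counts as failure, so a host that drops ICMP yields LO-1.
max_payload() {
    host=$1 lo=$2 hi=$3 best=$(( $2 - 1 ))
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if [ "$("${PROBE:-real_probe}" "$host" "$mid")" = fits ]; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Payload + 28 bytes (20 IPv4 header + 8 ICMP header) = packet size,
# matching the "1472(1500)" that ping prints.
payload_to_mtu() { echo $(( $1 + 28 )); }
```

A result of LO-1 means no probe in the range drew a reply, so pick a target that answers ICMP echo before trusting the number.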

If you can sacrifice a bit of CPU usage for data compression, then add:

comp-lzo

If you care about encryption level, TCP will offer a better one, but UDP will work faster, so it’s up to you to change the proto udp line to proto tcp. Also, if you choose TCP, add this line:

tcp-nodelay

Another important thing is to set up buffers for incoming and outgoing data transfers using sndbuf and rcvbuf. Those buffers can drastically decrease speed limits, especially on WiFi, which I’m using.

Adding those two lines decreased my pings from ~240ms back to ~55ms, which I think is pretty good.

sndbuf 0
rcvbuf 0

When those two fields are set to 0, OpenVPN will use system buffers for data transmission instead of its own. You can also try getting bigger buffers from the server if such configuration is available, using:

sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"

My full config for TorGuard looks like this:

client
dev tun
proto udp
tls-version-min 1.2
remote YOUR OPENVPN SERVER PORT
resolv-retry infinite
remote-cert-tls server
nobind
tun-mtu 1472
tun-mtu-extra 32
sndbuf 0
rcvbuf 0
persist-tun
tcp-nodelay
mssfix 1450
ca ca.crt
auth-user-pass
comp-lzo
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3

While you’re still here, I would like to recommend the list of security tips for OpenVPN.

  • why using a VPN why spending ur money on a worthless deal. VPN is not a good nor the best solutions , and the main problem of it = u cant know if the VPN provider will delete ur logs or not. and many other issues regarding privacy/anonymity…

    so i wonder why dont u use Tor ? for example if u want to use a Torified OS u can have Whonix for persistent work , or if u r moving from place to place between different countries and cities u can also have Tails as torified amnesic OS live DVD or USB.

    or use basic TBB (Tor Browser Bundle) inside ur OS

    or install Tor (not TBB) and use proxychains with it = u can torify any app

    or install Tor and use it with privoxy

    if u dont like Torproject at all (maybe u have problems with it) u can use I2P .

    and all of these option r for FREE and FOREVER.

    im TNT BOM BOM from Whonix community.

    if u need any help regarding anonymity , dont be shy to ask. ;)

    • agilob

      I know quite a lot about Tor and I2P (my website is available on Tor) and my Tor node takes ~4TB each month, so I don’t have any question ;)

      I’m fully aware of problems with VPNs and I read a lot about it in many places, but the real question is who do you trust more? A company that you can sue or anonymous people/government who setup exit nodes? A lot of exit nodes inject JS into your http traffic, malware to binary files and listen to your traffic. Even more governments are more interested in exit nodes traffic than anything else, so if you use Tor daily, you ask to be under surveillance. Tor browser is crap for daily usage, it’s worse than browsers in 2002. If you use https-everywhere, darkweb-everywhere, µblock or any other add-on, your traffic is different than other traffic, which means, it’s easier to identify and track you. I2P is a separate networked eco-system, that’s quite close to what the internet looked like in 1997. So… thanks, but no thanks.

  • > but the real question is who do you trust more? A company that you can sue or anonymous people/government who setup exit nodes? A lot of exit nodes inject JS into your http traffic, malware to binary files and listen to your traffic. Even more governments are more interested in exit nodes traffic than anything else, so if you use Tor daily, you ask to be under surveillance.

    of course ppl/governments/aliens maybe animals who setup exit nodes , traffics which is reaching to the exit node is encrypted and not a big problem if the government even controlled the exit node.

    and regarding the exit node could be used to manipulate ur traffic or injecting this and that. well if u said that before 2-3 year i will tell u yes u r right but not today , Tor project came up with many ideas&solutions regarding how to secure nodes for users. one of the simplest solutions which is friendly information gathering from each node , publicly viewing ur nodes , impossibility to connect to the same place within one chain of connection , increasing the guardian encryption ………….etc

    these enhancements mostly came up after 2014 specially silk-road down and until now and they r still in continuous improvement.

    e.g:-

    ExoneraTor
    https://exonerator.torproject.org/

    Tor Metrics
    https://metrics.torproject.org/

    Compass
    https://compass.torproject.org/

    Atlas
    https://atlas.torproject.org/

    ……………..etc.

    so comparing Tor networks to VPN is really misunderstanding to what is Tor capabilities r. i dont think i need to give some info about VPN anonymity bizarre protection.

    > Tor browser is crap for daily usage, it’s worse than browsers in 2002. If you use https-everywhere, darkweb-everywhere, µblock or any other add-on, your traffic is different than other traffic, which means, it’s easier to identify and track you.

    yes u mean fingerprints , thats correct but why even using all these add-ons? using the default add-ons r good to make u safe through surfing (https-everywhere , noscript).

    in conclusion: Tor has many developers working on it (some of them with experience of 30 years) , millions using it = so its the safest tool created for anonymity in the history of development.

    BUT be aware that u r using human made tool not god tool , which mean for sure there r usage limitations , attacks that Tor cant defend , bugs ….etc and this is expected and accepted in the field of technology.

    an advise:- if u r insisting on using a VPN , then use openvpn.

    pleasure talking to u (f)

    • agilob

      Yes, quality of Tor network is increasing but there are still problems of malicious nodes, and yes, they still exist: https://threatpost.com/researcher-finds-tor-exit-node-adding-malware-to-binaries/109008/ (Nov 2014).

      > traffics which is reaching to the exit node is encrypted and not a big problem if the government even controlled the exit node.

      I didn’t mean HS (end-to-end encrypted traffic), but clearnet traffic leaving exit node. Unless it’s https, it’s not encrypted and can be easily manipulated, tracked and monitored.

      >yes u mean fingerprints , thats correct but why even using all these add-ons? using the default add-ons r good to make u safe through surfing (https-everywhere , noscript).

      Yes, default addons are good, but they miss (any) adblocker, fun fact, once my sister got notification from antivirus that youtube.com contained malware, a few weeks later I read news that 3rd party company had malicious ads on youtube. adblocker is essential in clearnet since 2013 for me, it’s a pity that TBB doesn’t come with µmatrix, µblock or adb+. It would speed up tor->clearnet connections by removing a lot of useless content that no one wants to see.

      >an advise:- if u r insisting on using a VPN , then use openvpn.

      The post is about OpenVPN on tcp ;)

      Tor is getting better, but it needs a lot work dedicated to humans, not technical people, we need more blogs, news sites, forums (no CP) in the darknet. I think (no measures) I2P has more personal blogs on I2P than Tor, I2P is ten times smaller than Tor and they did better job. You have personal blogs about IT, cooking, travelling, security, forums, torrent trackers and more… EFF has a campaign where they paid with tshirts for setting up tor nodes, in fact, they should make a campaign for setting up own websites on Tor. People would contribute to both, number of relaying nodes + more SFW stuff.

      Thanks for commenting :)

  • > Yes, quality of Tor network is increasing but there are still problems of malicious nodes, and yes, they still exist: https://threatpost.com/researcher-finds-tor-exit-node-adding-malware-to-binaries/109008/ (Nov 2014).

    yeah correct , in 2014 it was a messy year regarding nodes.

    > I didn’t mean HS (end-to-end encrypted traffic), but clearnet traffic leaving exit node. Unless it’s https, it’s not encrypted and can be easily manipulated, tracked and monitored.

    oh i c , then yes u r correct because Tor has limitation regarding this issue. but this issue doesnt count on Tor only , but also on the clearnet idiots providers who r rejecting to encrypt the clearnet. (btw letsEncrypt project is meant to solve this issue inside the clearnet websites)

    > Yes, default addons are good, but they miss (any) adblocker, fun fact, once my sister got notification from antivirus that youtube.com contained malware, a few weeks later I read news that 3rd party company had malicious ads on youtube. adblocker is essential in clearnet since 2013 for me, it’s a pity that TBB doesn’t come with µmatrix, µblock or adb+. It would speed up tor->clearnet connections by removing a lot of useless content that no one wants to see.

    then use Tails , their TBB (Tor Browser Bundle) is modified and it comes with adblock plus by default. and ur fingerprints will match every Tails user (but not basic TBB/Whonix).
    and i c that u r using the king of viruses Windows OS = which is very bad idea to think about anonymity inside it.

    > The post is about OpenVPN on tcp ;)

    yeah i meant stick to openvpn , dont try alternatives. (u can even use it with Tor)

    > I think (no measures) I2P has more personal blogs on I2P than Tor, I2P is ten times smaller than Tor and they did better job.

    both Tor & I2P having advantages and disadvantages regarding useability , anonymity , load-ability…etc

    i have read a lot of debates which is better I2P or Tor , in conclusion = u cant say this one is better than this one regarding major things. but with minors yes correct.

    > Thanks for commenting :)

    you're welcome :)