This year (2016) and last year, a few new laws were introduced by Cameron’s government, so I decided to get myself VPN. First, I tried a lifetime TigerVPN for 30$, nice deal. Unfortunately, TigerVPN doesn’t fully support Linux OpenVPN implementation. Connection is dropped when reaching ~900kb/s upload+download; network-manager tells that server time outed and it never reconnects due to… an authentication problem.
So I started looking for other affordable solutions. Two biggest competitors are PIA and TorGuard. I started reading discussions on reddit about those two, and it seems, there are very little differences. I was given a rolling promotion code for TorGuard, a 50% discount code that can be used after my 2 years long service comes to an end. It’s good.
After I started using TorGuard on my Arch setup, I found it problematic, first I thought TalkTalk might be throttling my connection speed, as it’s known to be one of the worst providers. The problem exited when I tested my VPS; pings still high, increased from 40ms to 240ms. So the problem could lie in TorGuard service, but… well… It’s known to be one of the best, so I doubted it. I started to dig into the OpenVPN client configuration. First in Network-Managers, but its UI is really poor, so it was not worth it. The default .conf file from TorGuard is very generic. Too generic, I think.
So first, check what is your MTU. It’s important to make it not too long:
➜ ~ ping -M do -s 1600 gr.torguardvpnaccess.com PING gr.torguardvpnaccess.com (18.104.22.168) 1600(1628) bytes of data. ping: local error: Message too long, mtu=1500 ping: local error: Message too long, mtu=1500 ^C --- gr.torguardvpnaccess.com ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms ➜ ~ ping -M do -s 1472 gr.torguardvpnaccess.com PING gr.torguardvpnaccess.com (22.214.171.124) 1472(1500) bytes of data. ^C --- gr.torguardvpnaccess.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2007ms
1472 works for me.
If you can sacrifice a bit of CPU usage for data compression, then add:
If you care about encryption level, TCP will offer a better one, but UDP will work faster, so it’s up to you to change
proto udp line to proto tcp . Also, if you choose TCP, add this line:
Another important thing is to setup buffers for incoming and outgoing data transfers using sndbuf and rcvbuf. Those buffers can drastically decrease speed limits, especially on WiFi, which I’m using.
Adding those two lines decreased my pings from ~240ms back to ~55ms, which I think is pretty good.
sndbuf 0 rcvbuf 0
When those two fields are set to 0, OpenVPN will use system buffers for data transmission instead of its own. You can also try getting bigger buffers from the server if such configuration is available, using:
sndbuf 0 rcvbuf 0 push "sndbuf 393216" push "rcvbuf 393216"
My full config for TorGuard looks like this:
client dev tun proto udp tls-version-min 1.2 remote YOUR OPENVPN SERVER PORT resolv-retry infinite remote-cert-tls server nobind tun-mtu 1472 tun-mtu-extra 32 sndbuf 0 rcvbuf 0 persist-tun tcp-nodelay mssfix 1450 ca ca.crt auth-user-pass comp-lzo fast-io ping-restart 0 route-delay 2 route-method exe script-security 3 system mute-replay-warnings verb 3
While you’re still here, I would like to recommend you the list of security tips for OpenVPN.