Boosting speed of OpenVPN connections

This year (2016) and last year, a few new laws were introduced by Cameron’s government, so I decided to get myself a VPN. First, I tried a lifetime TigerVPN for $30, a nice deal. Unfortunately, TigerVPN doesn’t fully support the Linux OpenVPN implementation. The connection is dropped when reaching ~900kb/s upload+download; network-manager reports that the server timed out, and it never reconnects due to… an authentication problem.

So I started looking for other affordable solutions. The two biggest competitors are PIA and TorGuard. I started reading discussions on reddit about those two, and it seems there are very few differences. I was given a rolling promotion code for TorGuard, a 50% discount code that can be used after my 2-year-long service comes to an end. It’s good.

After I started using TorGuard on my Arch setup, I found it problematic. At first I thought TalkTalk might be throttling my connection speed, as it’s known to be one of the worst providers. The problem existed when I tested my VPS; pings were still high, increased from 40ms to 240ms. So the problem could lie in the TorGuard service, but… well… It’s known to be one of the best, so I doubted it. I started to dig into the OpenVPN client configuration. First in NetworkManager, but its UI is really poor, so it was not worth it. The default .conf file from TorGuard is very generic. Too generic, I think.

So first, check what your MTU is. It’s important not to make it too large:

➜  ~  ping -M do -s 1600 gr.torguardvpnaccess.com
PING gr.torguardvpnaccess.com (195.122.150.131) 1600(1628) bytes of data.
ping: local error: Message too long, mtu=1500
ping: local error: Message too long, mtu=1500
^C
--- gr.torguardvpnaccess.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
 
➜  ~  ping -M do -s 1472 gr.torguardvpnaccess.com
PING gr.torguardvpnaccess.com (195.122.150.131) 1472(1500) bytes of data.
^C
--- gr.torguardvpnaccess.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms

1472 works for me.

tun-mtu 1472
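
The manual probing above, automated as an added example (not code from the original post): it binary-searches the largest payload that gets an echo reply with the don't-fragment bit set, and reports an inconclusive result when the host answers no ICMP at all, which is what a run with 0 packets received looks like. The function names and the script name are hypothetical; `-c` and `-W` are Linux iputils ping options that do not appear on the page.

```shell
#!/bin/sh
# Added example: automate the "ping -M do -s SIZE" probing shown above.

# probe HOST SIZE: succeeds only if an echo reply comes back for a packet sent
# with the don't-fragment bit set. -M do and -s are the flags used on the page;
# -c 1 (one packet) and -W 1 (wait 1 s) are standard Linux iputils options.
probe() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# max_df_payload HOST [LOW] [HIGH]
# Binary-search the largest ICMP payload between LOW and HIGH that gets a reply.
# Exit status 2 means even LOW got no reply: the host probably filters ICMP,
# so silence at larger sizes proves nothing about the MTU.
# The body runs in a subshell "( )" so its variables stay local.
max_df_payload() (
    host=$1; lo=${2:-500}; hi=${3:-1472}
    if ! probe "$host" "$lo"; then
        echo "no reply at $lo bytes from $host: result inconclusive" >&2
        exit 2
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( ($lo + $hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid              # reply received: this size fits
        else
            hi=$(($mid - 1))     # local error or silent drop: too big
        fi
    done
    echo "$lo"
)

# path_mtu PAYLOAD: add the 20-byte IPv4 header and 8-byte ICMP header,
# matching the "1472(1500)" that ping prints.
path_mtu() { echo $(( $1 + 28 )); }

# Run as: sh probe-mtu.sh HOST   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    if payload=$(max_df_payload "$1"); then
        echo "largest unfragmented payload: $payload (path MTU $(path_mtu "$payload"))"
    fi
fi
```
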

If you can sacrifice a bit of CPU usage for data compression, then add:

comp-lzo

If you care about encryption level, TCP will offer a better one, but UDP will work faster, so it’s up to you whether to change the proto udp line to proto tcp. Also, if you choose TCP, add this line:

tcp-nodelay

Another important thing is to set up buffers for incoming and outgoing data transfers using sndbuf and rcvbuf. Those buffers can drastically decrease speed limits, especially on WiFi, which I’m using.

Adding those two lines decreased my pings from ~240ms back to ~55ms, which I think is pretty good.

sndbuf 0
rcvbuf 0

When those two fields are set to 0, OpenVPN will use system buffers for data transmission instead of its own. You can also try getting bigger buffers from the server if such configuration is available, using:

sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"

My full config for TorGuard looks like this:

client
dev tun
proto udp
tls-version-min 1.2
remote YOUR OPENVPN SERVER PORT
resolv-retry infinite
remote-cert-tls server
nobind
tun-mtu 1472
tun-mtu-extra 32
sndbuf 0
rcvbuf 0
persist-tun
tcp-nodelay
mssfix 1450
ca ca.crt
auth-user-pass
comp-lzo
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3

While you’re still here, I would like to recommend the list of security tips for OpenVPN.