
How we reduced ping with OpenVPN

Hi, %username%. It all started with a midnight Skype call. The gist was: "In-law, I have high ping in the game, help." So I decided to help, and the tool of choice became OpenVPN. Under the cut there is a lot of text, a few configs and an explanation of the problem. Although there are already plenty of similar guides, some of the pitfalls are not described in them, which is the reason for writing this one.

So, the problem of high ping affects all customers of the Ukrainian provider UkrTelecom (I note right away that changing provider is not an option: this is a private-sector area where there are no alternatives for reasonable money). From Kharkov to Moscow, the ping is a little over 100 ms. A traceroute showed that the connection went through either Germany or Switzerland, and that detour alone cost about 50 ms. "Hmm," I thought, and decided to fix this. Letters and calls to the provider achieved nothing; the answer was always the same: "The route cannot be changed." Well, nothing ventured, nothing gained. The solution: an OpenVPN server in Kiev (which has a direct connection to my line) with a direct route to Moscow. Looking ahead, I can report that the ping halved, from 100-120 ms to 50-60 ms.

Task:


All settings relate to Ubuntu 11.04 on the server side and Windows 7 on the client.
So, to begin with, we apply for a test VDS or VPS server. As it turned out, it is best to clarify with technical support right away that the tun module is enabled in the Ubuntu kernel on their VDS or VPS. Otherwise you end up, as I did, setting up a second server from scratch, because the first one had a banal "restriction of the OpenVZ technology", as support put it. I did not see this nuance in any guide. The result: 4 hours lost (2 waiting for the test server application to be confirmed, another 1 for setup and another 1 on "why doesn't it work").

Server


I will not cover the basics of setting up a server running Ubuntu; that material is already all over the network. So, straight to the point.
First, install OpenVPN itself:
    apt-get install openvpn

After that, we proceed to creating certificates for the server and client.
    cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

You can change the variables (not strictly necessary, in principle):
    vi ./vars
    # key size in bits; 1024 is what the original setup used (and is weak by today's standards)
    export KEY_SIZE=1024
    # certificate lifetime in days, i.e. 10 years, so it does not have to be reissued
    export KEY_EXPIRE=3650
    # defaults used when generating certificates
    export KEY_COUNTRY=UA
    export KEY_PROVINCE=KH
    export KEY_CITY=Kharkov
    export KEY_ORG=Zadrot`s_Home
    export KEY_EMAIL=mail@host.domain
    # the openssl config file; it must point at a file that actually exists in this directory
    # (see the note about openssl.cnf below)
    export KEY_CONFIG=***.cnf

Next, we generate several certificates. A warning up front: if the certificates refuse to be generated, check whether a file with the name specified in the KEY_CONFIG parameter exists in this directory. In my case the parameter said "openssl.cnf", while the directory contained several files named "openssl-0.9.8.cnf", "openssl-1.0.0-old.cnf" and so on. I simply renamed "openssl-1.0.0.cnf" to "openssl.cnf" and, oh miracle, it worked.
    ./build-ca
    ./build-key-server server
    ./build-dh
    # move the server-side files to /etc/openvpn/
    mv ./keys/ca.crt /etc/openvpn
    mv ./keys/server.crt /etc/openvpn
    mv ./keys/server.key /etc/openvpn
    mv ./keys/dh1024.pem /etc/openvpn
    # the client certificate; "gamer" is the client name
    # you will be asked for an Export password, which the client must enter when connecting
    ./build-key-pkcs12 gamer


Now to setting up the server itself:
    # take the sample config as a starting point
    cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    gzip -d server.conf.gz
    # edit the config
    vi server.conf
    # the lines to change or add:
    local _ip_                                   # the server's own IP address
    push "redirect-gateway def1 bypass-dhcp"     # send all client traffic through the tunnel
    # DNS servers pushed to the clients; without them name resolution on a Windows client
    # breaks as soon as its default gateway is redirected into the tunnel
    push "dhcp-option DNS *.*.*.*"
    push "dhcp-option DNS *.*.*.*"
    verb 6                                       # verbose logging, handy while debugging
    # login/password check on top of the certificate: the client must present both
    auth-user-pass-verify /etc/openvpn/verify.sh via-file
    # stays commented out: we want certificate AND password, not password only
    #client-cert-not-required
    username-as-common-name                      # identify the client by its login, not the certificate CN
    tmp-dir /etc/openvpn/tmp                     # create this directory first with "mkdir tmp"
    script-security 2                            # allow OpenVPN to run the verify.sh script


Next, create the verify.sh script, which checks the login and password.
The script text is under the spoiler.
verify.sh
    #!/bin/sh
    ## format: username:password username:password ...
    ## you can even have the same username with different passwords
    # USERS='user1:pass1 user2:pass2 user3:pass3'
    ## you could put the username:password pairs in
    ## a separate file and read it like this
    USERS=`cat /etc/openvpn/user.pass`

    vpn_verify() {
        if [ -z "$1" ] || [ -z "$2" ]; then
            #echo "No username or password: $*"
            exit 1
        fi
        ## it can also be done with grep or sed
        for i in $USERS; do
            if [ "$i" = "$1:$2" ]; then
                ## you can add logging of users here
                ## if you have enough space for the log file
                #echo `date` $1:$2 >> your_log_file
                exit 0
            fi
        done
    }

    if [ -z "$1" ] || [ ! -e "$1" ]; then
        #echo "No file"
        exit 1
    fi
    ## $1 is the name of the file OpenVPN passes in (via-file mode):
    ## the username is on line 1, the password on line 2
    vpn_verify `cat "$1"`
    #echo "No user with this password found"
    exit 1

And make it executable: chmod +x verify.sh
Create the file user.pass in the format "user1:pass1 user2:pass2 ..." with the pairs separated by spaces.
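The verify.sh above keeps every password in plain text in /etc/openvpn/user.pass, so anyone who can read that file (or a backup of it) has all the logins. Below is an added example, my own and not from the original post, of a drop-in replacement that stores SHA-512-crypt hashes instead and validates the username before it reaches the logs via username-as-common-name. It assumes openssl 1.1.1 or newer (for `passwd -6 -stdin`), a hypothetical database file /etc/openvpn/user.hash, and OpenVPN's via-file layout (username on line 1, password on line 2).

```shell
#!/bin/sh
# Added example: hashed-password replacement for verify.sh (not the post's own script).
# Database format, one entry per line:  username:$6$salt$hash   (path below is assumed)
USERS_DB="${USERS_DB:-/etc/openvpn/user.hash}"

# Hash a password read from stdin with the given salt; stdin keeps it off the
# process list, unlike passing it as an argument. Usage: printf '%s\n' "$pw" | hash_pw SALT
hash_pw() {
    openssl passwd -6 -salt "$1" -stdin
}

# Append a user with a fresh random salt: add_user NAME PASSWORD
add_user() {
    salt=$(openssl rand -hex 8)
    printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | hash_pw "$salt")" >> "$USERS_DB"
}

# Check NAME and PASSWORD against the database; returns 0 on success, 1 otherwise.
vpn_verify() {
    user=$1
    pass=$2
    # Only plain usernames are accepted: with username-as-common-name the login ends up
    # in log lines and environment variables of other OpenVPN scripts.
    case $user in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ -n "$pass" ] || return 1
    # exact match on the username field, so "gamer" does not match "gamer2"
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$USERS_DB" 2>/dev/null)
    [ -n "$stored" ] || return 1
    # re-hash the offered password with the stored salt and compare
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    calc=$(printf '%s\n' "$pass" | hash_pw "$salt")
    [ "$calc" = "$stored" ]
}

# Entry point for OpenVPN's "auth-user-pass-verify ... via-file": verify_file CREDFILE
verify_file() {
    [ -n "$1" ] && [ -r "$1" ] || return 1
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    vpn_verify "$user" "$pass"
}

# When OpenVPN runs this script it passes exactly one argument, the credential file.
if [ "$#" -eq 1 ]; then
    verify_file "$1"
    exit $?
fi
```

Populate the database once with `add_user gamer 'the password'` as root and chmod 600 it; OpenVPN only ever needs the hashes, so the plaintext never has to be stored.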


And the final chord: setting up NAT and adding it to autorun
    vi /etc/sysctl.conf
    net.ipv4.ip_forward=1          # enable forwarding between tun0 and the external interface
    vi /etc/rc.local
    # add these rules (before "exit 0"):
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    # eth0 is the external interface; check its name with ifconfig

Well, the server is ready, we can restart it and configure the client.

Client


To begin, install OpenVPN for Windows. Since the end user of our "service" (aka "Test") is not very computer-savvy, we tick "Run as administrator" in the shortcut properties so that he does not have to right-click it every time (otherwise the routes are not added).
We pull the files from our server via SSH or FTP:
    /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
    /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/gamer.crt
    /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/gamer.csr
    /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/gamer.key
    /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/gamer.p12

And copy them to
    %ProgramFiles%\OpenVPN\config

In the same directory we create a plain-text file config.ovpn with the following content:
    # 123123 Client
    # this side is the client
    client
    dev tun
    proto udp
    remote *.*.*.* 1194          # IP address of our server (external)
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt                    # CA certificate
    cert gamer.crt               # client certificate (file names must match the ones copied above)
    key gamer.key                # client key
    comp-lzo
    verb 3
    remote-cert-tls server
    pull
    # the network of the game server; this is what we want to reach through the tunnel
    route 109.105.0.0 255.255.0.0
    auth-user-pass               # ask for login and password, which verify.sh checks on the server


Well, everything is ready: restart the server and try to connect to it via the OpenVPN icon in the client's tray and the corresponding "Connect" item. Enter the certificate password, then the login and password, and voila:



Check before and after connecting to our server:
Before:
Packet exchange with pointblank.ru [109.105.130.101] with 32 data bytes:
Answer from 109.105.130.101: number of bytes = 32 time = 107ms TTL = 245
Answer from 109.105.130.101: number of bytes = 32 time = 111ms TTL = 245
Answer from 109.105.130.101: number of bytes = 32 time = 104 ms TTL = 245
Answer from 109.105.130.101: number of bytes = 32 time = 108 ms TTL = 245

Ping statistics for 109.105.130.101:
Packets: sent = 4, received = 4, lost = 0
(0% loss)
Approximate round-trip time in ms:
Minimum = 104 ms, Maximum = 111 ms, Medium = 107 ms


After:
Packet exchange with pointblank.ru [109.105.130.101] with 32 data bytes:
Answer from 109.105.130.101: number of bytes = 32 time = 55ms TTL = 248
Answer from 109.105.130.101: number of bytes = 32 time = 55ms TTL = 248
Answer from 109.105.130.101: number of bytes = 32 time = 58ms TTL = 248
Answer from 109.105.130.101: number of bytes = 32 time = 55ms TTL = 248

Ping statistics for 109.105.130.101:
Packets: sent = 4, received = 4, lost = 0
(0% loss)
Approximate round-trip time in ms:
Min = 55 ms, Max = 58 ms, Medium = 55 ms


Everyone is happy, ping dropped from 107 ms to 55 ms.

Results



What we got:


Spent:


Conclusion: Everyone is happy, and everything has been working for 2 weeks without a single failure.

PS: Please point out my mistakes (grammatical and any other) in this post.

UPD: As psyX noted, to allow several clients to connect simultaneously with the same certificate, you need to add a line to server.conf:
    duplicate-cn


Source: https://habr.com/ru/post/162539/
