Ysurac / openmptcprouter

OpenMPTCProuter is an open source solution to aggregate multiple internet connections using Multipath TCP (MPTCP) on OpenWrt
https://www.openmptcprouter.com/
GNU General Public License v3.0

OMR VPS 0.1029-TEST - OpenVPN Enhancement #3099

Closed Kalimeiro closed 6 months ago

Kalimeiro commented 10 months ago

Is your enhancement proposal related to a problem? Please describe.

Improve tunnel configuration of OpenVPN TCP/UDP on VPS Parts

Describe the solution you'd like

This is a great working configuration for the VPS:

For OpenVPN TCP (force disable-dco): /etc/openvpn/tun0.conf

topology subnet
dev tun0
user nobody
group nogroup
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
disable-dco
proto tcp-server
port 65301
persist-tun
persist-key
verb 3
server 10.255.250.0 255.255.255.0
ca /etc/openvpn/ca/pki/ca.crt
cert /etc/openvpn/ca/pki/issued/server.crt
key /etc/openvpn/ca/pki/private/server.key
dh /etc/openvpn/server/dh2048.pem
crl-verify /etc/openvpn/ca/pki/crl.pem
keepalive 10 240
txqueuelen 1000
sndbuf 262144
push "sndbuf 262144"
rcvbuf 262144
push "rcvbuf 262144"
tun-mtu 1420
tls-server
tls-version-min 1.2
push "route 10.255.250.1 255.255.255.255"
client-config-dir ccd
ifconfig-pool-persist ccd/ipp_tcp.txt
passtos

/etc/openvpn/ccd/ipp_tcp.txt

openmptcprouter,10.255.250.2,

For OpenVPN UDP (DCO enabled): /etc/openvpn/tun1.conf

topology subnet
dev tun1
user nobody
group nogroup
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
proto udp
port 65301
persist-tun
persist-key
verb 3
server 10.255.252.0 255.255.255.0
ca /etc/openvpn/ca/pki/ca.crt
cert /etc/openvpn/ca/pki/issued/server.crt
key /etc/openvpn/ca/pki/private/server.key
dh /etc/openvpn/server/dh2048.pem
crl-verify /etc/openvpn/ca/pki/crl.pem
keepalive 10 240
txqueuelen 1000
sndbuf 262144
push "sndbuf 262144"
rcvbuf 262144
push "rcvbuf 262144"
tun-mtu 1420
tls-server
tls-version-min 1.2
push "route 10.255.252.1 255.255.255.255"
client-config-dir ccd
ifconfig-pool-persist ccd/ipp_udp.txt
fast-io
passtos

/etc/openvpn/ccd/ipp_udp.txt

openmptcprouter,10.255.252.2,

Modify the OpenVPN service script /usr/lib/systemd/system/openvpn@.service to add CAP_SETPCAP to the CapabilityBoundingSet variable, since root privileges are dropped.

It's important to configure ifconfig-pool-persist because the IP changes on disconnect/reconnect and omr-admin does not pick up the new IP leased by OpenVPN, with the consequence that firewall/forwarding rules stop working.

UDP doesn't work with aggregation (and that's normal), but performance and latency are very good with DCO and it's more stable than Glorytun and other VPNs. For now DCO doesn't work with TCP, but a fix is WIP.
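The points raised in the comment above (TCP needs disable-dco, the AEAD data-ciphers pin, tls-version-min, crl-verify, the ifconfig-pool-persist lease file, and CAP_SETPCAP in the systemd bounding set) can be checked mechanically before a VPS is put into service. The following is an added example and not code from the issue or from the OpenMPTCProuter project: a small lint that parses an OpenVPN server config, the ccd/ipp_*.txt lease file and the CapabilityBoundingSet= lines of a unit file. The sample config, lease line and unit fragment embedded below are constructed for the example (the config drops disable-dco on purpose so the lint has something to report; the capability list is not the distribution's real default).

```python
"""Lint an OpenVPN server config against the settings discussed in the issue.

Added example; the sample inputs below are constructed, not taken from a live VPS.
"""
import ipaddress
import shlex

# Only AEAD suites are acceptable for data-ciphers (the post pins exactly these).
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

# Constructed sample: the TCP server config from the issue, abridged, with
# disable-dco deliberately left out so the lint flags it.
SAMPLE_TCP_CONF = """
topology subnet
dev tun0
user nobody
group nogroup
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
proto tcp-server
port 65301
server 10.255.250.0 255.255.255.0
crl-verify /etc/openvpn/ca/pki/crl.pem   # comments are stripped by the parser
keepalive 10 240
tls-server
tls-version-min 1.2
push "route 10.255.250.1 255.255.255.255"
client-config-dir ccd
ifconfig-pool-persist ccd/ipp_tcp.txt
"""

# Constructed sample lease file in ifconfig-pool-persist format: common_name,ip,
SAMPLE_IPP = "openmptcprouter,10.255.250.2,\n"

# Constructed sample [Service] fragment; CAP_SETPCAP is missing on purpose.
SAMPLE_UNIT = """
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE
"""


def parse_openvpn_conf(text):
    """Return {directive: [args, ...]}; directives such as push may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)  # keeps quoted push payloads as one argument
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def lint_server_conf(opts):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    proto = opts.get("proto", [["udp"]])[0][0]
    if proto.startswith("tcp") and "disable-dco" not in opts:
        findings.append("tcp transport without disable-dco")
    if "user" not in opts or "group" not in opts:
        findings.append("daemon keeps root: no user/group directives")
    if "data-ciphers" not in opts:
        findings.append("data-ciphers not pinned")
    else:
        weak = [c for c in opts["data-ciphers"][0][0].split(":") if c.upper() not in AEAD_CIPHERS]
        if weak:
            findings.append("non-AEAD data-ciphers: " + ",".join(weak))
    if "tls-version-min" not in opts:
        findings.append("tls-version-min not set")
    elif float(opts["tls-version-min"][0][0]) < 1.2:
        findings.append("tls-version-min below 1.2")
    if "crl-verify" not in opts:
        findings.append("no crl-verify: revoked client certificates still accepted")
    if "ifconfig-pool-persist" not in opts:
        findings.append("no ifconfig-pool-persist: client IP may change on reconnect")
    return findings


def parse_ipp(text):
    """Parse lease lines 'common_name,ip,' into {common_name: ip}."""
    leases = {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) >= 2 and fields[0]:
            leases[fields[0]] = fields[1]
    return leases


def leases_outside_pool(opts, leases):
    """Names whose persisted IP is not inside the 'server' subnet (a stale lease file)."""
    net_addr, mask = opts["server"][0][:2]
    pool = ipaddress.ip_network(f"{net_addr}/{mask}", strict=False)
    return sorted(cn for cn, ip in leases.items() if ipaddress.ip_address(ip) not in pool)


def unit_bounding_set(unit_text):
    """Union of all CapabilityBoundingSet= lines (systemd merges repeated lines)."""
    caps = set()
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("CapabilityBoundingSet="):
            caps.update(line.split("=", 1)[1].split())
    return caps


def missing_caps_for_priv_drop(opts, unit_text):
    """If the config drops to user/group, setuid/setgid plus the CAP_SETPCAP the
    post adds must survive in the bounding set; return whichever are missing."""
    if "user" not in opts and "group" not in opts:
        return set()
    return {"CAP_SETUID", "CAP_SETGID", "CAP_SETPCAP"} - unit_bounding_set(unit_text)


if __name__ == "__main__":
    cfg = parse_openvpn_conf(SAMPLE_TCP_CONF)
    for f in lint_server_conf(cfg):
        print("conf:", f)
    print("stale leases:", leases_outside_pool(cfg, parse_ipp(SAMPLE_IPP)))
    print("missing caps:", missing_caps_for_priv_drop(cfg, SAMPLE_UNIT))
```

Run against the real files by swapping the three constructed strings for `open(...).read()` on /etc/openvpn/tun0.conf, the ccd/ipp_*.txt file and the unit (or its drop-in). The lease check matters for the reconnect problem described above: an entry outside the current `server` subnet means omr-admin will be handed an address the firewall rules were never written for.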

Kalimeiro commented 6 months ago

I have abandoned OpenMPTCProuter for several weeks/months due to major flaws in its development.