openvpn (pivpn) on a Raspberry Pi: connects successfully but is too slow to use

I set up a 2GB Raspberry Pi 4 as an openvpn server using pivpn. Testing with my phone I get a connection, but it is so slow that not even a page loads (<100 Bit/s). I am trying to find the mistake in my setup.

The phone shows as connected, but when I power off the pi it does not connect, so routing and authentication seem to be working:

[screenshot]

I don't know where to start, so I'll just write down some information that might be relevant:

  • The internet connections of both the phone and the pi are fast enough (pi: ping 33 ms, 75 MBit/s down, 50 up; phone: ping 17 ms, 20 MBit/s down, 12 up). The pi is connected via Wifi, the phone uses its mobile data connection.

  • I use port forwarding on port 1194 and a ddns service updated with ddclient. The LAN uses DHCP with a reserved IP for the pi.

  • The setup uses the tunnel options V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client and the protocol options cipher: AES-256-GCM, digest: NONE, compress: NONE, peer ID: 0

  • Using tcpdump (port not 22), there is some traffic before I connect (background communication with the router, some broadcasts), and when I connect the client the traffic increases a lot. I see whatsapp and facebook in some of the traffic, but mostly

  • The pi is dedicated to this task and runs a fresh install of raspian lite. What is on it was needed/installed by ddclient and/or the pivpn script. top shows <1% CPU and <1% RAM usage for openvpn.

  • The header of the .ovpn file created on the server for this client:

client
dev tun
proto udp
remote xxxx.chickenkiller.com 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypivpn_xxxxxxx-24e8-42a0-ac2b-xxxxxxxxx name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3

  • The file /etc/openvpn/server.conf:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypivpn_xxxxx.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypivpn_xxxxx.key
dh none
ecdh-curve prime256v1
topology subnet
server 20.9.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

  • The phone runs the openvpn client app.

  • The openvpn logs on the phone and on the pi show no errors.

  • I can't yet test on my laptop or on any other device.

Is there anything I might have done wrong? Please let me know if anything else about my setup would help.

Thanks a lot!


tcpdump before connecting (I have redacted/changed/removed what I thought might be necessary):

13:23:03.651388 ff:ff:37:ef:1b:c4 (oui Unknown) > Broadcast, ethertype Unknown (0x6970), length 74: 
    0x0000:  010e 58dd dddd b8e9 37ef 1bc4 6970 0101  ..X.....7...ip..
    0x0020:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5  ................
    0x0030:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5            ............
13:23:04.471171 IP 192.168.1.200.41997 > 192.168.1.255.21027: UDP, length 480
13:23:08.771313 ff:ff:37:ef:1b:c4 (oui Unknown) > Broadcast, ethertype Unknown (0x6970), length 74: 
    0x0000:  010e 58dd dddd b8e9 37ef 1bc4 6970 0101  ..X.....7...ip..
    0x0020:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5  ................
    0x0030:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5            ............
13:23:13.686614 ff:ff:37:ef:1b:c4 (oui Unknown) > Broadcast, ethertype Unknown (0x6970), length 74: 
    0x0000:  010e 58dd dddd b8e9 37ef 1bc4 6970 0101  ..X.....7...ip..
    0x0020:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5  ................
    0x0030:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5            ............
13:23:14.178749 ARP, Request who-has 192.168.1.150 tell 192.168.1.101, length 28
13:23:14.178792 ARP, Reply 192.168.1.150 is-at ff:ff:01:37:e4:b1 (oui Unknown), length 28
13:23:14.507295 IP 192.168.1.101.47687 > 192.168.1.255.21027: UDP, length 477
13:23:18.806609 ff:ff:37:ef:1b:c4 (oui Unknown) > Broadcast, ethertype Unknown (0x6970), length 74: 
    0x0000:  010e 58dd dddd b8e9 37ef 1bc4 6970 0101  ..X.....7...ip..
    0x0020:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5  ................
    0x0030:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5            ............
13:23:20.650068 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 70:3a:cb:75:ce:7b (oui Unknown), length 244
13:23:23.721742 ff:ff:37:ef:1b:c4 (oui Unknown) > Broadcast, ethertype Unknown (0x6970), length 74: 
    0x0000:  010e 58dd dddd b8e9 37ef 1bc4 6970 0101  ..X.....7...ip..
    0x0020:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5  ................
    0x0030:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5            ............
13:23:23.722287 ARP, Request who-has 192.168.1.150 (ff:ff:01:37:e4:b1 (oui Unknown)) tell 192.168.1.1, length 46
13:23:23.722342 ARP, Reply 192.168.1.150 is-at ff:ff:01:37:e4:b1 (oui Unknown), length 28

tcpdump in the first few seconds after connecting:

13:28:11.877479 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 54
13:28:11.878677 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 66
13:28:11.992044 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 339
13:28:11.992858 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 62
13:28:11.993104 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 153
13:28:12.004387 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 378
13:28:12.013758 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 1128
13:28:12.014035 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 503
13:28:12.019489 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 62
13:28:12.022810 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 1316
13:28:12.026282 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 355
13:28:12.033375 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 224
13:28:12.034349 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 287
13:28:12.038947 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 62
13:28:12.040022 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 62
13:28:12.041430 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 89
13:28:12.042633 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 62
13:28:12.042836 IP 192.168.1.150.openvpn > 192.168.1.1.43448: UDP, length 300
13:28:12.078304 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 62
13:28:12.079115 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 140
13:28:12.079177 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 72
13:28:12.079214 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 140
13:28:12.161953 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:12.163013 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:12.167330 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:12.167365 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:12.171647 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 100
13:28:12.171840 IP 20.9.0.3.54810 > dns.google.domain: 37821+ A? infinitedata-pa.googleapis.com. (48)
13:28:12.172282 IP 192.168.1.150.52627 > 192.168.1.1.domain: 36332+ PTR? 3.0.8.10.in-addr.arpa. (39)
13:28:12.174861 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 102
13:28:12.175040 IP 20.9.0.3.16393 > dns.google.domain: 59285+ A? digitalassetlinks.googleapis.com. (50)
13:28:12.175944 IP 192.168.1.1.domain > 192.168.1.150.52627: 36332 NXDomain* 0/0/0 (39)
13:28:12.176222 IP 192.168.1.150.47687 > 192.168.1.1.domain: 2044+ PTR? 8.8.8.8.in-addr.arpa. (38)
13:28:12.191657 IP 192.168.1.1.domain > 192.168.1.150.47687: 2044 1/0/0 PTR dns.google. (62)
13:28:12.282279 IP 192.168.1.22.mdns > 224.0.0.251.mdns: 1 [2q] PTR (QU)? _CC32E753._sub._googlecast._tcp.local. PTR (QU)? _googlecast._tcp.local. (61)
13:28:12.358935 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 85
13:28:12.359554 IP 20.9.0.3.37234 > dns.google.domain: 61029+ NAPTR? rbm.mavenir.com. (33)
13:28:12.386618 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:12.390037 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:12.508233 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 84
13:28:12.508746 IP 20.9.0.3.49488 > 57.74.98.34.bc.googleusercontent.com.https: Flags [S], seq 72412679, win 65535, options [mss 1361,sackOK,TS val 2637578 ecr 0,nop,wscale 8], length 0
13:28:12.509118 IP 192.168.1.150.42940 > 192.168.1.1.domain: 11656+ PTR? 57.74.98.34.in-addr.arpa. (42)
13:28:12.533377 IP 192.168.1.1.domain > 192.168.1.150.42940: 11656 1/0/0 PTR 57.74.98.34.bc.googleusercontent.com. (92)
13:28:12.626709 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:12.630095 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:12.660407 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:12.761745 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 140
13:28:12.792873 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 84
13:28:12.793170 IP 20.9.0.3.4176 > dns.google.domain: 36977+ A? g.whatsapp.net. (32)
13:28:12.873592 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 140
13:28:12.894501 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:13.011053 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 88
13:28:13.011355 IP 20.9.0.3.26958 > dns.google.domain: 28809+ AAAA? dealer.spotify.com. (36)
13:28:13.012418 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 88
13:28:13.012701 IP 20.9.0.3.53255 > dns.google.domain: 34834+ A? dealer.spotify.com. (36)
13:28:13.088709 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:13.092741 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:13.134467 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:13.176740 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:13.177032 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:13.309546 IP 192.168.1.22.mdns > 224.0.0.251.mdns: 2 [2q] PTR (QM)? _CC32E753._sub._googlecast._tcp.local. PTR (QM)? _googlecast._tcp.local. (61)
13:28:13.521911 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 84
13:28:13.522240 IP 20.9.0.3.49488 > 57.74.98.34.bc.googleusercontent.com.https: Flags [S], seq 72412679, win 65535, options [mss 1361,sackOK,TS val 2637880 ecr 0,nop,wscale 8], length 0
13:28:13.594254 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:13.972678 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:13.975944 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 211
13:28:14.128750 ff:ff:37:ef:1b:c4 (oui Unknown) > Broadcast, ethertype Unknown (0x6970), length 74: 
    0x0000:  010e 58dd dddd b8e9 37ef 1bc4 6970 0101  ..X.....7...ip..
    0x0020:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5  ................
    0x0030:  a5a5 a5a5 a5a5 a5a5 a5a5 a5a5            ............
13:28:14.315567 IP 192.168.1.22.mdns > 224.0.0.251.mdns: 3 [2q] PTR (QM)? _CC32E753._sub._googlecast._tcp.local. PTR (QM)? _googlecast._tcp.local. (61)
13:28:14.321486 IP 192.168.1.101.47687 > 192.168.1.255.21027: UDP, length 477
13:28:14.480595 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:14.973356 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 84
13:28:14.973631 IP 20.9.0.3.49178 > 25.224.186.35.bc.googleusercontent.com.https: Flags [S], seq 1821028633, win 65535, options [mss 1361,sackOK,TS val 2638316 ecr 0,nop,wscale 8], length 0
13:28:14.974283 IP 192.168.1.150.41045 > 192.168.1.1.domain: 13203+ PTR? 25.224.186.35.in-addr.arpa. (44)
13:28:14.993607 IP 192.168.1.1.domain > 192.168.1.150.41045: 13203 1/0/0 PTR 25.224.186.35.bc.googleusercontent.com. (96)
13:28:15.267765 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:15.268366 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 76
13:28:15.409468 IP 192.168.1.1.43448 > 192.168.1.150.openvpn: UDP, length 93
13:28:15.409698 IP 20.9.0.3.24907 > dns.google.domain: 25615+ A? spclient.wg.spotify.com. (41)
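Reading a capture like the one above for the symptom in this question, as an added example that is not part of the original post: the two awk checks below run over constructed tcpdump lines in the same text format and look for the two signs that client traffic leaves the tunnel but never returns: packets on the uplink whose source is still a VPN-subnet address (no NAT applied), and TCP SYNs retransmitted without any reply. It assumes the capture was taken with `tcpdump -n` on the server's uplink interface (wlan0 in this setup; the question's capture does not say which interface it used, and on the tun interface or `any` VPN-subnet sources are expected, so the first check does not apply there). `20.9.0.` is the subnet from server.conf; 203.0.113.10 in the healthy sample is a documentation address standing in for a web host.

```shell
#!/bin/sh
# Added example, not from the original post: triage a tcpdump text capture taken
# on the VPN server's uplink interface for two signs that client traffic leaves
# the tunnel but never comes back: packets whose source is still a VPN-subnet
# address (no MASQUERADE applied) and TCP SYNs retransmitted with no reply.

# Constructed capture lines in the format tcpdump prints; addresses mirror the
# question's setup (VPN subnet 20.9.0.0/24, server LAN address 192.168.1.150).
SAMPLE_BROKEN='13:28:12.508 IP 20.9.0.3.49488 > 57.74.98.34.bc.googleusercontent.com.https: Flags [S], seq 72412679, win 65535, length 0
13:28:12.509 IP 192.168.1.150.42940 > 192.168.1.1.domain: 11656+ PTR? 57.74.98.34.in-addr.arpa. (42)
13:28:12.533 IP 192.168.1.1.domain > 192.168.1.150.42940: 11656 1/0/0 PTR 57.74.98.34.bc.googleusercontent.com. (92)
13:28:13.522 IP 20.9.0.3.49488 > 57.74.98.34.bc.googleusercontent.com.https: Flags [S], seq 72412679, win 65535, length 0
13:28:14.973 IP 20.9.0.3.49178 > 25.224.186.35.bc.googleusercontent.com.https: Flags [S], seq 1821028633, win 65535, length 0'

# Constructed healthy capture: the SYN leaves with the server's LAN address and
# is answered (203.0.113.10 is a documentation address standing in for a web host).
SAMPLE_OK='13:30:01.100 IP 192.168.1.150.49500 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
13:30:01.130 IP 203.0.113.10.443 > 192.168.1.150.49500: Flags [S.], seq 2, ack 2, win 65535, length 0
13:30:01.131 IP 192.168.1.150.49500 > 203.0.113.10.443: Flags [.], ack 1, win 256, length 0'

# unnatted_sources CAPTURE VPN_PREFIX
# Distinct VPN-subnet addresses seen as packet *sources* on the uplink. With a
# working MASQUERADE rule they would carry the server's LAN address instead.
unnatted_sources() {
    printf '%s\n' "$1" | awk -v pfx="$2" '$2 == "IP" && index($3, pfx) == 1 {
        n = split($3, a, "."); if (n >= 4) print a[1] "." a[2] "." a[3] "." a[4] }' | sort -u
}

# unanswered_syns CAPTURE
# "src > dst count" for every TCP SYN sent more than once while nothing at all
# came back from that destination to that source.
unanswered_syns() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" {
            d = $5; sub(/:$/, "", d); key = $3 " > " d
            seen[key] = 1
            if ($0 ~ /Flags \[S\],/) syn[key]++
        }
        END {
            for (k in syn) {
                split(k, p, " > ")
                if (syn[k] > 1 && !((p[2] " > " p[1]) in seen)) print k, syn[k]
            }
        }' | sort
}

# triage CAPTURE VPN_PREFIX: print the findings, return 1 if there are any.
triage() {
    bad=$(unnatted_sources "$1" "$2")
    stuck=$(unanswered_syns "$1")
    if [ -z "$bad" ] && [ -z "$stuck" ]; then
        echo "no NAT/forwarding symptoms"
        return 0
    fi
    if [ -n "$bad" ]; then
        printf 'VPN address on the uplink (MASQUERADE not applied): %s\n' "$bad"
    fi
    if [ -n "$stuck" ]; then
        printf 'SYN retransmitted, no reply: %s\n' "$stuck"
    fi
    return 1
}

# Live use on the Pi (uplink is wlan0 here):
#   sudo tcpdump -n -i wlan0 'not port 22 and not port 1194' > capture.txt
#   triage "$(cat capture.txt)" 20.9.0.
triage "$SAMPLE_BROKEN" 20.9.0. || echo "(check the NAT rule and ip_forward before looking at MTU or ciphers)"
triage "$SAMPLE_OK" 20.9.0.
```

The first check is the decisive one: a VPN-internal source address on the uplink means the packet was forwarded but the POSTROUTING MASQUERADE rule did not match it, so the remote host replies to an address the internet cannot route. The second check catches the same problem from the other side, and also a plain forwarding failure, without needing to know the subnet.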

Answer 1

With Tom's help, the problem turned out to be the iptables configuration.

sudo iptables-save returns:

# Generated by xtables-save v1.8.2 on Sun Jun 20 15:47:29 2021
*filter
:INPUT ACCEPT [1308:157588]
:FORWARD ACCEPT [483:31962]
:OUTPUT ACCEPT [431:1989618]
COMMIT
# Completed on Sun Jun 20 15:47:29 2021
# Generated by xtables-save v1.8.2 on Sun Jun 20 15:47:29 2021
*nat
:PREROUTING ACCEPT [291:34883]
:INPUT ACCEPT [50:18696]
:POSTROUTING ACCEPT [252:17084]
:OUTPUT ACCEPT [11:897]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
COMMIT

Note the -o eth0. I am actually using the wireless interface.

After removing it from /etc/iptables/rules.v4 and rebooting, the vpn connection now works as expected. I can reach IP addresses in the LAN and the connection is fast:

[screenshot]

Some remarks:

  • The openvpn client on android still shows a slow speed, even while watching YouTube. That puzzles me a bit, but I guess it is just the overhead of the vpn tunnel itself, i.e. the encryption.

[screenshot]

  • I did not enter the -o eth0 option into iptables by hand; I think it was added by the pivpn script. I did briefly try to use the ethernet port, but couldn't use it during the most recent setup/reconfiguration with pivpn. Not sure whether this is a bug, but it is at least something to keep in mind when setting up the vpn server.

I hope this helps someone else who runs into this problem. Thanks again Tom
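A check for the mistake this answer found, added here as an example and not part of the answer or of pivpn: the POSIX shell functions below parse `iptables-save` output for the rule tagged `openvpn-nat-rule` and compare its outgoing interface and source subnet with the interface that carries the default route and with the `server` line of server.conf. It goes slightly beyond the answer by checking the subnet as well as the interface. `SAMPLE_RULES` is constructed; on a real Pi the inputs come from `sudo iptables-save -t nat` and `ip route show default`, as noted in the comments.

```shell
#!/bin/sh
# Added example, not from the original answer or from pivpn: verify that the
# OpenVPN MASQUERADE rule names the interface that really carries the default
# route and the subnet handed out by server.conf.

# Constructed iptables-save excerpt in the shape pivpn writes; "-o eth0" on a
# Pi that is only on Wi-Fi is the mismatch described in the answer.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 20.9.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
COMMIT'

# Dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24.
mask2prefix() {
    echo "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { m = $i; while (m > 0) { n += m % 2; m = int(m / 2) } }
        print n }'
}

# nat_rule_opt RULES OPT: the value following OPT (-o or -s) on the
# openvpn-nat-rule MASQUERADE line, or nothing if absent.
nat_rule_opt() {
    printf '%s\n' "$1" | awk -v opt="$2" '/openvpn-nat-rule/ && /-j MASQUERADE/ {
        for (i = 1; i < NF; i++) if ($i == opt) print $(i + 1) }'
}

# check_nat_rule RULES UPLINK_IFACE NETWORK NETMASK
# UPLINK_IFACE is the interface of the default route, NETWORK/NETMASK are the
# two values of the "server" directive. One line per finding; returns 0 only
# when the rule exists and matches.
check_nat_rule() {
    want_net="$3/$(mask2prefix "$4")"
    have_if=$(nat_rule_opt "$1" -o)
    have_net=$(nat_rule_opt "$1" -s)
    rc=0
    if ! printf '%s\n' "$1" | grep -q 'openvpn-nat-rule.*MASQUERADE'; then
        echo "no openvpn-nat-rule MASQUERADE rule: VPN client traffic leaves un-NATed"
        return 1
    fi
    if [ -n "$have_if" ] && [ "$have_if" != "$2" ]; then
        echo "interface mismatch: rule says -o $have_if, default route leaves via $2"
        rc=1
    fi
    if [ "$have_net" != "$want_net" ]; then
        echo "subnet mismatch: rule masquerades ${have_net:-nothing}, server.conf uses $want_net"
        rc=1
    fi
    if [ $rc -eq 0 ]; then echo "ok: -s $have_net -o ${have_if:-<any>}"; fi
    return $rc
}

# fixed_rule UPLINK_IFACE NETWORK NETMASK: the rule that belongs in
# /etc/iptables/rules.v4 for the given values.
fixed_rule() {
    echo "-A POSTROUTING -s $2/$(mask2prefix "$3") -o $1 -m comment --comment openvpn-nat-rule -j MASQUERADE"
}

# On the Pi itself you would feed live values instead of the sample:
#   UPLINK=$(ip route show default | awk '{ print $5; exit }')
#   RULES=$(sudo iptables-save -t nat)
check_nat_rule "$SAMPLE_RULES" wlan0 20.9.0.0 255.255.255.0 ||
    echo "suggested rule: $(fixed_rule wlan0 20.9.0.0 255.255.255.0)"
```

A rule with no `-o` at all, which is what this answer ended up with, masquerades on every outgoing interface and is reported as fine; pinning `-o` to the real uplink (`wlan0` here) is the tighter form. It is also worth confirming that `net.ipv4.ip_forward` is 1 (pivpn normally sets it), since without forwarding the NAT rule never sees a packet.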

Answer 2

The throughput problem is probably caused by suboptimal configuration options (in particular AES256), unspecified TLS EC ciphers and a lack of tuning (incorrect tun-mtu, possibly receive/send buffers, etc.)

  • AES128 will remain uncrackable until at least 2030, so the severe throughput hit buys no extra security
  • The best throughput comes from a tuned configuration (example: connection reliability and speed)
    • tun-mtu should be ~48000 with AES-NI, probably ~24000 without

Solution:

  • server.conf
    # SSL:
      cipher      AES-128-CBC
    
    # TLS: (generate supported ciphers via: openvpn --show-tls)
      tls_cipher  'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256'
    
  • client.ovpn
    # SSL:
      cipher      AES-128-CBC
    

Additional info:

  • tls-crypt is recommended to ensure PFS [Perfect Forward Secrecy]:
    # server.conf: (generate via: openvpn --genkey --secret tls-crypt.psk)
    
    tls-crypt   /etc/openvpn/tc.psk
    
    # client.ovpn:
    
    <tls-crypt>
    -----BEGIN OpenVPN Static key V1-----
    # PASTE KEY HERE #
    -----END OpenVPN Static key V1-----
    </tls-crypt>
    

  • user/group should be nobody/nogroup unless the OS/firmware is configured otherwise
  • SHA512 is recommended if using an x64 CPU (x64 CPUs process SHA512 faster than SHA256)
  • Setting the server to verb 4 and the client to verb 5 is more effective, as it avoids having to change them when troubleshooting is needed (server firewall rules should be tcp udp for the same reason)
  • I always recommend OpenVPN for Android as it offers better customization
