On Mon, Apr 30, 2018 at 10:54:22AM +0200, mailmantinc at mobfunk.de wrote:
> I've been using Tinc for several years, but I didn't fix a performance problem.
>
> There are about 20 nodes in this network.
>
> Master:
>
> 10.0.0.12 (dedicated host in a datacenter, debian, 100mBit port)
>
> tinc.conf:
>
> Name = TincKnoten12
> AddressFamily = ipv4
> Interface = tun
> ProcessPriority=high
> mode = router
> #DirectOnly = no
> Compression=0
> PMTUDiscovery = yes
> #IndirectData = yes
> #ReplayWindow = 64
> #ConnectTo = TincKnoten1
> GraphDumpFile = /tmp/tinc-graph
> LocalDiscovery = yes
> ClampMSS = yes
> PMTU = 1400
> #DirectOnly=yes
> #IndirectData=yes
> Cipher=AES-128-CBC
> #TCPOnly=yes
>
>
> mac:10.0.0.20 (1gig directly to our backbone via mpls from our office-vlan)
>
> Name=TincKnoten20
> AddressFamily = ipv4
> Device = /dev/tap0
> ConnectTo = TincKnoten12
> ProcessPriority=high
> mode = router
> #DirectOnly = no
> Compression=0
> Cipher=AES-128-CBC
> IndirectData = yes
> #ReplayWindow = 64
> ClampMSS = yes
> PMTU = 1400
> PMTUDiscovery = yes
>
> freshly installed debian 10.0.0.27 (50/10MBit DSL Access):
>
> Name=TincKnoten27
> AddressFamily=ipv4
> Device=/dev/net/tun
> ConnectTo = TincKnoten12
> LocalDiscovery = yes
> AddressFamily = ipv4
> Compression=0
> ClampMSS = yes
> Cipher=AES-128-CBC
> ProcessPriority=high
> mode = router
> PMTUDiscovery = yes
>
>
> Test with scp:
>
> 10.0.0.20->10.0.0.12 7.8MegaByte/s (good enough)
> 10.0.0.20->10.0.0.27 700kByte (slow)
> 10.0.0.12-> 10.0.0.20 26MegaByte
> 10.0.0.12 -> 10.0.0.27 700kByte (slow, should be 10mBit)
> 10.0.0.27 -> 10.0.0.20 700kByte (slow)
> 10.0.0.27 -> 10.0.0.12 1MegaByte/s (Linespeed 10mBit->fine)

There are several possible reasons why you may not get the full speed
that you think you should get.

For DSL: the quality of your line might not have a constant quality.
Unless your line is rated for much higher speeds, don't expect to get
the full speed promised by your ISP. However, since you are getting the
full 10 Mbit/s to the datacenter, it might be that this is not the
problem.

Another reason for lower speeds is packet loss. With a single TCP
connection (like you have with scp), packet loss might be mistaken
for/caused by congestion, and the speed will drop. Some ISPs might also
drop packets on purpose, especially if it looks like undesired traffic.
It is not uncommon for some ISPs to drop a significant percentage of UDP
packets, in order to make the quality of VoIP calls go down.

As you hinted, MTU might be a problem. But tinc tries to detect the path
MTU and will normally adjust the size of packets accordingly.

Lastly, tinc will normally use UDP between peers, but if that is not
possible for some reason (because of firewalls or some forms of NAT), it
will fall back to using TCP. This can be much slower.

All the slow connections you listed involve 10.0.0.27, so it seems like
the issue is there, or with an ISP somewhere along the path to
10.0.0.27.

There is nothing in your configuration that I can see that is wrong. You
might try to change the MTU, the best way to force a lower MTU is to set
a lower MTU value on the tun interface, for example by adding this to
your tinc-up script:

    ip link set $INTERFACE mtu 1400

You can also check with tcpdump on your LAN interface if packets from
tinc are being fragmented or not, and whether tinc is predominantly
using UDP or TCP when you are running scp.

> There are many more nodes (with the same master 10.0.0.12) and the same
> speed problems on different sites (with 1-2 old openwrt-routers with very
> old tinc-versions).
>
> I think the problem is mtu related.
>
> How can I improve the speed? The cpu-speed on the computers should be high
> enough.

Well, for OpenWRT routers the CPU speed might not be enough; you will
have both tinc and scp doing encryption. The easy way to check this is
to run top and check the CPU usage of tinc and scp.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
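
The tcpdump check suggested in the reply above, as an added example that is not part of the original message: a shell function that summarises `tcpdump -n -v` text into UDP packets, TCP packets, IP fragments and the largest IP packet seen. It assumes tinc's default port 655 and a LAN interface named eth0; the sample capture lines are constructed in the shape of tcpdump's verbose output.

```shell
#!/bin/sh
# Added example: count UDP vs TCP packets and IP fragments in `tcpdump -n -v` text.
# Live use (assumptions: tinc on its default port 655, LAN interface eth0):
#   tcpdump -n -v -c 2000 -i eth0 'port 655 or (ip[6:2] & 0x3fff != 0)' \
#       | summarize_tinc_capture
# The second filter clause matches any IP fragment (MF bit set or offset > 0);
# later fragments carry no port number, so 'port 655' alone would miss them.
# It also matches fragments of non-tinc traffic on the same interface.

summarize_tinc_capture() {
    awk '
    /proto (UDP|TCP) \(/ {
        # Verbose IP header line: classify by transport protocol.
        if ($0 ~ /proto UDP/) udp++; else tcp++
        # A packet is a fragment if its offset is non-zero or "more fragments" is set.
        off = 0
        if (match($0, /offset [0-9]+/))
            off = substr($0, RSTART + 7, RLENGTH - 7) + 0
        if (off > 0 || index($0, "flags [+") > 0) frag++
        # Track the largest IP total length to compare against the link MTU.
        if (match($0, /length [0-9]+\)/)) {
            len = substr($0, RSTART + 7, RLENGTH - 8) + 0
            if (len > max) max = len
        }
    }
    END { printf "udp=%d tcp=%d fragments=%d max_ip_len=%d\n", udp, tcp, frag, max }
    '
}

# Constructed sample: one normal UDP packet, one UDP packet split into two
# fragments, and one TCP packet (tinc always keeps a TCP control connection,
# so a few TCP packets are expected even when data flows over UDP).
sample_capture() {
    cat <<'EOF'
10:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 1428)
    192.0.2.10.655 > 198.51.100.27.655: UDP, length 1400
10:00:00.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [+], proto UDP (17), length 1500)
    192.0.2.10.655 > 198.51.100.27.655: UDP, bad length 1600 > 1472
10:00:00.000003 IP (tos 0x0, ttl 64, id 2, offset 1480, flags [none], proto UDP (17), length 148)
    192.0.2.10 > 198.51.100.27: ip-proto-17
10:00:00.000004 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 92)
    192.0.2.10.655 > 198.51.100.27.51000: Flags [P.], seq 1:41, ack 1, win 229, length 40
EOF
}

sample_capture | summarize_tinc_capture
```

During an scp run, a TCP count that dwarfs the UDP count points at the TCP fallback described above, and a non-zero fragment count means packets are leaving larger than the path allows.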