Profile Details

Recent updates
  • Faucon
    Faucon replied to a discussion, Bandwidth problem when using openvpn

    Nick Howitt wrote:

    OK. What is the output of:
    For my site<->site connections I use this doc. It does not use certificates or:I wonder if that makes any difference. I guess I could try setting up some sort of internal test. I can't set up an external test as one end has an up-link speed of 3Mbps and the other of about 9Mbps.

    I wonder also if you are hardware limited, but I don't know what sort of speeds to expect.


    Here is the result of the lspci:

    00:12.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 03)
    Subsystem: Red Hat, Inc. QEMU Virtual Machine
    Kernel driver in use: e1000
    Kernel modules: e1000
    00:13.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 03)
    Subsystem: Red Hat, Inc. QEMU Virtual Machine
    Kernel driver in use: e1000
    Kernel modules: e1000

    Clearos is running on a Proxmox OS (Virtualization). I don't think I'm hardware limited, as I can get the 60M with clearos, but with openvpn stopped.

    Also, I don't think that the certificate or encryption (TLS) is making a difference, because I took the clearos certificate and clearos config to connect to the VPS using my Archlinux PC (bypassing the clearos gateway) and I get the 60M.

    Thanks for the help by the way !

  • Faucon
    Faucon replied to a discussion, Bandwidth problem when using openvpn

    No, I'm not using QOS. As I mentioned, I did the speedtest under IP Settings of the webmin page (little RPM logo) and saved the result.

    Here is the network.conf file:

    [root@pingouin ~]# cat /etc/clearos/network.conf
    # Network mode
    MODE="gateway"

    # Network interface roles
    EXTIF="ens18"
    LANIF="ens19"
    DMZIF=""
    HOTIF=""

    # Domain and Internet Hostname
    DEFAULT_DOMAIN="xxxxx.ca"
    INTERNET_HOSTNAME="xxxxx.ca"

    # Extra LANS
    EXTRALANS=""

    # ISP Maximum Speeds
    ENS18_MAX_DOWNSTREAM=66000
    ENS18_MAX_UPSTREAM=10930

    Also, I forgot to mention that when I shut down the openvpn service, all my devices get the 60M, passing through the clearos gateway.

  • Faucon
    Faucon started a new discussion, Bandwidth problem when using openvpn

    Bandwidth problem when using openvpn

    Hi !

    I've been using openvpn as a client on clearos for a couple of years. Clearos is set as a gateway for my LAN, but connects as a client to a VPS from DigitalOcean in Toronto, to be able to have all my devices behind a VPN. I also have a Cisco ASA5505 Firewall between my internet connection and the eth0 of clearos.

    Everything was going very well on my 30 Mbit internet connection. Then I decided to upgrade it to 60 Mbit. I noticed that when openvpn is connected to the VPS, my speed is limited to 30M (speedtest.net). I did the speedtest on the IP Setting page of Clearos, then saved the result on eth0, but it still caps at 30Mbit.

    To find out where the problem was, I installed openvpn on my Archlinux PC, then put the PC behind the ASA5505, but before ClearOS eth0. With the openvpn client connected to the same VPS on my Archlinux PC, I can reach the 60 Mbit on speedtest.net. So the problem is not the ASA, nor the DigitalOcean server. It looks like openvpn on clearos is limiting the bandwidth to 30M.

    Here is a basic overview of the current routing. All my devices go on the internet from the DigitalOcean IP.

    Internet --> ASA5505 --> Clearos eth0 [ ] Clearos eth1 --> Cisco 48 port gig switch --> All my devices
    |
    |
    Clearos openvpn client --> My Toronto VPS --> DigitalOcean Internet

    Here is the clearos openvpn.conf :

    # Mode and protocol

    client
    remote xxxxxxx.ca 1443
    proto udp
    dev tun

    # VPN options

    topology subnet
    comp-lzo
    persist-key
    keepalive 10 120
    verb 3
    log digitalocean.log

    # Encryption and TLS

    cipher AES-256-CBC
    auth SHA256
    tls-client
    remote-cert-tls server
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    # Certificates

    tls-crypt /etc/openvpn/keys/do-vps.tlsauth
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/pingouin.crt
    key /etc/openvpn/keys/pingouin.key




    Here is the server side config:

    # Mode and protocol

    port 1443
    proto udp
    dev tun

    # VPN options

    topology subnet
    tls-server
    ifconfig-pool-persist ipp.txt
    comp-lzo
    max-clients 3
    persist-key
    user nobody
    group nobody
    client-to-client
    client-config-dir ccd
    keepalive 10 120
    chroot /var/empty/openvpn_server
    verb 3
    log server.log

    # Encryption and TLS

    cipher AES-256-CBC
    auth SHA256
    remote-cert-eku "TLS Web Client Authentication"
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    # Certificates

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/do-vps.crt
    key /etc/openvpn/easy-rsa/keys/do-vps.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    tls-crypt /etc/openvpn/easy-rsa/keys/do-vps.tlsauth

    # IP config

    server 10.9.0.0 255.255.255.0
    # 10.195.198.0 is my LAN subnet
    route 10.195.198.0 255.255.255.0 10.9.0.2
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

    Here is the routing table, when connected to the VPS:

    [root@pingouin ~]# ip route
    0.0.0.0/1 via 10.9.0.1 dev tun0
    default via 172.16.24.1 dev ens18
    10.9.0.0/24 dev tun0 proto kernel scope link src 10.9.0.2
    10.195.198.0/24 dev ens19 proto kernel scope link src 10.195.198.2 (ens19 is the LAN interface of clearos, which is set to 10.195.198.2)
    128.0.0.0/1 via 10.9.0.1 dev tun0
    159.203.27.104 via 172.16.24.1 dev ens18
    172.16.24.0/24 dev ens18 proto kernel scope link src 172.16.24.2 (172.16.24.1 is the ASA5505, 172.16.24.2 is clearos External interface (ens18))

  • Faucon

    Nick Howitt wrote:

    This is to run ClearOS as an AP, so on the LAN, and not to connect the ClearOS WAN by WiFi to an external AP.


    My AP is on the LAN. It's for the home SSID. It currently gets its IP from clearos, then creates 2.4 and 5 networks.

    I was just asking if it's for a kind of wireless NIC connected straight to the clearos box through PCI or USB.

  • Faucon

    This is for a directly connected wireless interface? I do have a Cisco AIR-CAP2602I AP at home... Can I do something with this app?

  • Faucon
    Faucon replied to a discussion, OpenVPN Site to Site network access

    Is this problem fixed? I was dealing with the same problem last week. You have to enter a new entry on both sides for MASQUERADE.

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno33557248 -j MASQUERADE

    I used the custom firewall app within the Marketplace, to be able to easily add rules to my iptables.

    Also, you have to make sure that both sides have packet forwarding enabled. You can check with this command:

    cat /proc/sys/net/ipv4/ip_forward

    It will return 0 or 1.
    If it's currently 0, you have to add these lines in /etc/sysctl.conf and reboot:

    # Packet forwarding
    net.ipv4.ip_forward = 1
    # net.inet.ip.fastforwarding is a FreeBSD sysctl and does not exist on Linux
    # net.inet.ip.fastforwarding = 1
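
The two prerequisites named in the post above (packet forwarding and a MASQUERADE rule for the VPN subnet), checked in one pass for each side. This is an added example, not part of the original post; the function names and the approach of reading saved `iptables -t nat -S POSTROUTING` output from files are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the post): verify both site-to-site prerequisites.
# Inputs are files so the checks work on live data or on output saved from the far side:
#   cat /proc/sys/net/ipv4/ip_forward > fwd ; iptables -t nat -S POSTROUTING > nat

# True when the file holds "1" (forwarding on).
forwarding_enabled() { # $1 = file with the ip_forward value
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# True when a POSTROUTING rule masquerades exactly this subnet out of this interface.
has_masquerade() { # $1 = VPN subnet, $2 = egress interface, $3 = rules file
    grep -F -- "-A POSTROUTING" "$3" | grep -F -- "-s $1 " |
        grep -F -- "-o $2 " | grep -Fq -- "-j MASQUERADE"
}

# Prints one finding per check; return status = number of missing prerequisites.
audit_side() { # $1 = label, $2 = fwd file, $3 = subnet, $4 = interface, $5 = rules file
    missing=0
    if forwarding_enabled "$2"; then echo "$1: ip_forward=1"
    else echo "$1: ip_forward is 0"; missing=$((missing + 1)); fi
    if has_masquerade "$3" "$4" "$5"; then echo "$1: MASQUERADE $3 -> $4 present"
    else echo "$1: MASQUERADE $3 -> $4 missing"; missing=$((missing + 1)); fi
    return "$missing"
}

# Constructed sample: side A is set up as in the post, side B has neither setting.
demo=$(mktemp -d)
echo 1 > "$demo/fwd_a"; echo 0 > "$demo/fwd_b"
printf '%s\n' '-P POSTROUTING ACCEPT' \
    '-A POSTROUTING -s 10.8.0.0/24 -o eno33557248 -j MASQUERADE' > "$demo/nat_a"
printf '%s\n' '-P POSTROUTING ACCEPT' > "$demo/nat_b"
audit_side site-a "$demo/fwd_a" 10.8.0.0/24 eno33557248 "$demo/nat_a"
audit_side site-b "$demo/fwd_b" 10.8.0.0/24 eno33557248 "$demo/nat_b" || echo "site-b: $? to fix"
```
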

  • Faucon
    Faucon replied to a discussion, Radius server not starting

    Dave Loper wrote:

    For those wanting to try out the package in testing and can provide me with feedback, please test the package by running:

    yum --enablerepo=clearos-updates-testing upgrade app-radius

    You should be getting version 2.2.0-2.v7

    Let me know so we can generally release this and then put it back in the marketplace.


    It's still not starting. I uninstalled the old version, then, from the marketplace, it installed 2.2.0-2 without having to specify the repository.

    Then I added a client, and can't start it.

    Here is the /var/log/message:

    May 2 22:28:03 pingouin webconfig: Redirecting to /bin/systemctl start radiusd.service
    May 2 22:28:03 pingouin systemd: Starting FreeRADIUS high performance RADIUS server....
    May 2 22:28:03 pingouin systemd: radiusd.service: control process exited, code=exited status=1
    May 2 22:28:03 pingouin systemd: Failed to start FreeRADIUS high performance RADIUS server..
    May 2 22:28:03 pingouin systemd: Unit radiusd.service entered failed state.
    May 2 22:28:03 pingouin systemd: radiusd.service failed.
    May 2 22:28:03 pingouin webconfig: Job for radiusd.service failed because the control process exited with error code. See "systemctl status radiusd.service" and "journalctl -xe" for details.

    Here is /var/log/radius/radius.log:

    Mon May 2 22:32:29 2016 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
    Mon May 2 22:32:29 2016 : Warning: Support for old-style clients will be removed in a future release
    Mon May 2 22:32:29 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:32:29 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server <default>
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server default
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server clearos-inner-tunnel
    Mon May 2 22:32:29 2016 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server inner-tunnel
    Mon May 2 22:32:29 2016 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
    Mon May 2 22:32:29 2016 : Warning: Support for old-style clients will be removed in a future release
    Mon May 2 22:32:29 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:32:29 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Opening additional connection (0)
    Mon May 2 22:32:29 2016 : Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
    Mon May 2 22:32:29 2016 : Error: rlm_ldap (ldap): Opening connection failed (0)
    Mon May 2 22:32:29 2016 : Error: /etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"


    In /etc/raddb/clearos-client, it seems that the web interface is entering the IP address in the name...

    client 10.195.198.3 {
    secret = wifi5630
    shortname = AP
    }

    Even when I change the file to this:

    client AP {
    ipaddr = 10.195.198.3
    secret = wifi5630
    }

    I still got:


    Mon May 2 22:38:29 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:38:29 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:38:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:38:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server <default>
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server default
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server clearos-inner-tunnel
    Mon May 2 22:38:29 2016 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server inner-tunnel
    Mon May 2 22:38:30 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:38:30 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Opening additional connection (0)
    Mon May 2 22:38:30 2016 : Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
    Mon May 2 22:38:30 2016 : Error: rlm_ldap (ldap): Opening connection failed (0)
    Mon May 2 22:38:30 2016 : Error: /etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"


    Thanks
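
A severity triage of the radius.log output quoted in the post above, separating the lines that abort startup from the warnings around them. This is an added example, not part of the original post; the function names are assumptions, and the sample is a subset of lines copied from the second log in the post.

```shell
#!/bin/sh
# Added example (not from the post): triage a FreeRADIUS radius.log by severity.

# Distinct messages at one severity (Error, Warning or Info), timestamps stripped.
messages_at() { # $1 = severity, $2 = log file
    sed -n "s/^.* : $1: //p" "$2" | sort -u
}

# Module named in 'Instantiation failed for module "..."' error lines.
failing_module() { # $1 = log file
    sed -n 's/^.* : Error: .*Instantiation failed for module "\([^"]*\)".*/\1/p' "$1" | sort -u
}

# One-line verdict: which module failed to load, next to the count of distinct warnings.
verdict() { # $1 = log file
    mod=$(failing_module "$1")
    warn=$(messages_at Warning "$1" | wc -l | tr -d ' ')
    if [ -n "$mod" ]; then echo "blocked by module: $mod ($warn distinct warnings, none fatal)"
    else echo "no module instantiation failure ($warn distinct warnings)"; fi
}

# Sample: lines copied from the log posted after the client block was rewritten.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mon May 2 22:38:29 2016 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Opening additional connection (0)
Mon May 2 22:38:30 2016 : Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
Mon May 2 22:38:30 2016 : Error: rlm_ldap (ldap): Opening connection failed (0)
Mon May 2 22:38:30 2016 : Error: /etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"
EOF
verdict "$sample"
messages_at Error "$sample"
```

On these lines the only failed instantiation is the `ldap` module, preceded by its bind error, so the LDAP bind credentials are the place to look first.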

  • Faucon
    Faucon replied to a discussion, Radius server not starting

    Thanks for the update. I was waiting for the fix before trying to install my cisco ap.

  • [root@pingouin Torrent]# cat /etc/clearos-release
    ClearOS release 7.1.0 (Final)


    Well.... don't need to re-install then !

    Thanks for the tips !

  • repo id repo name status
    clearos/7 ClearOS 7 - x86_64 - OS enabled: 712
    clearos-centos/7/x86_64 CentOS-7 - Base enabled: 8,574+78
    clearos-centos-extras/7/x86_64 CentOS-7 - Extras enabled: 214
    clearos-centos-fasttrack/7/x86_64 CentOS-7 - fasttrack enabled: 109
    clearos-centos-updates/7/x86_64 CentOS-7 - Updates enabled: 1,395+108
    clearos-centosplus/7/x86_64 CentOS-7 - Plus enabled: 63
    clearos-contribs/7 ClearOS 7 - x86_64 - Contribs enabled: 58
    clearos-contribs-testing/7 ClearOS 7 - x86_64 - Contribs (Testing) enabled: 14
    clearos-developer/7/x86_64 ClearOS Developer 7 - x86_64 - Developer Tools enabled: 2
    clearos-epel/7/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 enabled: 8,569+31
    clearos-epel-testing/7/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 disabled
    clearos-fast-updates/7/x86_64 ClearOS 7 - x86_64 - Fast Updates enabled: 4
    clearos-infra/7 ClearOS 7 - x86_64 - Infrastructure enabled: 17
    clearos-infra-testing/7 ClearOS 7 - x86_64 - Infrastructure (Testing) enabled: 0
    clearos-updates/7 ClearOS 7 - x86_64 - Updates enabled: 375
    clearos-updates-testing/7 ClearOS 7 - x86_64 - Updates (Testing) disabled
    clearos-zfs/7/x86_64 ZFS on Linux for EL7 disabled
    clearos-zfs-testing/7/x86_64 ZFS on Linux for EL7 - Testing disabled
    private-clearcenter-dyndns ClearCenter Dynamic DNS enabled: 2
    repolist: 20,108


    Maybe I'm already on 7.1 Final? But I know I did install RC1 a few weeks ago.