网络工程 - 调整 Sophos Firewall SSL VPN 配置以实现高吞吐量和低延迟 - 吾爱随笔录

Sophos Firewall XG 连接到 OpenVPN 2.3.8 ( i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017)

client
dev tun
proto tcp
verify-x509-name "OU=Domain Control Validated, CN=*.domain.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
Bag Attributes: <No Attributes>
subject=/C=BE/O=GlobalSign nv-sa/CN=XXXSSL CA - SHA256 - G2
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass pass.txt
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 86400

remote xxx.xx.xxx.xx 8443
remote xxx.xx.xxx.xx 8443
remote xxx.xx.xxx.xx 8443
remote xxx.xxx.xxx.xx 8443
remote xxx.xxx.xxx.xx 8443

所以通过添加下面的配置有什么不同吗

cipher none
#;cipher AES-128-CBC
ncp-disable
sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"
tun-mtu 8192
fragment 0
mssfix 0 #1360
txqueuelen 4000
remote-cert-tls server
auth-nocache
setenv opt block-outside-dns # Prevent Windows 10 DNS leak

检查 MTU

netsh int ipv4 show int

启用巨型帧

netsh interface ipv4 show subinterface
netsh interface ipv4 set subinterface “TheNameOfYourInterface” mtu=8192 store=persistent
Get-NetAdapterAdvancedProperty "TheNameOfYourInterface" -DisplayName "Jumbo*" | Set-NetAdapterAdvancedProperty -RegistryValue "8192"

验证

ping `-f -l 8192 [host IP]`