From 25f191677e06bd1c22e678f97f797189ce8b9ff2 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Fri, 18 Nov 2022 16:09:17 -0500
Subject: [PATCH] openvpn: increase conntrack values to better serve vpn gws

The default nf_conntrack values were too small for heavier gateway use. This
increases these values according to the recommended methodology.
---
 config/roles/openvpn/defaults/main.yml |  1 +
 config/roles/openvpn/tasks/openvpn.yml | 29 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 config/roles/openvpn/defaults/main.yml

diff --git a/config/roles/openvpn/defaults/main.yml b/config/roles/openvpn/defaults/main.yml
new file mode 100644
index 00000000..83730011
--- /dev/null
+++ b/config/roles/openvpn/defaults/main.yml
@@ -0,0 +1 @@
+nf_conntrack_max: 262144
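Review bot: `nf_conntrack_max` is declared as a role default here but no task in this patch reads it — the hunk in config/roles/openvpn/tasks/openvpn.yml sets the bucket count and two TCP timeouts yet never writes `net.netfilter.nf_conntrack_max`, so unless a task outside this diff applies it, the table size stays at the kernel default and the new default is dead configuration. The bucket count there is also hard-coded to `65536` rather than derived from this variable, so overriding the default on a larger gateway silently breaks the 4:1 max-to-buckets ratio the description appears to rely on. I would add a sysctl task for `nf_conntrack_max` next to the buckets task and compute the buckets value from the variable, as below.
```yaml
# Apply the role default so the conntrack table size is actually set
- sysctl:
    name: net.netfilter.nf_conntrack_max
    value: "{{ nf_conntrack_max }}"
    sysctl_set: true

# Keep the bucket count tied to the table size (max / 4)
- sysctl:
    name: net.netfilter.nf_conntrack_buckets
    value: "{{ nf_conntrack_max // 4 }}"
    sysctl_set: true
```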
diff --git a/config/roles/openvpn/tasks/openvpn.yml b/config/roles/openvpn/tasks/openvpn.yml
index 605f4282..7269689e 100644
--- a/config/roles/openvpn/tasks/openvpn.yml
+++ b/config/roles/openvpn/tasks/openvpn.yml
@@ -11,6 +11,17 @@
     dest: "/etc/firewall/filter.d/50openvpn"
   notify: "reload firewall"
 
+# Ensure the conntrack module is loaded before systemd-sysctl tries to set parameters
+# Without this, systemd-sysctl will try to load on boot conntrack settings before the module
+# is loaded, and fail to adjust them.
+- name: Set conntrack to load before systemd-sysctl does its operations
+  copy:
+    dest: '/etc/modules-load.d/conntrack.conf'
+    content: |
+      # in order for sysctl to adjust some nf_conntrack settings shortly after boot
+      # we load the module early
+      nf_conntrack
+
 # Set ip forwarding necessary for openvpn ipv4
 - sysctl:
     name: net.ipv4.ip_forward
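Review bot: The copy task only arranges for nf_conntrack to be loaded on the next boot; nothing in this play loads it now, and the `net.netfilter.nf_conntrack_*` sysctl keys set further down this file do not exist until the module is resident, so a first run on a host where the firewall rules have not yet pulled the module in (the firewall reload is a handler and runs at the end of the play) would presumably fail at those sysctl tasks. A modprobe task directly after this one closes that gap: `- modprobe:` / `    name: nf_conntrack` / `    state: present`. Minor style point: `dest` is single-quoted here while the surrounding tasks use double quotes (`dest: "/etc/firewall/filter.d/50openvpn"` at the top of the hunk); pick one for the file.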
@@ -46,6 +57,24 @@
     - net.core.wmem_max
     - net.core.wmem_default
 
+# Increase the conntrack buckets
+- sysctl:
+    name: net.netfilter.nf_conntrack_buckets
+    value: '65536'
+    sysctl_set: yes
+
+# Increase conntrack established timeouts
+- sysctl:
+    name: net.netfilter.nf_conntrack_tcp_timeout_established
+    value: '172800'
+    sysctl_set: yes
+
+# Decreate conntrack time_wait
+- sysctl:
+    name: net.netfilter.nf_conntrack_tcp_timeout_time_wait
+    value: '60'
+    sysctl_set: yes
+
 - name: Install firewall nat config for vpnweb
   template:
     src: "50openvpn_nat.firewall.j2"
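Review bot: The comment `# Increase conntrack established timeouts` misdescribes the change: on the kernels I am aware of the default for `nf_conntrack_tcp_timeout_established` is 432000 s (5 days), so `172800` shortens it — the right direction for a gateway whose table is now capped, since dead flows age out sooner — and the comment should say so, e.g. `# Lower the established timeout to 2 days so stale flows age out of the table`; the typo `# Decreate conntrack time_wait` below it should read `# Decrease`. All three new tasks use `sysctl_set: yes`; `yes` is a YAML 1.1 truthy that yamllint flags, so prefer `sysctl_set: true`. It is also worth confirming that `net.netfilter.nf_conntrack_buckets` is writable through sysctl on the target kernel: on older kernels this key is read-only and the hash size is set through the module parameter instead, in which case the buckets task fails the play rather than being silently ignored.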
-- 
GitLab