diff --git a/roles/srv_prepare/defaults/main.yml b/roles/srv_prepare/defaults/main.yml
index 39a588c..8eabf15 100644
--- a/roles/srv_prepare/defaults/main.yml
+++ b/roles/srv_prepare/defaults/main.yml
@@ -41,8 +41,13 @@ srv_prepare_apps_list_alpine:
   - openssl
   - ca-certificates
 
-# Default sysctl settings
+# Default sysctl settings — TCP performance + conntrack capacity for VPN workload.
+# Default Ubuntu values are dangerously low for a multi-thousand-connection VPN
+# box: nf_conntrack_max=8192 fills under load, packets get silently dropped,
+# and tcp_timeout_established=432000 (5d) holds VPN slots forever even after
+# clients disconnect. Cause of "TLS handshake fails from new source IP" symptom.
 srv_prepare_bbr_settings:
+  # BBR + buffers
   net.ipv4.tcp_congestion_control: bbr # Enable BBR
   net.core.default_qdisc: fq # Set default queue discipline to fq
   net.core.rmem_max: 67108864 # Maximum receive buffer size
@@ -50,6 +55,13 @@ srv_prepare_bbr_settings:
   net.ipv4.tcp_rmem: 4096 87380 67108864 # Minimum, default, and maximum receive buffer sizes
   net.ipv4.tcp_wmem: 4096 65536 67108864 # Minimum, default, and maximum send buffer sizes
   net.core.netdev_max_backlog: 250000 # Maximum number of packets queued on the input side
-  net.core.somaxconn: 65535 # Maximum number of connections that can be queued for acceptance
+  net.core.somaxconn: 65535 # Maximum connection backlog
   net.ipv4.tcp_tw_reuse: 1 # Allow reusing TIME-WAIT sockets for new connections
-  net.ipv4.tcp_fin_timeout: 15 # Reduce the time a socket stays in TIME-WAIT state
+  net.ipv4.tcp_fin_timeout: 15 # Reduce TIME-WAIT duration
+  # SYN backlog — protect bursty handshake bursts
+  net.ipv4.tcp_max_syn_backlog: 4096
+  # Conntrack capacity — VPN workload generates lots of short-lived flows
+  net.netfilter.nf_conntrack_max: 131072
+  net.netfilter.nf_conntrack_buckets: 131072
+  # Reduce VPN slot retention — 5 days default is too generous for short flows
+  net.netfilter.nf_conntrack_tcp_timeout_established: 3600
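Review bot: The new header comment asserts `nf_conntrack_max=8192` as the Ubuntu default, but the kernel derives nf_conntrack_max from RAM when the module loads (it is usually far higher than 8192 on a multi-GB host), so the figure looks host-specific or stale and a reader will calibrate against it. I'd replace it with a measured or hedged statement, e.g. `# nf_conntrack_max is RAM-derived at module load (often 65536) — check sysctl net.netfilter.nf_conntrack_max on the target before tuning`. The same comment names `tcp_timeout_established`, while the key actually set below is `net.netfilter.nf_conntrack_tcp_timeout_established`; using the exact key keeps the comment greppable.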
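Review bot: The three `net.netfilter.*` keys added at the end of the mapping only exist once the nf_conntrack module is loaded, so on a freshly provisioned host with no conntrack rule yet the sysctl task will fail with "No such file or directory", and after a reboot systemd-sysctl typically runs before the module loads, leaving these values silently at the kernel defaults the comment complains about. The role should pin the module first (an `/etc/modules-load.d/nf_conntrack.conf` containing `nf_conntrack`, applied before these sysctls) and, because `nf_conntrack_buckets` is read-only through sysctl on older kernels, set the hash size via `options nf_conntrack hashsize=131072` in modprobe.d as a fallback; I'd record that dependency above the keys: `# Requires nf_conntrack to be loaded first (modules-load.d); otherwise the sysctl fails and reverts at boot`. Separately, with a 3600 s established timeout an idle but still-live TCP VPN session loses its conntrack entry after an hour, and unless `nf_conntrack_tcp_loose` stays at its default of 1 (mid-stream pickup) or the firewall does not drop INVALID, that client's next packet is dropped — worth stating that assumption next to the value or pairing it with a VPN keepalive shorter than an hour.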