Skip to content

srv_prepare: bump conntrack + SYN backlog for VPN workload #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
findias merged 1 commit into from
May 7, 2026
Merged

srv_prepare: bump conntrack + SYN backlog for VPN workload #41

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 15 additions & 3 deletions roles/srv_prepare/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,27 @@ srv_prepare_apps_list_alpine:
- openssl
- ca-certificates

# Default sysctl settings
# Default sysctl settings — TCP performance + conntrack capacity for VPN workload.
# Default Ubuntu values are dangerously low for a multi-thousand-connection VPN
# box: nf_conntrack_max=8192 fills under load, packets get silently dropped,
# and tcp_timeout_established=432000 (5d) holds VPN slots forever even after
# clients disconnect. Cause of "TLS handshake fails from new source IP" symptom.
srv_prepare_bbr_settings:
# BBR + buffers
net.ipv4.tcp_congestion_control: bbr # Enable BBR
net.core.default_qdisc: fq # Set default queue discipline to fq
net.core.rmem_max: 67108864 # Maximum receive buffer size
net.core.wmem_max: 67108864 # Maximum send buffer size
net.ipv4.tcp_rmem: 4096 87380 67108864 # Minimum, default, and maximum receive buffer sizes
net.ipv4.tcp_wmem: 4096 65536 67108864 # Minimum, default, and maximum send buffer sizes
net.core.netdev_max_backlog: 250000 # Maximum number of packets queued on the input side
net.core.somaxconn: 65535 # Maximum number of connections that can be queued for acceptance
net.core.somaxconn: 65535 # Maximum connection backlog
net.ipv4.tcp_tw_reuse: 1 # Allow reusing TIME-WAIT sockets for new connections
net.ipv4.tcp_fin_timeout: 15 # Reduce the time a socket stays in TIME-WAIT state
net.ipv4.tcp_fin_timeout: 15 # Reduce TIME-WAIT duration
# SYN backlog — protect bursty handshake bursts
net.ipv4.tcp_max_syn_backlog: 4096
# Conntrack capacity — VPN workload generates lots of short-lived flows
net.netfilter.nf_conntrack_max: 131072
net.netfilter.nf_conntrack_buckets: 131072
# Reduce VPN slot retention — 5 days default is too generous for short flows
net.netfilter.nf_conntrack_tcp_timeout_established: 3600
Loading