
Unbound Tuning for gaming

line 83: IPV6 section is # edns-buffer-size: 1232

line 119: which is part of ipv4 is edns-buffer-size: 1472

Router mtu is 1500
Perhaps running two instances of Unbound (one for ipv4 and one for ipv6) would push the optimizations to maximum, might achieve even higher hit rate this way.

Edit: I consulted this with AI, it obviously agrees that running two instances will be better.
Judgement day ain't happening anytime soon.
 
This is the same member whose superior Skynet blocklist blocked Ookla speedtest servers.
Once again, onto my ignore list 🤬
 
Still going? This is the longest useless thread I've seen on SNB Forums.
I think there's actually a bunch more settings we still need to cover. Can't wait!
 
Anything under 1400 stops OpenVPN bind from working; I tried 1368 and it just messes with everything and does not connect.
edns-buffer-size: 1232 is used for ipv6 encapsulation
 
Better option?
push "redirect-gateway def1" - Redirects all to Unbound
push "dhcp-option DNS 10.100.0.2"

Vs

pull-filter ignore "dhcp-option DNS" - could bypass and cause leaks

push "redirect-gateway def1"
push "dhcp-option DNS 10.100.0.2" - Best way to do this to block pushed VPN DNS

In the OpenVPN config file
 
I bet @Tech9 can probably recommend some better options! :p
 
Just trying to block pushed DNS in NordVPN.
Instead of going through all that trouble, you could simply do this... which I mentioned a few pages back?

[attached screenshot]
 
Did that and the log still said it was pushed.
The log may say that because the VPN provider tried to push it, but your router would have rejected that and done its own thing based on your own DNS Director settings.
 
log shows: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.100.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.100.0.2 255.255.0.0,cipher AES-256-GCM'
 
what OpenVPN custom config looks like:

remote-random
nobind
tls-version-min 1.2
tls-version-max 1.3
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
data-ciphers AES-256-GCM
ping 60
ping-restart 180
ping-timer-rem
verify-x509-name CN=ca1507.nordvpn.com
persist-key
persist-tun
max-clients 100
reneg-sec 3600
pull
fast-io
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
push "redirect-gateway def1"
push "dhcp-option DNS 10.100.0.2"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

#log /tmp/vpn.log
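Added example (not code from the thread, OpenVPN or NordVPN): a Python check that parses the PUSH_REPLY line quoted above, applies the client's pull-filter rules with OpenVPN's first-match semantics (no match means accept), and reports any pushed DNS server other than the local resolver, assumed here to be the 10.100.0.2 address used in the configs above. The log records the reply as received, so the filter rules, not the log line, decide whether the provider's DNS is applied.

```python
import re

# Constructed sample input: the PUSH_REPLY line quoted in the thread, as logged by the client.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,"
              "dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,"
              "route-gateway 10.100.0.1,topology subnet,ping 60,ping-restart 180,"
              "ifconfig 10.100.0.2 255.255.0.0,cipher AES-256-GCM")

# Constructed sample: the pull-filter lines from the custom config above (none of them touches DNS).
CLIENT_CONFIG = """\
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
"""

PULL_FILTER_RE = re.compile(r'^\s*pull-filter\s+(accept|ignore|reject)\s+"?([^"\n]+?)"?\s*$', re.M)

def parse_push_reply(line):
    """Split a logged PUSH_REPLY message into its individual pushed options."""
    parts = line.strip().strip("'\"").split(",")
    if parts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY line")
    return [p for p in parts[1:] if p]

def parse_pull_filters(config):
    """Collect (action, prefix) pull-filter rules from a client config, in file order."""
    return [(m.group(1), m.group(2)) for m in PULL_FILTER_RE.finditer(config)]

def apply_pull_filters(options, rules):
    """First rule whose prefix matches wins; no match accepts; a 'reject' match aborts the connection."""
    kept = []
    for opt in options:
        action = next((act for act, prefix in rules if opt.startswith(prefix)), "accept")
        if action == "reject":
            raise RuntimeError(f"server pushed a rejected option: {opt}")
        if action == "accept":
            kept.append(opt)
    return kept

def pushed_dns_servers(options):
    """IPv4 resolvers carried in surviving 'dhcp-option DNS <ip>' options."""
    return [opt.split()[2] for opt in options if opt.startswith("dhcp-option DNS ")]

def dns_leak_check(push_line, config, local_resolver="10.100.0.2"):
    """Pushed DNS servers that survive the filters and are not the local Unbound address."""
    surviving = apply_pull_filters(parse_push_reply(push_line), parse_pull_filters(config))
    return [ip for ip in pushed_dns_servers(surviving) if ip != local_resolver]

if __name__ == "__main__":
    print("leaked with the config above:", dns_leak_check(PUSH_REPLY, CLIENT_CONFIG))
```

Appending `pull-filter ignore "dhcp-option DNS"` to the config makes the check return an empty list, while the PUSH_REPLY line in the log stays exactly the same.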
 
Yes. Go on a vacation and leave DNS alone. This is what I'm doing now and can recommend it. Much better option. 🌴
remote-random
nobind
tls-version-min 1.2
tls-version-max 1.3
initiate-vacation
relax-mode max
wine-and-beer true
feet-position up

These will really screw up your DNS. Your family will most certainly make you take a vacation if you add these to your Unbound settings.
 
Got lucky. I use remote-own and there was an H2O DDoS attack a few times in the area, potentially requiring feet-position up. 🌧️
 
Best way to make VPN work with hardened settings:

# threads and cache slabs (slab count matches thread count)
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 16m
msg-cache-size: 16m
rrset-cache-size: 32m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 16m
http-response-buffer-size: 16m
stream-wait-size: 16m
quic-size: 16m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 3600 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from u>
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 5000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1400 # v1.01 as per @dave14305 minimal config
max-udp-size: 1400 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 3
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 60
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 468
pad-queries: yes
pad-queries-block-size: 468
val-bogus-ttl: 60
wait-limit-cookie: 10000
wait-limit: 1000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 120000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 16m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 60
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
cookie-secret: "5c94fd9dc2d2afc8b553d8c6bcb90b56"
ip-ratelimit-cookie: 50000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 3600
outbound-msg-retry: 5
serve-original-ttl: yes
max-sent-count: 32
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: no
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: yes
harden-unverified-glue: yes
hide-http-user-agent: no

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
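Added example, not from the thread or from Unbound (which ships its own unbound-checkconf): a Python lint over a constructed excerpt of the config above that flags repeated options and checks edns-buffer-size and max-udp-size against the packet sizes discussed earlier in the thread, 1472 bytes for IPv4 at a 1500 MTU and 1232 bytes for the IPv6 minimum MTU of 1280. It assumes the standard 20/40-byte IP and 8-byte UDP headers, and reads the last value of any repeated option.

```python
from collections import Counter

# Constructed excerpt of the hardened config above: only the options these checks look at.
UNBOUND_EXCERPT = """\
num-threads: 4
msg-cache-slabs: 4
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 3600 # v1.08 Martineau
edns-buffer-size: 1400 # v1.01 as per @dave14305 minimal config
max-udp-size: 1400
max-sent-count: 32
max-sent-count: 32
"""

IPV6_MIN_MTU = 1280  # RFC 8200 minimum link MTU, the basis for the 1232-byte figure in the thread

def parse_unbound(text):
    """Return (option, value) pairs in file order with comments stripped; repeats are kept."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs

def udp_payload_limit(mtu, ipv6=False):
    """Largest DNS-over-UDP payload that fits one packet: MTU minus IP header (20 or 40) minus 8-byte UDP header."""
    return mtu - (40 if ipv6 else 20) - 8

def lint(pairs, mtu=1500):
    """Flag repeated options, a TTL floor above the ceiling, and EDNS sizes that will fragment."""
    findings = [f"repeated option: {k}" for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    cfg = dict(pairs)  # the checker reads the last value of a repeated option
    num = lambda k: int(cfg[k]) if k in cfg else None
    if num("cache-min-ttl") and num("cache-max-ttl") and num("cache-min-ttl") > num("cache-max-ttl"):
        findings.append("cache-min-ttl is larger than cache-max-ttl")
    for key in ("edns-buffer-size", "max-udp-size"):
        v = num(key)
        if v is None:
            continue
        if v > udp_payload_limit(mtu):
            findings.append(f"{key} {v} exceeds the IPv4 payload limit {udp_payload_limit(mtu)} at MTU {mtu}")
        if v > udp_payload_limit(IPV6_MIN_MTU, ipv6=True):
            findings.append(f"{key} {v} exceeds the IPv6 minimum-MTU payload limit {udp_payload_limit(IPV6_MIN_MTU, ipv6=True)}")
    return findings

if __name__ == "__main__":
    print(*lint(parse_unbound(UNBOUND_EXCERPT)), sep="\n")
```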
 