
Saturday, July 6, 2013

Improving OpenVPN throughput

I recently faced an unusual problem (for me): an OpenVPN connection going via TCP over a fast network, which had transfer speeds of less than 2KB/s. Although I tested some other options (compression on/off, UDP, etc.), none of them proved significantly faster. Moreover, I was hoping to fix the problem with as few changes to clients as possible.
Some time ago, I read about optimizing OpenVPN over Gbit networks. That post covers optimizations related to CPU bottlenecks (hardware SSL support, different ciphers, etc.). This was certainly not the case for me, since the boxes linked via OpenVPN were mostly idle. However, that post has a very brief and accurate explanation of how OpenVPN works, i.e. the data flow between source and destination.
So based on that post, I decided to try mssfix 0 (i.e. disable OpenVPN packet fragmenting and let the kernel/driver do that) and to increase the tun-mtu parameter to help test speed improvements. I increased it to 32000 and I got about 150KB/s speed, then to 48000 and I got about 250KB/s, then to 60000 and I got 300KB/s. I thought "what if ...?" and I raised it to 65500. Amazingly, I got average speeds of 1.25MB/s with top speeds above 2.5MB/s.
That was cool, but had one downside: the VPN connection became unstable, with the tun0 device disappearing from the server (probably because the process that managed it crashed).
Reading further in the OpenVPN man page and other posts, I decided that I should try to use OpenVPN's mssfix feature. Default value is 1500, but OpenVPN automatically reduces that in order to allow for the SSL data overhead. I decided to be on the safe side and use mssfix 1440. Heuristically, I thought I should use a tun-mtu that is a multiple of that (to help split the data into even, fully-filled packets). So I used tun-mtu 64800. With these two settings on, the server proved stable and average transfer speeds went to about 850KB/s (good enough for my needs).
I should note that these transfer speeds were obtained by applying the same settings:
    tun-mtu 64800
    mssfix 1440
in the client config. If no changes are applied to the client configs, the transfer speed will still be unacceptably low, but still higher than before (about 5KB/s).

Tuesday, July 6, 2010

Working out OpenVPN with Network Manager in Lucid Lynx

For two years now, I've used OpenVPN to connect to a server where I upload some of the stuff I work on. Until now I always started OpenVPN from the terminal, because I didn't manage to get it working from the Network Manager in the last 4 Ubuntu versions.
Last weekend, I had some spare time and I installed Lucid Lynx on my laptop. I tried (again) to get OpenVPN working with Network Manager. As usual, it failed, although I was pretty sure everything I did was correct.
So I decided to import my existing openvpn configuration file and export it back to see if there's something different. After doing this, I noticed a few differences, but most of them were just due to syntax. However, two lines looked more interesting:

    user openvpn
    group openvpn
I've checked and saw that with these lines in the configuration file, the openvpn connection failed to start even from the terminal. Therefore, I did the following:
  1. create the openvpn group as a system group using

    groupadd -r openvpn
  2. assign the openvpn group to the directory (and files) that holds my openvpn key and certificates (mine and server's):

    chgrp -R openvpn openvpn_folder
  3. assign group read permissions to the openvpn settings directory and remove permissions for others:

    chmod g+r,o-rwx openvpn_folder
After these steps, the OpenVPN connection started from the Network Manager without problems (note that it's recommended to route only traffic for that network through that connection).
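
A way to check the result of the three steps above, as an added example that is not part of the original post: the function names and the "problem path" output format are made up here, and the directory and group are passed in as arguments. It walks the whole tree, so it also reports files that are still open to others when the chmod in step 3 is applied to the directory only.

```shell
#!/bin/sh
# Added example: audit an OpenVPN key directory against the steps above.
# Function names and the "<problem> <path>" output format are made up here.

# Print one finding per line; print nothing when the tree is clean.
vpn_dir_findings() {
    dir=$1
    grp=$2
    # Step 2: every entry should belong to the expected group.
    find "$dir" ! -group "$grp" -exec printf 'wrong-group %s\n' {} \;
    # Step 3: every entry should be group-readable ...
    find "$dir" ! -perm -040 -exec printf 'not-group-readable %s\n' {} \;
    # ... directories also need the group search (x) bit to be entered ...
    find "$dir" -type d ! -perm -010 \
        -exec printf 'dir-not-group-searchable %s\n' {} \;
    # ... and "others" should have no r, w or x bit (symlinks are skipped).
    find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'open-to-others %s\n' {} \;
}

# Return 0 when clean, 1 when there are findings, 2 on bad usage.
audit_vpn_dir() {
    if [ $# -ne 2 ] || [ ! -d "$1" ]; then
        echo "usage: audit_vpn_dir DIR GROUP" >&2
        return 2
    fi
    # Step 1: find exits non-zero when GROUP is not a known group.
    if ! find "$1" -prune -group "$2" >/dev/null 2>&1; then
        echo "no-such-group $2"
        return 1
    fi
    findings=$(vpn_dir_findings "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Call it as `audit_vpn_dir openvpn_folder openvpn`; an exit status of 0 with no output means the group ownership and permissions match the steps.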