OpenVPN Speed problem on 1 Gbps link

khodorb

HI ,
I am using OpenVPN on Netgate SG-4860 on our datacenter and i do have a symmetric WAN link for 1 Gbps speed,
when on lan i can test that speed on speedtest, but when connected remotely via openvpn i can only get 50 to 60 Mbps on speedtest.
i was wondering what could be wrong on my setup and what parameters i can change under my settings to increase the speed for VPN users.
is there is a limit on bandwidth that we can control under openVPN

i am on pfsense 2.4.5 version and i tested that also on version pfsense+ 22.05

This is my current configuration , i have removed the tls and dns section for privacy

<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls_user</mode>
<authmode>Local Database</authmode>
<protocol>UDP4</protocol>
<dev_mode>tun</dev_mode>
<interface>wan</interface>
<ipaddr></ipaddr>
<local_port>1194</local_port>
<description><![CDATA[PAID OpenVPN server]]></description>
<custom_options></custom_options>
<tls></tls>
<tls_type>auth</tls_type>
<tlsauth_keydir>default</tlsauth_keydir>
<caref>59a47a78cfd5b</caref>
<crlref>59a47fec1401d</crlref>
<certref>59a5ca057de10</certref>
<dh_length>2048</dh_length>
<ecdh_curve>none</ecdh_curve>
<cert_depth>1</cert_depth>
<strictusercn>yes</strictusercn>
<crypto>AES-256-CBC</crypto>
<digest>SHA256</digest>
<engine>cryptodev</engine>
<tunnel_network>192.168.72.0/24</tunnel_network>
<tunnel_networkv6></tunnel_networkv6>
<remote_network></remote_network>
<remote_networkv6></remote_networkv6>
<gwredir>yes</gwredir>
<gwredir6></gwredir6>
<local_network></local_network>
<local_networkv6></local_networkv6>
<maxclients>100</maxclients>
<compression></compression>
<compression_push></compression_push>
<passtos></passtos>
<client2client>yes</client2client>
<dynamic_ip>yes</dynamic_ip>
<topology>subnet</topology>
<serverbridge_dhcp></serverbridge_dhcp>
<serverbridge_interface>none</serverbridge_interface>
<serverbridge_routegateway></serverbridge_routegateway>
<serverbridge_dhcp_start></serverbridge_dhcp_start>
<serverbridge_dhcp_end></serverbridge_dhcp_end>
<dns_domain>company.local</dns_domain>
<dns_server1></dns_server1>
<dns_server2></dns_server2>
<dns_server3></dns_server3>
<dns_server4></dns_server4>
<push_blockoutsidedns>yes</push_blockoutsidedns>
<username_as_common_name><![CDATA[enabled]]></username_as_common_name>
<exit_notify>none</exit_notify>
<sndrcvbuf></sndrcvbuf>
<push_register_dns>yes</push_register_dns>
<netbios_enable></netbios_enable>
<netbios_ntype>0</netbios_ntype>
<netbios_scope></netbios_scope>
<create_gw>both</create_gw>
<verbosity_level>4</verbosity_level>
<ncp-ciphers>AES-128-GCM,AES-256-CBC</ncp-ciphers>
<ncp_enable>enabled</ncp_enable>
<ping_method>keepalive</ping_method>
<keepalive_interval>10</keepalive_interval>
<keepalive_timeout>60</keepalive_timeout>
<ping_seconds>10</ping_seconds>
<ping_push></ping_push>
<ping_action>ping_restart</ping_action>
<ping_action_seconds>60</ping_action_seconds>
<ping_action_push></ping_action_push>
<inactive_seconds>60</inactive_seconds>
</openvpn-server>
</openvpn>

i have tested 2 netgate devices :
SG-4860 and 6100 MAx with 1Gbps Wan speed , on the lan network i can reach the same speed, but when using openvpn client connection, the speed test shows a result of 50 to 60 Mbps, i have in total 50 users using openvpn and i have tested the speed when no one else is connected

SteveITS

@khodorb 1 Gb is probably unrealistic but it should be higher than 50.

On the dashboard, under CPU Type, is one of the crypto options enabled?
https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#cryptographic-thermal-hardware

also see: https://docs.netgate.com/pfsense/en/latest/vpn/performance.html and subsection https://docs.netgate.com/pfsense/en/latest/vpn/performance.html#scaling-openvpn

Using a 128 bit cipher should speed things up.

khodorb

@steveits
This is what i have in place

And this is for openvpn settings , what do you recommend ?
any advice is highly appreciated

khodorb

@SteveITS

SteveITS

@khodorb Try changing "Cryptographic Hardware" to AES-NI. IIRC OpenVPN doesn't support QAT.

What is the CPU usage while transferring files?

Did you review https://docs.netgate.com/pfsense/en/latest/recipes/index.html#openvpn ?

You're also on a pretty old version, 2.4.5. You can upgrade to Plus though it might be a few steps to get there. Or you can back up, install 22.05, and restore.

re: Plus, also see:
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html

khodorb

@steveits
CPU Usage is normal between 5 to 20 %

i reviewed this doc but i haven't applied any changes beside enabling hardware crypto and set it to AES-NI + BSD Crypto
to be honest i am still getting the same speed whern doing a speedtest,
would you be able to find any misconfiguration in my settings above,

i am planning to upgrade soon and hope that helps too

SteveITS

@khodorb When you say 1 Gbps WAN, is that symmetrical? Both up and down? The limit would be the slowest speed at either end of the VPN.

khodorb

@steveits yeah it is symmetric , i have tested that on the lan network,

also i have tested that on 3 end users :

User 1 had 500Mb downlad and 30upload

he conducted 2 tests while connected to VPN : first test on wifi home modem he got 29/17
second test using lan connection on him home modem he got 80/20

second users was testing VPN on lan , he got 60/20

Jarhead

@khodorb You only mention the 1G on your side.
What connection speed do they have at home?

disregard, noticed the 500/30. Thought that was his test speeds.

khodorb

@jarhead
This is the speed test when i run it from the datacentre on lan where the pfsense is installed

this is the test speed from my home internet using the lan connection to the modem

this is the VPN speed test while connected to pfsense using lan connection in my home modem

spyder0552

Hate to say it..you will most likely not get much faster.
I posted my test results a year or so ago here where I was testing openVPN in lab where my computer was on the WAN interface in the lab with full 1Gb.
I could never get it above 30-50Mb. Even had Netgate support go through the config.
This was also running Pfsense on a Dell R610 with 144Gb ram.

Pfsense is just slow.

Actually doing another lab test this week to use Wireguard instead. If you figure out the issue with OpenVpn let me know as I am curious. I think it is also just Windows enviroments.

khodorb

@spyder0552

Thanks, I will be going through some debugging and might go for a new netgate appliance 6100 Max with new pfsense+ version, i will update the thread once i have some updates