Netgate Discussion Forum

    OpenVPN TCP port 443 bad performance

      Krome

      Hello everyone!

      I would like to open a topic because I have not solved my problems with pfSense OpenVPN.
      Let me explain: I use OpenVPN to connect to the remote pfSense via TCP port 443, usually reserved for HTTPS, in order to bypass firewalls (including public Wi-Fi, schools, etc.).

      Until now, I used a virtual machine running Debian on a server at OVH, with openvpn-server.
      I could get rather comfortable rates (20 to 30 Mb/s on a speedtest), which is completely fair for a 30 Mb/s fiber link.

      I wanted to do this with a pfSense VPN, with basically the same configuration (TCP 443), by virtualizing pfSense on the same OVH machine (you follow?) as my previous Debian.

      But then, passing through pfSense, I get a rate far lower than previously: 1.7 Mb/s maximum.
      I tried lots of different configurations, including activating fast IP forwarding, etc. … but in vain.

      So I'm asking you: what could cause such a drop in rate? If I reconnect to my virtual Debian, I get a good rate again.
      Proxmox Virtual Environment is running the latest version.

      Thank you in advance for your answers! :)

        Krome

        50 views and no reply?

          kejianshi

          Is your pfsense web gui also on port 443?  Same port as your VPN?
          Also, in all cases, UDP is faster IF it works.

          Plus, we don't know what packages you are running.

            Krome

            Hi,

            Thanks for your answer!
            The web gui runs on port 80.
            The only package I've added is OpenVPN client export utility.

              kejianshi

              Try it on UDP unless you don't like UDP.

              I'm not sure what is causing this with your setup.  I don't get bad results here.

                doktornotor Banned

                Pretty much convinced it's related to the virtualization.

                  kejianshi

                  Yeah - I also have that strong inclination to believe it's a virtualization issue.  However, I'm not sure what kind. My VMs also behave a lot better than that.  Maybe he gave it not nearly enough memory and it's using swap for RAM.  I don't know.  I've never had one misbehave that way.

                    Krome

                    @kejianshi:

                    Try it on UDP unless you don't like UDP.

                    I'm not sure what is causing this with your setup.  I don't get bad results here.

                    I need to use TCP in order to bypass some firewalls. :)

                    @kejianshi:

                    Yeah - I also have that strong inclination to believe it's a virtualization issue.  However, I'm not sure what kind. My VMs also behave a lot better than that.  Maybe he gave it not nearly enough memory and it's using swap for RAM.  I don't know.  I've never had one misbehave that way.

                    I gave 8 vCPUs and 4Gb of RAM to pfSense, but same result :(

                      Krome

                      I've also tried with VirtIO drivers in pfSense, but there is no improvement.

                        jimp Rebel Alliance Developer Netgate

                        @Krome:

                        50 views and no reply?

                        50 google/yahoo/bing bots hit the thread and you wonder why they don't respond? :-)
                        Not all views are human, and if someone can't help, they wouldn't reply. You can't judge anything by thread views.

                        VPN performance on TCP is going to be bad if there is any notable loss along the way. Any loss will be compounded because TCP connections will retransmit to ensure data gets to the other side. So if the tunnel loses a packet, it will retransmit, meanwhile the client inside the tunnel also lost a packet and will retransmit, and then the retransmits of the client get retransmitted by the tunnel, etc, etc.

                        Until you try it on UDP to eliminate that as a potential cause, the rest is pure speculation though.

                        There isn't any general issue with OpenVPN and virtualization, but encryption tends to be CPU-bound so if there isn't much CPU to spare, it could be slow.

                        What does "top -aSH" show at the shell while doing a performance test? It would help narrow down where the bottleneck is, if it's CPU/resource-related.

                          Krome

                          Hi,
                          Thank you for your answer.

                          A top -aSH during a performance test shows this output :

                          last pid: 52778;  load averages:  0.16,  0.08,  0.02                                                                                                                                up 0+03:43:44  14:43:22
                          127 processes: 9 running, 90 sleeping, 28 waiting
                          CPU:  0.0% user,  0.0% nice,  0.7% system,  0.4% interrupt, 98.8% idle
                          Mem: 57M Active, 15M Inact, 105M Wired, 364K Cache, 98M Buf, 1814M Free
                          Swap: 4096M Total, 4096M Free

                          Seems it's not CPU/resources related :(

                            doktornotor Banned

                            I've seen this kind of setup traffic-shaped with a 3G ISP… Not kidding. Almost unusable.

                              Krome

                              In my case I'm using this setup behind a fiber connection  ;)

                                Krome

                                Disabling tcp.inflight mode has strongly increased performance on TCP 443.
                                Now, I'm getting around 80 Mb/s via the tunnel.
                                The pfSense is behind a 1 Gb/s connection to the Internet, and at home I've got a fiber connection with ~200 Mb/s download. Are there some tunables to increase the bandwidth again?

                                Thanks  :)
                                Alex

                                  Guldil

                                  OK, I confirm the workaround.

                                  For an OpenVPN on TCP 443 on pfSense 2.1.3, I have to disable TCP Inflight Mode.

                                  If not, I have only 1.3 Mbit; without it, I have 12 Mbit!
