Can't break 15mbps OpenVPN throughput
-
Approx. 400 miles by road. Since the East Coast routing tables are all kinds of screwed over right now (thanks Comcast!) it might be going through anywhere from 10 to 17 hops depending on what BGP feels like doing this particular time of day.
How would the ISP realize whether or not I'm pushing multiple TCP connections over this VPN though if it's encrypted UDP?
-
Are you telling me that all your traffic is going out over this 1 udp vpn but that if you are doing 1 TCP downlaod with this vpn you are limited to 15 but when doing many tcp downloads over this same vpn you can hit 50?
-
Not exactly.
All traffic going over this VPN. I have 100mbit/s UPLOAD speed for my client. I have 100mbit/s download speed where the OpenVPN server is. Pushing FROM my client TO my server, I would expect 100mbit/s minus some overhead. I instead get 15mbit/s with one TCP stream or 50mbit/s with 8 TCP streams.
50 is acceptable, and looks like ISP shaping. 15 is not good or expected.
-
You didn't answer my essential question.
Are the TCP stream all inside the vpn when you test or are you testing without vpn?
If you are getting these results while everything is being tunneled on vpn, then your problem is latency. Latency will cause 1 single TCP stream to have limited available bandwidth.
This is the "long fat pipe" issue I mentioned earlier. The cure for this is to either break a single file into multiple tcp streams for transfere or to transfer many files at once to max out available bandwidth.
-
All TCP streams are inside the tunnel when testing.
Is there anything in the system tunables section or somewhere else that I can tweak to improve speeds? :(
Multiple transfers at the same time seems to be what I'll have to do, I guess.
-
I already told you what is limiting your bandwidth per TCP connection.
Same issue here at 8k miles from pfsense vpn, only alot worse.
-
Well alright then. I guess we'll chalk it up to TCP being TCP.
Thanks
-
TCP window size can be an issue, but most modern end-clients sort that out reasonably.
e.g. if you have 10ms latency (1/100th sec) then it always takes at least 10ms to receive an ACK back for a packet.
At 50Mbps the TCP connection needs to be willing to have at least 50,000,000/100 = 500,000bits of data unACKed, outstanding in the pipe - this is "TCP window size". Otherwise it wastes time sitting waiting for old ACKs before putting more data in the pipe.
If the latency is higher (e.g. 100ms) then you would need 5,000,000 bits window size…If you can run iperf (or similar) tests end-to-end through the pipe and adjust the window size used by iperf then you should be able to observe all that.
-
Interesting. Setting a very large window size (10Megabytes) yields 25 mbit/s….. What you say seems to be the case. :)
Anything PFSense side that should be modified?
-
Formula to Calculate TCP throughput
TCP-Window-Size-in-bits / Latency-in-seconds = Bits-per-second-throughput
So lets work through a simple example. I have a 1Gig Ethernet link from Chicago to New York with a round trip latency of 30 milliseconds. If I try to transfer a large file from a server in Chicago to a server in New York using FTP, what is the best throughput I can expect?
First lets convert the TCP window size from bytes to bits. In this case we are using the standard 64KB TCP window size of a Windows machine.
64KB = 65536 Bytes. 65536 * 8 = 524288 bits
Next, lets take the TCP window in bits and divide it by the round trip latency of our link in seconds. So if our latency is 30 milliseconds we will use 0.030 in our calculation.
524288 bits / 0.030 seconds = 17476266 bits per second throughput = 17.4 Mbps maximum possible throughput
So, although I may have a 1GE link between these Data Centers I should not expect any more than 17Mbps when transferring a file between two servers, given the TCP window size and latency.
What can you do to make it faster? Increase the TCP window size and/or reduce latency.
To increase the TCP window size you can make manual adjustments on each individual server to negotiate a larger window size. This leads to the obvious question: What size TCP window should you use? We can use the reverse of the calculation above to determine optimal TCP window size.
Link here:
http://bradhedlund.com/2008/12/19/how-to-calculate-tcp-throughput-for-long-distance-links/
-
;D
Kudos to you for the explanation! I appreciate it.
We'll consider this problem "explained"… perhaps not solved, but definitely understood better now.
Thank you both.
-
Interesting. Setting a very large window size (10Megabytes) yields 25 mbit/s….. What you say seems to be the case. :)
Anything PFSense side that should be modified?
TCP window size is an end-to-end client parameter of the TCP session they establish. Routers and firewalls… in the session path do not mess with that. So you need to make any settings at the client node on each end.
I remember messing with this many years ago to optimize single-session use of 4Mbps circuits many years ago! Now that people want 100Mbps transfer rates there are much larger TCP window sizes needed, but I thought that modern OS networking stacks were good at sorting this out automagically underneath. -
Assuming you own both the servers and clients, the link includes how to calculate best settings. However, you will be sacrificing performance for either the near connections or the far. Ehhhhhh… I just use a client that opens multiple simultaneously TCP links for a single file download to max out my available bandwidth.
Hope you can optimize you settings.
-
Is there a client or protocol that you'd recommend? Maybe good 'ole FTP over TLS or something… :)
-
Depends - Where are the files and how do you currently access them?
I keep files on a HTTP file server with a simple web interface. So, I can go there, a click download and via TCP it gets downloaded.
If on my firefox web browser I use a add-on, "downthemall" for instance, I can set it so that the file will be downloaded as 10 simultaneous segments.
Thats plenty to max my bandwidth here.
I used to manually take my files, whether it be 1 or 100 and rar them up into 30 or 40 smaller files, transfere those simultaneously and then un-rar them on the receiving end.
I'm sure there are other clients around to do the same things for you.
-
The primary files that I'm transferring are .mkv files and Acronis True Image backup files .tib
The .tib files are around 400GB and get pushed every 14 days.
The .mkv files are around 30GB or so and get accessed as needed.
Before I had a VPN setup, I was using FileZilla FTP over TLS to an older firewall with forwarded ports. Said firewall forwarded the ports to a 2012 R2 VM running an FTP site with IIS.
I suppose I could still do that if need be…