Netgate Discussion Forum

    OPENVPN and IPERF not working

    • KOM

      Hmmm, very strange. Are you running any packages that might interfere with local traffic, like pfBlocker, Snort, Suricata...?

      • Pippin

        On client side, add to OpenVPN config:
        mssfix 1400
        and try iperf again.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        • KOM

          Try @Pippin's suggestion. In the meantime, I did some reading and there are numerous reports of problems with iperf and NAT. One guy said you need to run it with -d (iperf2) or -R (iperf3) when in a NAT situation. Another said that iperf requires static source ports, and pfSense scrambles them (dynamic), so you might have to create an outbound NAT rule for just that connection and make it static port.

          • techjunky

            Rebooted the pfSense box and now it's working! No idea...

            [img]https://i.postimg.cc/DwGWbjdt/iperf-vpn.png[/img]

            • Pippin

              The -R option swaps the client and server roles.

              • techjunky

                So now that I am successful in testing the connection, it's reporting under 1Mbps.... Pretty useless for a VPN IMO other than some basic web-based administration and/or RDP.

                • KOM

                  Ha, this is the second time tonight that a problem I was helping to debug fixed itself with a reboot.

                  There must be something else going on. I use pfSense OpenVPN from home (150/15) and it's quite fast.

                  • Pippin

                    Does your client CPU support AES-NI?
                    What is the path from client to WAN of pfS?

                    Also add
                    -P 4
                    to iperf.

                    • techjunky

                      I have a SG-3100 made by netgate. I would assume it supports AES-NI hardware based.. I can look into that.

                      Ping is 20ms from client endpoint to pfSense SG-3100. I have a home-built pfSense at home for my own VPN and it rocks, but I know I am utilizing hardware AES and I also have a 50mb upload at home. 5 times faster than the office upload.

                      • KOM

                        I have to go, but if none of the supplied command-line switches work, then my money is on the static source port requirement.

                        https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html

                        Good luck!

                        • techjunky

                          Enabled AES-NI CPU on the Netgate 3100 and now I am getting 10Mbit compared to 6Mbit. So it did help a little.

                          Thanks for the assistance. Looks like a reboot and enabling hardware accel is the best I can get... I wonder if it has anything to do with the pfSense location's internet using async DSL.

                          • Derelict LAYER 8 Netgate

                            @techjunky said in OPENVPN and IPERF not working:

                            Enabled AES-NI CPU on the Netgate 3100 and now I am getting 10Mbit compared to 6Mbit. So it did help a little.

                            That is interesting since, as the SG-3100 is an ARM device, it does not have AES-NI.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.