OpenVPN Slow - local network test

spyder0552

Thank you for trying to help btw.
Changed to use GCM and set the buffers on both sides...actually made it a little worse.

I am totally baffled by this. I know it can work and is not the network. Just something in OpenVpn is throttling it all down.

spyder0552

@Rico
Also, wondering if I need to set the tunnel size.
Pinging at 1500 shows fragmentation. Setting it to 1472 shows no frag. (hitting a box on the remote network of course).

What do you think?

johnpoz

I would take a look at this
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

spyder0552

@johnpoz
Thanks, I did read this but going to go over again to see if I missed something.
I know it talks about jumbo frames....will try that and let everyone know what i find.

Rico

Pls run those two via the command line or SSH and post the output here

openvpn --genkey --secret /tmp/secret
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm

-Rico

spyder0552

@Rico

[2.4.5-RELEASE][admin@pfSense.seradex.local]/root: openvpn --genkey --secret /tm p/secret
[2.4.5-RELEASE][admin@pfSense.seradex.local]/root: time openvpn --test-crypto -- secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
Fri Jun 19 14:47:16 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.007u 0.000s 0:10.00 100.0% 843+177k 0+0io 0pf+0w
[2.4.5-RELEASE][admin@pfSense.seradex.local]/root:

spyder0552

@spyder0552
Also just did a test one using UDP and setting the tunnel size to 9000....but still same results

Rico

Hmm with this output I'd expect more than ~165 Mbps but you will never get to 1 Gbps with this CPU and OpenVPN, not even close.
Run again your iperf via the tunnel and check top -aSH - does the OpenVPN process run close to 100%?
Also for testing try with Encryption Algorithm set to None and try iperf via the tunnel again.

-Rico

spyder0552

@Rico
From what I see, no where near any cpu usage

spyder0552

@spyder0552
Back on this again now. Anyone have suggestions?
This is all on the same network using Cat6 cables. Just testing from a laptop to the wall to a device on the other side.
No VPN - Speed is fantastic.
OpenVPN tunnel - speed is pathetic.

Any help would be appreciated before I have to dump this and look to another solution. I just can't believe that OpenVPN can't handle at least 400-600 Mbs.

Thanks all.

Rico

Did you try with Encryption Algorithm set to None for testing?
If you really aim for highspeed VPN traffic I think you need to try with IPsec.

-Rico

johnpoz

I'm about ready to head out - but I I want to try and see what my 4860 can do via this local sort of testing.. If find some time will do a local only test..

spyder0552

@johnpoz
Hi all.
So, still having the same issue. I have now setup a home lab and get the exact same results.
Test Lab:
Intel i5 with 32Gb Ram.
Using Windows HyperV as the host.
Pfsense and Windows10 as guest machines.

Test 1 = laptop -> Firewall -> Windows 10
Get ~900 Mb/s

Test 2 = Laptop with OpenVP -> Firewall -> Windows 10
Get ~ 170 Mb/s

This is the same results I am seeing at my office using Dell R610 with 24 CPU Xenon's.

Things I have tried:

Enable/disable the network options Hardware TCP Seg and Large Receive Offload (check box set to disable them).
Enable fast I/O (with it turned off, I go down to ~155-160)...so currently enabled.
Snd/rcv buffers. Tried default and 2Mb. No significant change.
Encryption at AES-128-CBC and GCM. No significant change.

So for anyone that wants to setup my test enviroment:

Just setup a HyperV box.
Add 2 virtual switches (one external and one internal).
Create a VM for Pfsense and give it both virtual switches (WAN = External, LAN = Internal switch).
Create a VM for a test box
Put Iperf on the test box
Create your PFsense with default OpenVPN (using TLS). Just run through the wizard.

I am sure if someone did this they would get to the same spot I am where the speed is just no where at what it should be capable of.
You can rule the hardware out to some extent as testing without the VPN shows near full speed (meaning the nics are talking to each other properly).

Anyone willing to try my test?

spyder0552

@Rico
Hey, just replied below. Yes, I did try that on Friday and it did not make a difference.

Is anyone out there trying this with Windows 10 clients? Perhaps this is a windows issue?

Pippin

@spyder0552 said in OpenVPN Slow - local network test:

[2.4.5-RELEASE][admin@pfSense.seradex.local]/root: openvpn --genkey --secret /tm p/secret
[2.4.5-RELEASE][admin@pfSense.seradex.local]/root: time openvpn --test-crypto -- secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
Fri Jun 19 14:47:16 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.007u 0.000s 0:10.00 100.0% 843+177k 0+0io 0pf+0w
[2.4.5-RELEASE][admin@pfSense.seradex.local]/root:

By the looks of that ^^^ it theoretically could do ~320Mbps

How about testing both ways? (client>server - server>client)
Which I5 is that?

Your top -aSH screenshot is timed wrong, ..... I guess.

spyder0552

@Pippin
Home test lab is i5-4690K (yeah..little dated...best I can get atm).

I can't really get it to test from the inside out. The wall seems to be blocking it out. I guess the IP I would connect to would be the end point of the tunel...but not working it seems.

Pippin

You can reverse test mode by using iperf3 -R
"-R, Reverse test mode – Server sends, client receives"

spyder0552

@Pippin
WOW...actually slower in reverse. Averaged only 100 Mb/s

But if I drop the VPN and just go through the firewall, it goes up to 900

spyder0552

@spyder0552
Just to show the config on the client/server side
Client:
dev tun
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 192.168.2.98 1194 udp4
verify-x509-name "OpenVPN-Server-Cert" name
auth-user-pass
pkcs12 pfSense-UDP4-1194-vpn.p12
tls-crypt pfSense-UDP4-1194-vpn-tls.key
remote-cert-tls server

Server:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-GCM
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.2.98
tls-server
server 192.168.99.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN-Server-Cert' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN test.local"
push "dhcp-option DNS 8.8.8.8"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-crypt /var/etc/openvpn/server1.tls-crypt
ncp-ciphers AES-128-GCM
persist-remote-ip
float
topology subnet
fast-io

johnpoz

@spyder0552 said in OpenVPN Slow - local network test:

Just setup a HyperV box.

That doesn't seem like a legit test.. My test will be this

windows 10 PC --- sg4860--- NAS

Will set this up later.. But you don't show any of the mtu settings or txqueuelen..