OpenVPN slow speed but sometimes high



  • Hi,

    I'm having some problems with slow speed on my pfsense openvpn server.

    The server is connected to a 1Gbps connection (up/download speed pretty much always 200Mbps or higher) and my client to a 4G or DSL connection that is 40+Mbps. All tested using speedtest.net.

    However my VPN connection maxes out at around 10Mbps.

    I'm running pfsense inside virtualbox on an Intel NUC i3. At first I thought the hardware might not be capable of more but pfsense and the virtualbox host never really go above 25% cpu usage when the VPN is active. I also tried creating an additional VPN server with a 1024bit key and 256bit hash to rule out provider throttling and hardware limitations but results are similar.

    The weird thing is that sometimes I do get high throughput, maxing out the VPN client connection. E.g. if I run speedtest.net 5 times, maybe 4 times it will hover around 10Mbps but 1 time it will easily go to 40Mbps. When it does 40Mbps I see cpu usage spiking to 70% so the hardware is sufficient.

    I already tried setting the ip.net settings to 1 instead of 0 but no change. I also tried playing around with mtu and fragment settings without any luck. Though I might be doing that the wrong way.

    How can I troubleshoot what is causing the slow speed? The hardware and connections don't appear to be the limiting factor.



  • Turning compression on/off or using hardware acceleration makes no difference. Also for some reason using speedtest or downloading the windows 10 iso gives ~10Mbps in speed but http downloads are much slower, around 500kbps.

    This is my config without anything pushed under advanced option.

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote myip 443 udp
    lport 0
    auth-user-pass
    ns-cert-type server
    # originally: comp-lzo adaptive
    comp-lzo no



  • How far away from the vpn server are you?  What's the ping time to it?



  • I can't ping my server but if I ping my client from the server ping is 8ms. Distance from client to server is less than 3km so it's pretty much next door.



  • No hints?

    No matter what settings I use performance hovers between 4 and 8mbps on speedtest.net. File transfers are around 4mps. The hardware and VM are never showing anywhere near max cpu usage, maxing out at about 30%. The connection running the server is hitting over 100mbps while testing with the client side hitting well over 50mbps.

    I tried using 128bit or no encryption at all, compression and no compression, different ports but apart from port 443 appearing to be slightly faster I don't see any difference.

    I really can't think of anything being wrong apart from my dsl provider throttling openvpn… but they say they aren't throttling anything and throttling openvpn while putting no limit on p2p doesn't make any sense either.

    I'll try setting up a different type of VPN server, see if that makes any difference as well as try running a new VM on my main rig with an i7 4770, that should rule out a lack of power.

    The weird thing is that running speedtest from the client while connected to the VPN gives pings as low as 18ms.

    Edit: I think I might have found the problem. Running fetch -o /dev/null http://cachefly.cachefly.net/100mb.test I get only about 4mbps. Either something in pfsense's config is giving such low network speeds or there is something wrong with the VM's settings.

    edit2: That wasn't the problem. The previous server runs on a 56k link or whatever and never gets higher speeds than 4mbps. Tried a non sucky server and fetching files at 20mbps. Sure it would be higher if there was a decent server somewhere.



  • You could try to add these two lines in advanced option:

    sndbuf 524288
    rcvbuf 524288

    Furthermore, for a UDP connection, you could even add this:
    fast-io



  • Yep - That's what I was going to recommend also except he seems to have no latency problems.

    Also, I've been made aware that there are now openvpn clients available that don't have that buffer issue.



  • Yes, since client version 2.3.9 the 64k buffer sizes are removed so that the OS will determine it.



  • @mauroman33:

    You could try to add these two lines in advanced option:

    sndbuf 524288
    rcvbuf 524288

    Furthermore, for a UDP connection, you could even add this:
    fast-io

    I tried earlier but it makes no difference.

    What does make a big difference is picking TCP over UDP. With TCP I get 20 ~ 30mbps when downloading a linux iso or driver vs about 5mbps on UDP. Ping doubles compared to UDP to around 40ms and transferring a file using tightvnc is about 1/3 of the speed compared to UDP (1.5mbps vs 4mbps).

    This doesn't make sense to me. First of all UDP should be faster but even if for whatever reason TCP would be faster because my ISP is throttling UDP traffic or whatever I still don't understand how downloading a file from a website can be much faster compared to UDP while transferring a file suddenly is 1/3 the speed compared to UDP.

    Does anybody know why this is happening?

    PS. my provider has an MTU of 1454 (set on my router, not the pfsense box). As far as I can tell there aren't any MTU errors but could this be related? I tried setting it in the advanced settings earlier but that led to errors on the client.



  • If you indeed have a lower MTU on the WAN than on the VPN, then you should lower the MTU for OpenVPN.

    https://forum.pfsense.org/index.php?topic=67080.0



  • On TCP it will fail to connect to the server with fragment 1426;mssfix in advanced options (doesn't matter what MTU I set)

    1426 being the highest I can go when connected to the TCP vpn and pinging google.com -l 1426.

    TCP
    failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

    UDP (mtu was set to 1400 at the time of this test)
    Mon Jul 04 17:19:48 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
    Mon Jul 04 17:19:48 2016 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Mon Jul 04 17:20:01 2016 Bad LZO decompression header byte: 0
    Mon Jul 04 17:20:11 2016 Bad LZO decompression header byte: 0
    Mon Jul 04 17:20:21 2016 Bad LZO decompression header byte: 0
    Mon Jul 04 17:20:31 2016 Bad LZO decompression header byte: 0
    Mon Jul 04 17:20:41 2016 Bad LZO decompression header byte: 0
    Mon Jul 04 17:20:50 2016 [Beko] Inactivity timeout (--ping-restart), restarting
    Mon Jul 04 17:20:50 2016 SIGUSR1[soft,ping-restart] received, process restarting
    Mon Jul 04 17:20:53 2016 UDPv4 link local (bound): [undef]

    Also, when not connected to a VPN I can't ping -l 1500 from my client either but speeds are fine.
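
Added example (not part of the original thread): a small triage script for the kind of client log quoted above, which collects the option mismatches OpenVPN reports and flags the pattern of undecodable packets followed by a keepalive restart. The sample log is constructed in the thread's format, and mapping `mtu-dynamic` to the `fragment` directive is an assumption about how OpenVPN 2.x names that option in its warnings.

```python
import re

# Constructed sample in the format of the client log quoted in the thread.
SAMPLE_LOG = """\
Mon Jul 04 17:19:48 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606'
Mon Jul 04 17:19:48 2016 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Mon Jul 04 17:20:01 2016 Bad LZO decompression header byte: 0
Mon Jul 04 17:20:11 2016 Bad LZO decompression header byte: 0
Mon Jul 04 17:20:50 2016 [server] Inactivity timeout (--ping-restart), restarting
"""

INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
ONE_SIDED = re.compile(
    r"WARNING: '([^']+)' is present in (local|remote) config but missing in")
# Assumption: 'mtu-dynamic' in a warning is how OpenVPN 2.x reports the
# `fragment` directive.
DIRECTIVE = {"mtu-dynamic": "fragment"}


def triage(log_text):
    """Summarise client/server option mismatches found in an OpenVPN log."""
    report = {"differs": {}, "one_sided": {}, "bad_lzo": 0, "restarts": 0}
    for line in log_text.splitlines():
        if m := INCONSISTENT.search(line):
            # Same option on both sides, different values: (local, remote).
            report["differs"][m.group(1)] = (m.group(2), m.group(3))
        elif m := ONE_SIDED.search(line):
            # Option configured on one peer only; record which side has it.
            name = DIRECTIVE.get(m.group(1), m.group(1))
            report["one_sided"][name] = m.group(2)
        elif "Bad LZO decompression header byte" in line:
            # Usual cause: the peers disagree on the comp-lzo setting.
            report["bad_lzo"] += 1
        elif "Inactivity timeout" in line:
            report["restarts"] += 1
    # Packets arrive but cannot be decoded, then the keepalive expires:
    # the tunnel is connected but carries no usable traffic.
    report["dead_tunnel"] = report["bad_lzo"] > 0 and report["restarts"] > 0
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `differs` or `one_sided` entry means a directive was changed on one peer only; MTU, fragment and compression settings have to match on client and server before any throughput comparison is meaningful.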

