Netgate Discussion Forum

    OpenVPN: bandwidth problem (site to site)

Dodo25:

      Hello,

I am experiencing bandwidth problems between two sites connected via OpenVPN.

The physical context:
- The two pfSense boxes are each connected to a switch in order to pass through an open fiber link (no flow restriction, via a 1 Gbps fiber module), via a 1 Gbps Ethernet link.
- Behind each pfSense is the LAN of that site.
- The two pfSense boxes are SG-8860 (https://store.pfsense.org/SG-8860-1U/)

Software context:
- The two sites are connected via an OpenVPN tunnel (see the configuration below)

The problem:
- I cannot exceed 20 MB/s (~160 Mbps) LAN-to-LAN between the two sites via the pfSense VPN.
- If I connect 2 PCs directly to switches 1 and 2, I reach an average throughput of 80 MB/s in file transfer (~640 Mbps).

I do not understand why I have such a loss by going through the VPN of my pfSense (even accounting for the encryption part).
So I wonder whether my configuration is not optimal.

Regarding the VPN configuration, this is what it contains:
pfSense1 (server mode):

pfSense2 (client mode):

Server type: Peer to Peer (Shared Key)
Protocol: UDP
Device mode: tun
Port: 9876

- I have activated AES-NI CPU-based Acceleration on both pfSense boxes (which supports AES-CBC, AES-XTS and AES-GCM; System > Advanced > Miscellaneous)

- Encryption Algorithm used: AES-256-CBC (256-bit)
- Auth digest algorithm used: SHA1 (160-bit)
- Hardware Crypto: BSD cryptodev engine – RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC
- Hardware Compression: Enabled with Adaptive Compression

I ran tests modifying the cryptography parameters as well as the port used, and the throughput result stays the same (18 MB/s) (a gain of 4 MB/s without SHA1).

As for the more advanced parameters such as the interface MTU, I left them as they are, so 1500 MTU on the routers (the switches have an MTU of 1512 by default).

      At each test the CPU never exceeds 20% usage.

There is something in my configuration that seems badly configured and could cause this low throughput. Or is there some other limitation?

      Thank you for your help.

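Editor's note, with an added example that is not part of the post above and is not Netgate or OpenVPN project code. Two things a practitioner would check against the configuration shown (shared key, AES-256-CBC, SHA1, adaptive compression, 1500-byte MTU on the routers) before blaming the hardware: OpenVPN handles a tunnel on a single thread, so "20% CPU" on a multi-core box can hide one saturated core and per-core utilisation is the number to look at; and AEAD ciphers such as AES-GCM are only available in TLS mode, not with a static shared key, so the GCM support listed next to the AES-NI setting does not apply to this tunnel as configured. The script below models the other common throughput killer, encapsulation overhead: a 1500-byte LAN packet grows past the 1500-byte WAN MTU once wrapped and must be IP-fragmented, which doubles the packet count and loses the whole datagram whenever one fragment is dropped. The byte sizes it uses (20-byte HMAC-SHA1 tag, 16-byte CBC IV, 8-byte packet-id plus timestamp used for replay protection in static-key mode, 1-byte compression header, PKCS#7 padding to a 16-byte block) are my reading of the OpenVPN 2.x static-key data-channel format and are assumptions to be confirmed with a capture on the WAN interface; OpenVPN's own `mssfix` (default 1450) and `fragment` options exist precisely to keep TCP segments inside one datagram, so if the computed MSS and the observed segment sizes disagree, a WAN-side tcpdump showing fragments is the confirmation.

```python
# Added example (not from the forum post, Netgate or the OpenVPN project): a
# model of OpenVPN static-key (shared secret) data-channel framing, used to
# check whether 1500-byte LAN packets still fit a 1500-byte WAN link once
# encapsulated, and what TCP MSS would let them fit without IP fragmentation.
#
# ASSUMED framing (my reading of the OpenVPN 2.x static-key CBC format; verify
# against a tcpdump of the WAN side before trusting the exact byte counts):
#   outer IPv4 (20) + UDP (8)
#   + HMAC tag (20 for SHA1, 32 for SHA256, 0 with "auth none")
#   + CBC IV (16 for AES)
#   + AES-CBC ciphertext of: packet-id (4) + timestamp (4) [static-key replay
#     protection] + 1-byte compression header (when comp-lzo is on) + payload,
#     PKCS#7-padded to a 16-byte boundary (always 1..16 bytes of padding).

IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20
AES_BLOCK = 16
STATIC_KEY_PACKET_ID = 8          # 4-byte sequence number + 4-byte timestamp
HMAC_LEN = {"none": 0, "SHA1": 20, "SHA256": 32}


def outer_datagram_len(payload_len, digest="SHA1", compression=True):
    """Bytes on the wire (IPv4 + UDP) for one tunnelled packet of payload_len bytes."""
    if digest not in HMAC_LEN:
        raise ValueError(f"unknown digest {digest!r}")
    plaintext = STATIC_KEY_PACKET_ID + (1 if compression else 0) + payload_len
    padding = AES_BLOCK - (plaintext % AES_BLOCK)   # PKCS#7: 1..16 bytes, never 0
    ciphertext = plaintext + padding
    return IPV4_HDR + UDP_HDR + HMAC_LEN[digest] + AES_BLOCK + ciphertext


def fragments(payload_len, link_mtu=1500, **kw):
    """True if the encapsulated packet exceeds the WAN MTU and must be IP-fragmented."""
    return outer_datagram_len(payload_len, **kw) > link_mtu


def max_inner_packet(link_mtu=1500, **kw):
    """Largest tunnelled IP packet that still fits in a single outer datagram."""
    size = link_mtu
    while size > 0 and fragments(size, link_mtu, **kw):
        size -= 1
    return size


def max_tcp_mss(link_mtu=1500, **kw):
    """TCP MSS that keeps every segment inside one outer datagram (compare with mssfix)."""
    return max_inner_packet(link_mtu, **kw) - IPV4_HDR - TCP_HDR


def report(link_mtu=1500, **kw):
    """Print a small table for typical inner packet sizes; returns the rows."""
    rows = []
    biggest = max_inner_packet(link_mtu, **kw)
    for payload in (64, 576, biggest, 1500):
        outer = outer_datagram_len(payload, **kw)
        rows.append((payload, outer, outer > link_mtu))
        print(f"inner {payload:5d} B -> outer {outer:5d} B  "
              f"{'FRAGMENTS' if outer > link_mtu else 'ok'}")
    print(f"largest inner packet without fragmentation: {biggest} B, "
          f"TCP MSS to clamp to: {max_tcp_mss(link_mtu, **kw)} B")
    return rows


if __name__ == "__main__":
    # The post's settings: AES-256-CBC, SHA1, adaptive compression, 1500-byte MTU.
    report()
    # Same link with a 32-byte HMAC (SHA256) for comparison.
    report(digest="SHA256")
```

With the post's settings a full 1500-byte inner packet becomes a 1584-byte datagram and is fragmented; the largest inner packet that fits is 1414 bytes, i.e. a TCP MSS of 1374. Dropping the SHA1 HMAC only shaves 20 bytes and still fragments, which matches the small gain the poster saw from removing it; lowering the MSS (or the tun MTU) is what removes the fragmentation, not changing the cipher.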
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.