Internet slowness over VPN

  • All,

    I have been dealing with a general TCP slowness issue when accessing the Internet while connected to my mobile IPSec endpoint.

    The network has got multiple tunnels in a hub-and-spoke scenario (IPSec + GRE + BGP). A mobile IPSec client connects to one of the hub nodes. Split tunneling is disabled, so once connected to the VPN, all traffic is tunneled, and source NAT is done for the VPN client address pool.

    When I'm connected, I have no issues with reaching any of the internal locations (vpn client -> (internet) -> hub -> (internet) -> spoke -> node) - data rates are what the network permits. My hub nodes are also running squid - download speeds via Squid are fine.

    However, when trying to reach an Internet location directly via the VPN client (web, anything TCP), I am seeing a horrible sequence of TCP retransmissions and duplicate ACKs: vpn client -> (internet) -> hub -> internet. I can only reach something like 10 kB/sec.

    First thing that came to my mind was MTU issues - however I have normalised MTU and TCP MSS across the whole network, including the WAN interface on the hub nodes - no issues, any intranet communication is fine, and as I said, browsing via Squid is also fine.

    Essentially the hub is bouncing my traffic via its WAN interface (encrypted ingress SYN, decrypted egress SYN, non-encrypted ingress ACK, encrypted egress ACK, etc). Could this in itself be causing my issue? Could this be a prioritisation problem, i.e. VPN traffic is contending with Internet traffic?

    I am using pfSense 2.3.2.

    Any ideas welcome.


  • We have closure! After a really long time dealing with slow VPN client operation, it turned out that the problem was UDP checksums. "Disable hardware UDP checksums" solved all performance issues.

  • I will keep that in mind as a possible bug for future builds when I am looking for issues.

    VPN performance is my number one most important thing.
