Host-based OpenVPN connection slow/flapping
-
I tried to search but most issues involve OpenVPN running on the pfSense box itself.
I have a client inside my network that connects to an OpenVPN server on the internet. That is, the computer is running OpenVPN and the pfSense box sees nothing but a connection on port 443. Not using pfSense as the initiator of the VPN.
When going through the pfSense firewall the connection speed will "ramp up" over several seconds (10-30) and then abruptly drop to almost nothing for about the same period. During this, I can see internet pings go from ~50ms to ~2000 to finally timing out. Once the pings return to ~50ms, the speed ramps back up and the process repeats.
Previously this OpenVPN connection was working great on my rinky dink home wireless router, so I do not suspect the ISP or any other part of the network. I used to consistently see ~10 Mbps per second of bandwidth, now it ramps up to about 4Mbps and then down to zero, over and over.
The pfSense firewall can handle 200 Mbps across the WAN with minor resource usage, so I don't see how getting 10 Mbps from a connection on 443 is taxing it.
-
I have done some more research and determined I can get slightly better performance by greatly limiting my number of connections for downloads. Anything higher than 2 concurrent connections causes the connection to "die" for several seconds before ramping back up to a few Mbps. Even with 2 concurrent connections it oscillates between 2 and 4 Mbps on a 10-30 second period. The speed graph looks like waves.
I've read about NAT tables getting full, but pfSense just sees a single TCP connection on port 443. I've also tried the net.inet.ip.fastforwarding 1 setting and tweaking the MTU on the client running OpenVPN.
Since this was working great with my old router yesterday I really think the issue is with pfSense. It's like the connection really takes off, then gets "clogged" and slows down for several seconds. The top command shows about 8% CPU usage and there are no line errors on any of the hardware.
-
Still scratching my head on this one. I am going to try to move to having the OpenVPN tunnel originated on the pfSense box and using firewall rules to force this host to only go through that tunnel. I've already got pfSense blocking all WAN traffic and permitting only the IP of the OpenVPN server. Maybe that will help out.
-
Any ideas? It will run at a solid 10 Mbps for anywhere from one to ten minutes, then sit idle for up to an hour. During this time I can go to speedtest.net and get ~5 Mbps download no problem.
Being a VPN tunnel, does pfSense or my ISP even know what's going through the pipe? I would think encrypted traffic would all look the same, but it feels like I'm getting throttled.
Should I suspect the VPN server itself?
I'm open to ideas…. I really don't want to go back to my old router.