[SOLVED] Packet Loss on WAN when OpenVPN Speed is High
-
I have a bit of a weird problem I'll try to keep it short.
I have two OpenVPN clients configured in pfSense (v2.3.4). I have them configured so that all my LAN traffic goes through one of them except one computer which uses the other OpenVPN client connection.
This all works fine, I can access the internet from any computer on my LAN and their traffic goes out via the OpenVPN clients as intended.
But if the data over any of the OpenVPN clients reaches around 50Mb/s or more both the OpenVPN client handling that traffic and the internet WAN gateway both start suffering bad packet loss. About 30-50% on the OpenVPN and 15-30% on the WAN interface.
Now my first thought was my ISP is throttling OpenVPN or something. So I installed OpenVPN on my desktop computer and ran the same tests and I'm getting 200Mb/s through it to the same OpenVPN server (across the internet) as I'm using with pfSense and this time no WAN packet loss.
So I thought perhaps it's the CPU on my pfSense box? So I ran an OpenSSL benchmark of AES-256-CBC which is what my VPN uses and got a speed result of between 195MB/s and 215MB/s (smallest 16 bytes to largest packets 8000 bytes - single thread test only). Which should be 1.5Gb/s to 1.7Gb/s.
So I'm really just kind of confused about what is going on exactly. Can anyone shed some light on this? - Also my CPU does not have AES-NI I don't know how much or how little that helps on 2.3.4 is AES-NI even utilised by OpenVPN on this version of pfSense yet or is that 2.4 only?
Anyway thank you for any assistance.
-
Okay it actually turned out that it was my ISP throttling. When I change OpenVPN to use TCP 443 instead of UDP 53 I have no more WAN packet loss and speeds went up to 200Mb/s like on my desktop.
It seems the OpenVPN file from my VPN provider by default already had the TCP 443 specified in it but of course when I followed their pfSense guide it said use UDP 53 instead which is what accounts for the speed discrepancy due to my ISP's throttling.
Thank you for reading, hope this helps someone!
-
Okay it actually turned out that it was my ISP throttling. When I change OpenVPN to use TCP 443 instead of UDP 53 I have no more WAN packet loss and speeds went up to 200Mb/s like on my desktop.
It seems the OpenVPN file from my VPN provider by default already had the TCP 443 specified in it but of course when I followed their pfSense guide it said use UDP 53 instead which is what accounts for the speed discrepancy due to my ISP's throttling.
Thank you for reading, hope this helps someone!
UDP 53 is standard for DNS services. Many ISP intercept/redirect/etc UDP 53. Using UDP 53 for anything other than DNS is likely to produce unpredictable results.
-
I actually have the issue on all UDP ports. My VPN provider says to use UDP 2000 or something like that and if that doesn't work try UDP 53. I get the same speed issues on both. But not on TCP 443.