OpenVPN tunnel is crawling, not sure why.



  • Hi everyone,

    I've been tinkering with this for a month now and I still am at a loss as to why this is the case.

    Hardware:

    OpenVPN Server:

    i5 5250U
    4GB RAM
    32GB mSATA
    4 x Intel gigabit ports

    Connection Speed: 50/60mbps (wired)

    http://www.ebay.com/itm/New-4-LAN-Barebone-Mini-PC-with-I5-5250U-up-to-2-7G-Dual-core-Fanless-Q355G4-/262557147850?nma=true&si=p9Y6Fo8lAJEGzJcanE8mK6N%2F3Qc%3D&orig_cvip=true&rt=nc&_trksid=p2047675.l2557

    OpenVPN Client:

    Lenovo T450s

    Connection Speed: 80/60mbps (wireless)

    When I tunnel my Lenovo through the OpenVPN connection, I get…

    128 bit: 5/6mbps
    256 bit: 5/5mbps

    I've looked at these threads in an attempt to speed up the connection.

    https://forum.pfsense.org/index.php?topic=47567.0
    https://forum.pfsense.org/index.php?topic=56225.0

    Connecting to a VPN server that is hosted on my Synology NAS behind the PFSense server gets 10/12mbps. I'd think this is limited by the power of the CPU (ds1511+).

    Not sure how else to troubleshoot.

    What am I missing or doing wrong?



  • edited right after I posted….

    Sorry upfront for the blast of questions...

    What type of encryption are you using?
    Are you pushing all traffic across the VPN from the client?
    What's the output of pftop while the VPN tunnel is active?
    What routes are you pushing to the client?
    What other services are you running on the pfsense box (Snort, Squid, pfblockerng, etc...)?
    And finally, I think, what are you using to test the throughput (have you tried iperf)?



  • @jeffwcollins:

    What type of encryption are you using?
    Are you pushing all traffic across the VPN from the client?
    What's the output of pftop while the VPN tunnel is active?
    What routes are you pushing to the client?
    What other services are you running on the pfsense box (Snort, Squid, pfblockerng, etc…)?
    And finally, I think, what are you using to test the throughput (have you tried iperf)?

    • Crypto: AES-256-CBC/SHA1
      D-H Params: 2048 bits

    • Yes.

    • http://i.imgur.com/WuH6opw.png

    • One subnet on the server LAN (192.168.1.1-192.168.1.254)

    • Squid, lightsquid Here are the packages I have installed: http://i.imgur.com/Gh9Z79h.png

    • Using speedtest.net, and file transfers between server lan and client. Not 100% sure how to use iperf, gonna look that up and see if I can figure it out.

    Thank you for your help! Hopefully others will be able to troubleshoot off of this.


  • Netgate

    Connection Speed: 50/60mbps (wired)
    Connection Speed: 80/60mbps (wireless)

    What kind of ISP services are these? What are the speeds?

    Using speedtest.net, and file transfers between server lan and client.

    What kind of file transfers?



  • Server ISP: Verizon FIOS 50/50 mbit service

    Client ISP: Bangkok TRUE Fiber internet (found in malls) running 802.11ac

    The file transfers that I'm doing are mapping a network drive to my NAS, and quite literally copying and pasting a file as if I were on a local LAN.



  • I think there are a few things to note here.

    First, if it's file transfer speeds that you are having a problem with, I think you have your MTU size set too high, which may cause re-transmits or fragmentation of packets which slow down throughput on the transfer itself.

    The second is that you are transferring files over the VPN using TCP, which has a lot of overhead, so while you may be noticing slow transfers, it may actually be going faster than you think because of the TCP ACKs.

    Third, your wireless provider may be rate limiting (or shaping) traffic based on traffic type, in this case IPsec traffic, or they may be doing rate limiting on a per person/connection basis.  Also, with it being wireless, they also may have issues with network congestion on the wireless bands themselves, even with your statement of it being 802.11ac.

    Try using iperf to validate point-to-point throughput from the client to the server over the ipsec tunnel.  You can set up iperf on the server by loading it as a package, and downloading the related client version from the web to run this test.  This will show if it's the tunnel causing the perceived slowness, or if it's the types of traffic (file transfers) that you are trying to complete over the tunnel itself.
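
Added example, not part of the original thread: the per-packet byte accounting behind the MTU point in the post above, for the AES-256-CBC/SHA1 settings reported earlier in the thread. The packet layout is an assumption (OpenVPN over UDP/IPv4, P_DATA_V1 data packets, no compression, 1500-byte link MTU), and the function names are illustrative.

```python
# Added example: byte accounting for one OpenVPN data packet (CBC mode).
# Assumed layout (not from the thread): outer IPv4 + UDP, P_DATA_V1,
# no compression byte:
#   opcode | HMAC | IV | CBC(packet-id + inner IP packet + padding)

OUTER_IPV4, OUTER_UDP, OPCODE, PACKET_ID = 20, 8, 1, 4

# cipher -> (block size, IV size); digest -> HMAC tag size (bytes)
CIPHERS = {"AES-128-CBC": (16, 16), "AES-256-CBC": (16, 16)}
DIGESTS = {"SHA1": 20, "SHA256": 32}


def wire_size(inner_len, cipher="AES-256-CBC", digest="SHA1"):
    """Size of the outer IP packet carrying one inner IP packet."""
    block, iv = CIPHERS[cipher]
    plaintext = PACKET_ID + inner_len
    # PKCS#7 padding adds 1..block bytes, a full block on exact multiples.
    ciphertext = (plaintext // block + 1) * block
    return OUTER_IPV4 + OUTER_UDP + OPCODE + DIGESTS[digest] + iv + ciphertext


def max_inner_packet(link_mtu=1500, cipher="AES-256-CBC", digest="SHA1"):
    """Largest inner IP packet that leaves the outer packet unfragmented."""
    inner = link_mtu
    while inner > 0 and wire_size(inner, cipher, digest) > link_mtu:
        inner -= 1
    return inner


def max_tcp_mss(link_mtu=1500, cipher="AES-256-CBC", digest="SHA1"):
    """TCP payload per segment inside the tunnel (inner IPv4 + TCP = 40)."""
    return max_inner_packet(link_mtu, cipher, digest) - 40


def summary(link_mtu=1500, cipher="AES-256-CBC", digest="SHA1"):
    inner = max_inner_packet(link_mtu, cipher, digest)
    return {
        "full_size_inner_on_wire": wire_size(link_mtu, cipher, digest),
        "fragments_at_full_size": wire_size(link_mtu, cipher, digest) > link_mtu,
        "max_inner_packet": inner,
        "max_tcp_mss": inner - 40,
        "framing_bytes": wire_size(inner, cipher, digest) - inner,
    }


if __name__ == "__main__":
    for name in CIPHERS:
        print(name, summary(cipher=name))
```

Under these assumptions a full 1500-byte inner packet needs 1585 bytes on the wire, so it fragments on a 1500-byte path, while AES-128-CBC and AES-256-CBC produce identical packet sizes because their block and IV sizes are the same.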


  • Netgate

    And SMB can be really slow especially when there is any latency involved.



  • Sorry for the delayed reply, couldn't get back to my usual testing grounds.

    Here are various iperf/speedtest results:

    -Inside VPN (TCP): http://i.imgur.com/v1CHGZM.png
    -Inside VPN (UDP): http://i.imgur.com/aJ2DF1O.png
    -Client to Outside Internet: http://i.imgur.com/MwlC8wX.png
    -Client to Outside Internet (Speedtest.net): http://i.imgur.com/qDqOlel.png
    -Inside server network to Outside Internet: http://i.imgur.com/4v1YOyI.png
    -Inside server network to Outside internet (speedtest.net): http://i.imgur.com/RRF2oKv.png

    So looks like the VPN is running at the speed allowed by my client ISP minus 60% overhead. What's more interesting is the Server ISP (50/50 Verizon FiOS) is showing only 20Mbps. Not sure what to make of that information, considering speedtest shows 50mbps.

    Not sure if this conclusion is correct, but it looks to be traffic shaping by the client-side ISP.

    I'm going to fiddle around to try and reduce the overhead required.

    1. Need to better understand the impact of MTU
    2. Set up servers inside the client side network to better assess internal throughput.
    3. Experiment more with 128bit encryption

  • Netgate

    No way am I going to compare all those imgur links to see what's going on. You will need to summarize.



  • Here are various iperf/speedtest results… Summaries in bold:

    -Inside VPN (TCP): iperf: 1.48 Mbits/sec http://i.imgur.com/v1CHGZM.png
    -Inside VPN (UDP): iperf: 1.45 Mbits/sec http://i.imgur.com/aJ2DF1O.png
    -Client to Outside Internet: iperf: 3.72 Mbits/sec http://i.imgur.com/MwlC8wX.png
    -Client to Outside Internet (Speedtest.net): Speedtest: 86.61/86.92 Mbps http://i.imgur.com/qDqOlel.png
    -Inside server network to Outside Internet: iperf: 23.3 Mbits/sec http://i.imgur.com/4v1YOyI.png
    -Inside server network to Outside internet (speedtest.net): Speedtest: 56.43/63.89 Mbps http://i.imgur.com/RRF2oKv.png

    So looks like the VPN is running at the speed allowed by my client ISP minus 60% overhead. What's more interesting is the Server ISP (50/50 Verizon FiOS) is showing only 20Mbits/s. Not sure what to make of that information, considering speedtest shows 50Mbps.

    Not sure if this conclusion is correct, but it looks to be traffic shaping by the client-side ISP.

    I'm going to fiddle around to try and reduce the overhead required.

    1. Need to better understand the impact of MTU
    2. Set up servers inside the client side network to better assess internal throughput.
    3. Experiment more with 128bit encryption