Massive OpenVPN speed drop



  • In July 2014, I did a test with BF-128-CBC, SHA1 and got 100 Mb/s download speed. Yesterday, I did the same test with the same hardware and could only get 25 Mb/s. I confirmed that nothing else was bottlenecking it. It wasn't the VPN server on the other side. It wasn't the ISP. I asked earlier and someone said there was a change in the pfSense implementation of OpenVPN since then, but could that really be the reason why I have a 75% performance drop?



  • Hi

    I can't help you, but perhaps we have the same problem and perhaps it's the same issue.

    https://forum.pfsense.org/index.php?topic=133409.0

    I also get only around 25 to 28 Mbit on a much faster line, and I get the max performance with ipfire …

    Perhaps you can also give me a hint if you learn anything new; I will do the same!

    Best regards



  • anyone?


  • Banned

    what hardware?
    what version of pfSense?
    why are you using blowfish? If your cpu has AES-NI try AES-128-CBC w/ SHA-2xx.



  • @pfBasic:

    what hardware?
    what version of pfSense?
    why are you using blowfish? If your cpu has AES-NI try AES-128-CBC w/ SHA-2xx.

    I used a EKIAD2500DL.
    http://www.boxhint.com/mitxpc-ekiad2500dl-intel-atom-d2500-dual-lan-dual-com-fanless-mini-itx-pc-d2500cce-2gb-t3410

    The first test was done in 2014 with whatever version of pfSense was current. The second test was done a month ago with version 2.3.4.


  • Banned

    what cpu usage and temps are you seeing when you max out your vpn connection?

    what's your top output during max vpn?


  • Rebel Alliance Global Moderator

    How are you testing exactly?  Are you udp or tcp on your vpn connection?  Yes the openvpn for sure has been updated since 2014.. April of 2014 is when 2.3.3 was released.  Current is 2.4.3 - MAJOR changes in openvpn since then!!

    What version of pfSense were you running? You just now updated from your 2014 install? June of 2014 would have been 2.1.4, 2.1.5 came out end of August.

    Is this VPN server on the other side something you run, a VPN service (who), where are you connecting to? Guessing if a VPN service, they have PoPs all over the globe. How exactly are you doing the speed test? Did you enable fast I/O (new), did you enable different buffer values (new)? Are you using any hardware crypto?

    What is your latency when you test without VPN, and then test with VPN.. Latency can have a HUGE impact.. If you're going from 10ms to 100ms that can have a drastic effect on your testing. What window size are you using to offset the higher latency, etc. etc..



  • @pfBasic:

    what cpu usage and temps are you seeing when you max out your vpn connection?

    what's your top output during max vpn?

    In 2014, top output was almost 100 Mb/s. Now the top output is 25 Mb/s. The CPU utilization in the recent test was 45%. It looks like it was maxing out one CPU. I don't have CPU utilization numbers from 2014.

    @johnpoz:

    How are you testing exactly?  Are you udp or tcp on your vpn connection?  Yes the openvpn for sure has been updated since 2014.. April of 2014 is when 2.3.3 was released.  Current is 2.4.3 - MAJOR changes in openvpn since then!!

    What version of pfSense were you running? You just now updated from your 2014 install? June of 2014 would have been 2.1.4, 2.1.5 came out end of August.

    Is this VPN server on the other side something you run, a VPN service (who), where are you connecting to? Guessing if a VPN service, they have PoPs all over the globe. How exactly are you doing the speed test? Did you enable fast I/O (new), did you enable different buffer values (new)? Are you using any hardware crypto?

    What is your latency when you test without VPN, and then test with VPN.. Latency can have a HUGE impact.. If you're going from 10ms to 100ms that can have a drastic effect on your testing. What window size are you using to offset the higher latency, etc. etc..

    That computer was the router for my network. It was connected to an Apple wireless router in pass-through mode. Both tests were done wirelessly. I have confirmed that with the VPN off I can get much faster speeds. I confirmed when running a VPN on a high-end desktop computer that I can easily achieve over 110 Mb/s with the VPN server provider (PIA). Both tests used UDP. I am running pfSense 2.3.4 in the recent test. I have been updating my pfSense router with new versions periodically but I only just now ran a max speed test. The last time I ran a max speed test was in 2014. I tested my speed with speedtest.net. I used default settings so I have not touched fast I/O or buffer values. There is no hardware acceleration in either test. My latency was 20ms-21ms in 2014 and 26ms now with the VPN on. I used blowfish-128-CBC, SHA1 in both tests.


  • Netgate Administrator

    The first thing to do here is run at the command line:

    top -aSH
    

    That will show you the CPU core usage breakdown whilst you're testing and what is using it.

    100Mbps seems quite good for a D2500. 25Mbps is certainly far lower than I'd expect assuming nothing else throttling it.

    Steve
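One way to read the `top -aSH` output suggested above, as an added example that is not part of the original thread: it picks the busiest non-idle thread and flags the case where a single thread is pinning one core. The sample output is constructed, and the function names `busiest_thread` and `single_core_bound` are hypothetical.

```shell
# Constructed sample of `top -aSH` output on a dual-core box during a VPN speed test.
SAMPLE_TOP='  PID USERNAME   PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root       155 ki31     0K    32K RUN     1  50:12  96.00% [idle{idle: cpu1}]
45211 root        92    0 22000K  6000K CPU0    0   3:41  94.20% /usr/local/sbin/openvpn --config /var/etc/openvpn/client1.conf
   11 root       155 ki31     0K    32K RUN     0  48:03   4.10% [idle{idle: cpu0}]
   12 root       -92    -     0K   256K WAIT    0   0:31   1.20% [intr{irq256: em0}]'

# Print "<WCPU> <command>" for the busiest non-idle thread read from stdin.
# The WCPU column is located from the header row, so the column count may vary.
busiest_thread() {
  awk '
    $1 == "PID" { for (i = 1; i <= NF; i++) if ($i == "WCPU") wcol = i; next }
    wcol && NF > wcol && $(wcol + 1) !~ /^\[idle/ {
      w = $wcol; sub(/%/, "", w); w += 0
      if (w > best) { best = w; cmd = $(wcol + 1) }
    }
    END { if (cmd != "") printf "%.2f %s\n", best, cmd }
  '
}

# Succeed only if one non-idle thread uses at least $1 percent of a core.
single_core_bound() {
  limit=$1
  busiest_thread | awk -v limit="$limit" '{ hit = ($1 + 0 >= limit) } END { exit !hit }'
}

printf '%s\n' "$SAMPLE_TOP" | busiest_thread
if printf '%s\n' "$SAMPLE_TOP" | single_core_bound 90; then
  echo "one thread is pinning a core; overall CPU can read about 50% while the tunnel is CPU-bound"
fi
```

On a live system, pipe a batch-mode snapshot taken during the speed test into `busiest_thread` instead of the sample.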



  • Apparently OpenSSL library 0.9.8e-fips has a flaw that sabotages the speed. Any idea which version pfSense uses?

    https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux



  • 2.3.4-RELEASE (amd64)
    built on Wed May 03 15:13:29 CDT 2017
    FreeBSD 10.3-RELEASE-p19

    library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10


  • Rebel Alliance Global Moderator

    Current is 2.3.4_p1

    I would assume it would be using the same version as 2.4 betas

    [2.4.0-BETA][root@pfsense.local.lan]/root: openvpn --version
    OpenVPN 2.4.3 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 21 2017
    library versions: OpenSSL 1.0.2k-freebsd  26 Jan 2017, LZO 2.10