SG-3100 OpenVPN Download slow (and it is SG slowing it)



  • Hi!

    I am new to pfsense but like the box quite so far. Nevertheless I have a problem with the download speed when using the pfsense VPN Client to my VPN provider.

    On my Mac I have the iVPN and ProtonVPN client. If I connect to a given server I get approx 85/85 (from 100/100) with both clients to different servers.

On the SG-3100 I set up a VPN and a config to route certain clients via the VPN client. Same Mac, same VPN providers, and I always (!) get something like 50/80. Every time, at every time of the day, with every server where I can usually get full speed, and with every VPN provider.

    So I am basically sure that there is something with either my config or the SG slowing the download via the pfsense VPN client (but not the upload!).

My config is included as screenshots. I have no idea, and Dr. Google was not able to help. Could someone please give me a hint?

    Cheers!

![Bildschirmfoto 2018-03-09 um 20.28.00.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.28.00.png)
    ![Bildschirmfoto 2018-03-09 um 20.30.14.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.30.14.png)
    ![Bildschirmfoto 2018-03-09 um 20.30.32.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.30.32.png)
    ![Bildschirmfoto 2018-03-09 um 20.30.40.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.30.40.png)
    ![Bildschirmfoto 2018-03-09 um 20.30.58.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.30.58.png)
    ![Bildschirmfoto 2018-03-09 um 20.32.02.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.32.02.png)
    ![Bildschirmfoto 2018-03-09 um 20.32.29.png](/public/imported_attachments/1/Bildschirmfoto 2018-03-09 um 20.32.29.png)


  • Netgate Administrator

    You should enable fast-io and you can set the buffers using the drop down rather than using custom options (though it does the same thing).

What does OpenVPN status show the actual negotiated parameters are?

    Steve



  • i don't use that provider.  but 2 things you can try.

    1.  change your ncp algorithm to CBC 128 and 256.  remove what you have.
    2.  change compression to LZO compression

    i use PIA.  and i get i would say 95% of my full download speed.

    i am no expert at OpenVPN.  but i have been tinkering with it on and off for about 2 years now on my sg 2200 router

    also.  have you downloaded the configuration files here: https://protonvpn.com/support/linux-vpn-setup/  ?  open the file and match your openvpn configuration



  • @stephenw10:

    You should enable fast-io and you can set the buffers using the drop down rather than using custom options (though it does the same thing).

Steve, thank you. I activated fast-io and set the buffers in the drop-down to 2MB. This raised the speed from 5 to 7 MB/s.

    @stephenw10:

What does OpenVPN status show the actual negotiated parameters are?

    Do you mean the following information? ######## = my IP

    Mar 11 07:21:55 openvpn 59802 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
    Mar 11 07:21:59 openvpn 59802 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    Mar 11 07:21:59 openvpn 59802 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
    Mar 11 07:21:59 openvpn 59802 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
    Mar 11 07:21:59 openvpn 59802 TCP/UDP: Preserving recently used remote address: [AF_INET]###########2049
    Mar 11 07:21:59 openvpn 59802 Socket Buffers: R=[42080->2097152] S=[57344->2097152]
    Mar 11 07:21:59 openvpn 59802 UDPv4 link local (bound): [AF_INET]####5:0
    Mar 11 07:21:59 openvpn 59802 UDPv4 link remote: [AF_INET]95.211.172.18:2049
    Mar 11 07:21:59 openvpn 59802 TLS: Initial packet from [AF_INET]######:2049, sid=e2295144 cce39f60
Mar 11 07:21:59 openvpn 59802 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mar 11 07:21:59 openvpn 59802 VERIFY OK: depth=1, C=MT, ST=Malta, L=Malta, O=IVPN.net, CN=IVPN.net CA, emailAddress=support@ivpn.net
    Mar 11 07:21:59 openvpn 59802 VERIFY OK: nsCertType=SERVER
    Mar 11 07:21:59 openvpn 59802 VERIFY X509NAME OK: CN=nl8.gw.ivpn.net
    Mar 11 07:21:59 openvpn 59802 VERIFY OK: depth=0, CN=nl8.gw.ivpn.net
    Mar 11 07:22:00 openvpn 59802 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Mar 11 07:22:00 openvpn 59802 MANAGEMENT: CMD 'state 1'
    Mar 11 07:22:00 openvpn 59802 MANAGEMENT: Client disconnected
    Mar 11 07:22:00 openvpn 59802 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
    Mar 11 07:22:00 openvpn 59802 [nl8.gw.ivpn.net] Peer Connection Initiated with [AF_INET]#######:2049
    Mar 11 07:22:01 openvpn 59802 SENT CONTROL [nl8.gw.ivpn.net]: 'PUSH_REQUEST' (status=1)
    Mar 11 07:22:01 openvpn 59802 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,explicit-exit-notify 3,route-gateway 10.28.16.1,topology subnet,ping 10,ping-restart 60,dhcp-option DNS 10.28.16.1,ifconfig 10.28.16.16 255.255.252.0,peer-id 14,cipher AES-256-GCM'
    Mar 11 07:22:01 openvpn 59802 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:2 is ignored by previous <connection>blocks
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: timers and/or timeouts modified
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: explicit notify parm(s) modified
Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: --ifconfig/up options modified
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: route options modified
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: route-related options modified
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: peer-id set
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: adjusting link_mtu to 1625
    Mar 11 07:22:01 openvpn 59802 OPTIONS IMPORT: data channel crypto options modified
    Mar 11 07:22:01 openvpn 59802 Data Channel: using negotiated cipher 'AES-256-GCM'
    Mar 11 07:22:01 openvpn 59802 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
    Mar 11 07:22:01 openvpn 59802 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Mar 11 07:22:01 openvpn 59802 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Mar 11 07:22:01 openvpn 59802 ROUTE_GATEWAY 91.106.136.1/255.255.248.0 IFACE=mvneta2 HWADDR=00:08:a2:0d:0a:79
    Mar 11 07:22:01 openvpn 59802 TUN/TAP device ovpnc2 exists previously, keep at program end
    Mar 11 07:22:01 openvpn 59802 TUN/TAP device /dev/tun2 opened
    Mar 11 07:22:01 openvpn 59802 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Mar 11 07:22:01 openvpn 59802 /sbin/ifconfig ovpnc2 10.28.16.16 10.28.16.1 mtu 1500 netmask 255.255.252.0 up
    Mar 11 07:22:01 openvpn 59802 /sbin/route add -net 10.28.16.0 10.28.16.1 255.255.252.0
    Mar 11 07:22:01 openvpn 59802 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1553 10.28.16.16 255.255.252.0 init
    Mar 11 07:22:02 openvpn 59802 Initialization Sequence Completed

Thank you for your help!



  • @bcruze:

    i don't use that provider.  but 2 things you can try.

    1.  change your ncp algorithm to CBC 128 and 256.  remove what you have.
    2.  change compression to LZO compression

    i use PIA.  and i get i would say 95% of my full download speed.

    i am no expert at OpenVPN.  but i have been tinkering with it on and off for about 2 years now on my sg 2200 router

    also.  have you downloaded the configuration files here: https://protonvpn.com/support/linux-vpn-setup/  ?  open the file and match your openvpn configuration

    Unfortunately this does not change the speed. Maybe I will give PIA a try for non essential VPN stuff


  • Netgate Administrator

Do you have 'BSD Crypto Device' selected in System > Advanced > Miscellaneous?
    And also in the OpenVPN client settings?

    Steve



  • I am running Proton VPN but on a custom built pfsense box.

    On my box I can get a little over 300mbps.

    I know this isn't exactly what you were looking for but it at least proves out that pfsense\openvpn is capable of the faster speeds.

    I am curious to see what the max speed the 3100 will do on proton vpn.


  • Netgate Administrator

    It won't do 300Mbps OpenVPN, I would expect to see the full 85Mbps here though. I have tested it at 95-100Mbps. It will do far more using IPSec if the VPN service supports that.

    However in the above log we can see:

    Mar 11 07:22:01    openvpn    59802    Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Mar 11 07:22:01    openvpn    59802    Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    

    It's using the NCP Algorithms as they take priority over the specified algorithms. However the cesa hardware crypto in the SG-3100 only accelerates AES-CBC so those should be set in NCP as suggested above by bcruze.

    Steve
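To make the point in Steve's post checkable from a log rather than by eye, here is an added Python script (not from this thread, Netgate, or OpenVPN) that parses the OpenVPN client log lines posted earlier in the thread. It extracts the cipher from the Local Options String, the cipher pushed in the PUSH_REPLY, the cipher the data channel actually initialized, the control-channel TLS parameters and the socket-buffer sizes, and then reports whether NCP overrode the configured cipher and whether the negotiated cipher is one of the AES-CBC modes the thread says the SG-3100's CESA engine accelerates. The `CESA_ACCELERATED` set and all function names are assumptions made for this example; the sample log text is copied from the post above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Log lines as posted earlier in this thread (pfSense OpenVPN client log, IP addresses redacted by the poster).
SAMPLE_LOG = """\
Mar 11 07:21:59 openvpn 59802 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mar 11 07:21:59 openvpn 59802 Socket Buffers: R=[42080->2097152] S=[57344->2097152]
Mar 11 07:22:00 openvpn 59802 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mar 11 07:22:01 openvpn 59802 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,explicit-exit-notify 3,route-gateway 10.28.16.1,topology subnet,ping 10,ping-restart 60,dhcp-option DNS 10.28.16.1,ifconfig 10.28.16.16 255.255.252.0,peer-id 14,cipher AES-256-GCM'
Mar 11 07:22:01 openvpn 59802 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 11 07:22:01 openvpn 59802 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 07:22:01 openvpn 59802 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 07:22:02 openvpn 59802 Initialization Sequence Completed
"""

# Assumption taken from this thread (not a Netgate spec sheet): the SG-3100's CESA engine
# offloads AES-CBC only, so anything else runs in software.
CESA_ACCELERATED = {"AES-128-CBC", "AES-256-CBC"}


@dataclass
class Negotiated:
    configured_cipher: Optional[str] = None   # 'cipher X' in the Local Options String
    pushed_cipher: Optional[str] = None       # 'cipher X' inside PUSH_REPLY (NCP)
    data_cipher: Optional[str] = None         # cipher the data channel actually initialized
    tls_version: Optional[str] = None
    control_cipher: Optional[str] = None
    rcvbuf: Optional[Tuple[int, int]] = None  # (default, configured) receive buffer in bytes
    sndbuf: Optional[Tuple[int, int]] = None


_RE = {
    "local": re.compile(r"Local Options String \(VER=V\d+\): '([^']*)'"),
    "push": re.compile(r"'PUSH_REPLY,([^']*)'"),
    "negot": re.compile(r"Data Channel: using negotiated cipher '([^']+)'"),
    "init": re.compile(r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized with \d+ bit key"),
    "ctrl": re.compile(r"Control Channel: (TLSv[\d.]+), cipher ([^,]+)"),
    "bufs": re.compile(r"Socket Buffers: R=\[(\d+)->(\d+)\] S=\[(\d+)->(\d+)\]"),
}


def _option(opts: str, key: str) -> Optional[str]:
    """Look up 'key value' in a comma-separated OpenVPN option string."""
    for item in opts.split(","):
        parts = item.strip().split(" ", 1)
        if parts[0] == key and len(parts) == 2:
            return parts[1]
    return None


def parse_openvpn_log(text: str) -> Negotiated:
    """Pull the negotiated parameters out of OpenVPN client log text."""
    n = Negotiated()
    for line in text.splitlines():
        if m := _RE["local"].search(line):
            n.configured_cipher = _option(m.group(1), "cipher")
        elif m := _RE["push"].search(line):
            n.pushed_cipher = _option(m.group(1), "cipher")
        elif m := _RE["negot"].search(line):
            n.data_cipher = m.group(1)
        elif m := _RE["init"].search(line):
            # Fallback for logs that only show the initialized cipher, not the negotiation line.
            n.data_cipher = n.data_cipher or m.group(2)
        elif m := _RE["ctrl"].search(line):
            n.tls_version, n.control_cipher = m.group(1), m.group(2)
        elif m := _RE["bufs"].search(line):
            n.rcvbuf = (int(m.group(1)), int(m.group(2)))
            n.sndbuf = (int(m.group(3)), int(m.group(4)))
    return n


def ncp_overrode_cipher(n: Negotiated) -> bool:
    """True when the cipher the data channel uses differs from the locally configured one."""
    return (n.configured_cipher is not None and n.data_cipher is not None
            and n.data_cipher != n.configured_cipher)


def hardware_offloaded(n: Negotiated) -> bool:
    """True when the negotiated data-channel cipher is in the CESA-accelerated set."""
    return n.data_cipher in CESA_ACCELERATED


def findings(n: Negotiated) -> List[str]:
    """Human-readable observations a troubleshooter would want from the log."""
    out = []
    if ncp_overrode_cipher(n):
        out.append(f"NCP replaced configured cipher {n.configured_cipher} with {n.data_cipher}")
    if n.data_cipher and not hardware_offloaded(n):
        out.append(f"data channel cipher {n.data_cipher} is not CESA-accelerated on the SG-3100")
    if n.rcvbuf and n.rcvbuf[0] != n.rcvbuf[1]:
        out.append(f"receive socket buffer raised from {n.rcvbuf[0]} to {n.rcvbuf[1]} bytes")
    return out


if __name__ == "__main__":
    for f in findings(parse_openvpn_log(SAMPLE_LOG)):
        print("-", f)
```

Run against the posted log, this reports that NCP replaced the configured AES-256-CBC with AES-256-GCM, which is exactly the mismatch Steve is pointing at; comparing `pushed_cipher` with `data_cipher` also shows that the override came from the server's PUSH_REPLY rather than from the local config.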



  • @stephenw10:

    It won't do 300Mbps OpenVPN, I would expect to see the full 85Mbps here though. I have tested it at 95-100Mbps. It will do far more using IPSec if the VPN service supports that.

    However in the above log we can see:

    Mar 11 07:22:01    openvpn    59802    Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Mar 11 07:22:01    openvpn    59802    Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    

    It's using the NCP Algorithms as they take priority over the specified algorithms. However the cesa hardware crypto in the SG-3100 only accelerates AES-CBC so those should be set in NCP as suggested above by bcruze.

    Steve

    I'm learning here but -GCM on my SG-3100 provides about 145Mbps on average. Compared to hardware acceleration with -CBC I think I come out ahead. I have tested both and see about 95Mbps with -CBC as well.


  • Netgate Administrator

    Hmm, that's an interesting result. I'll have to retest.

    Steve



  • A question not asked

    Are you paying for the service or using the free one?

    The free service has limited speeds it appears



Sorry for being quiet, but I did not have the time to test. I now bought PIA and tested several of their nodes and was able to get the full 100 Mbit download with the tips from above, but only when disabling hardware crypto. If I could post something to help development, please drop me a message!


  • Netgate Administrator

    Disabling it in OpenVPN or in System > Advanced > Misc?

    Did you end up using AES-CBC or -GCM?

    Steve



I should add that my comments above with CBC vs GCM are my experience running the OpenVPN server on my SG-3100. I do use PIA as well but do not use it via config within the 3100. That said, when I connect to PIA I am using their OpenVPN option and it does now look like they are using GCM, but so far as I know I have no control or option to decide what is used. It's certificate based. Is there a choice? A different server maybe, based on the settings I want?



  • i've always followed the directions and use CBC:

    Mar 24 21:08:24 openvpn 15361 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Mar 24 21:08:24 openvpn 15361 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
    Mar 24 21:08:24 openvpn 15361 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key

    OK so a line above i do see this: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

    but i enabled 128 and 256 GCM for NCP Algorithms and it still connected as CBC

    shrug



  • @stephenw10:

    Disabling it in OpenVPN or in System > Advanced > Misc?

    In the OpenVPN client settings

    @stephenw10:

    Did you end up using AES-CBC or -GCM?

I can use both in the settings and get full speed (10,5 MB/s) as long as I do NOT enable Hardware Crypto. If I enable it I do not get more than 7 to 8 MB/s.