Extremely slow OpenVPN



  • Good evening,

    I'm here hoping you guys can help me. First of all, I have already read several post regarding possible slow OpenVPN fixes:

    • Already tried enabling fastforward parameter
    • Already enabled AES-NI
    • Already played with MTU and Buffer size

    Unfortunately, none of them worked. When I connect through my VPN, I hit 3mbps down / 2mbps up. My connection goes up to 300/300 (speed test carried out from pfSense), so I'm basically getting only 1% of my bandwidth.

    Some additional information:

    CPU: AMD Opteron™ X3216 APU / AES-NI CPU Crypto: Yes (active)
    RAM: 2GB

    Server config file

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-GCM
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.138
    engine cryptodev
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<vpn hostname="">' 1"
    lport 1994
    management /var/etc/openvpn/server1.sock unix
    push "dhcp-option DNS 10.10.10.1"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh none
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    topology subnet</vpn>
    

    Client config file

    dev tun
    persist-tun
    persist-key
    cipher AES-256-GCM
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote <vpn hostname=""> 1994 udp
    verify-x509-name "<vpn hostname="">" name
    remote-cert-tls server
    key-direction 1</vpn></vpn>
    

    Do you have any ideas or any hints regarding the extremely low speed?

    Thank you very much!



  • Update: switching to TCP seems to improve performance significantly. Over TCP I'm getting 30/30mbps



  • I am experiencing the same with my APU2C4 and (outgoing traffic via) AirVPN, hitting even lower rates!

    @Jausk:

    Good evening,

    I'm here hoping you guys can help me. First of all, I have already read several post regarding possible slow OpenVPN fixes:

    • Already tried enabling fastforward parameter
    • Already enabled AES-NI
    • Already played with MTU and Buffer size

    Unfortunately, none of them worked. When I connect through my VPN, I hit 3mbps down / 2mbps up. My connection goes up to 300/300 (speed test carried out from pfSense), so I'm basically getting only 1% of my bandwidth.

    Some additional information:

    CPU: AMD Opteron™ X3216 APU / AES-NI CPU Crypto: Yes (active)
    RAM: 2GB

    Server config file

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-GCM
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.138
    engine cryptodev
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<vpn hostname="">' 1"
    lport 1994
    management /var/etc/openvpn/server1.sock unix
    push "dhcp-option DNS 10.10.10.1"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh none
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM
    topology subnet</vpn>
    

    Client config file

    dev tun
    persist-tun
    persist-key
    cipher AES-256-GCM
    ncp-ciphers AES-256-GCM:AES-128-GCM
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote <vpn hostname=""> 1994 udp
    verify-x509-name "<vpn hostname="">" name
    remote-cert-tls server
    key-direction 1</vpn></vpn>
    

    Do you have any ideas or any hints regarding the extremely low speed?

    Thank you very much!



  • You might want to check that the settings for Hardware TCP Segmentation Offload (TSO) and Hardware Large Receive Offload (LRO) under System > Advanced on the Networking tab are ticked. (i.e. disabled)

    I found in my setup, that made a big difference.



  • @jausk said in Extremely slow OpenVPN:

    Update: switching to TCP seems to improve performance significantly. Over TCP I'm getting 30/30mbps

    UDP does not acknowledge sent packets, TCP does. Generally, due the extra overhead of acknowledging packet exchange via TCP, tends to cause more overhead, thus less achieved bandwidth vs. UDP, which is why UDP is the default for VPN services. And protocols that use UDP are considered to tolerate intermittent packet loss.

    So if you're experiencing an increasing in throughput with an acknowledged exchange protocol vs. a lossy protocol, that suggests something in the connection link may be priority throttling /losing/dropping packets, affecting overall throughput based on lossy vs. lossless protocol exchanges. This also does not rule out a packet size negotiation issue that may be the difference between your UDP and TCP connection differences.

    If TCP is giving you improved bandwidth over UDP, use that the explore if there is a packet fragmentation or priority issue in the upstream link between you, your VPN provider, and your target throughput test service.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy