Help getting my OpenVPN speeds up!

  • I've tried everything I can find from googling with no joy. I have a 350mbps connection which pfsense fully utilizes, but through the openvpn client only manages 30mbps - yet a connection to the same server when using a pc to connect with openvpn is orders of magnitude faster.

    I'm running PFsense virtualised, but have got the CPU setting on proxmox as 'host' and pfsense is happily showing both cores (3.07 GHz each) and with hardware crypto enabled. Vpn uses AES-GCM and this is showing as enabled. I've also toggled the hardware crypto setting in the openvpn client settings but this makes no difference. I've tried changing the send/receive buffer sizes but this also makes very little difference. Hardware checksum/TCP/Large Receive offloading have all been checked/unchecked separately and together - also only a small difference to download speeds. Openvpn config includes tun-mtu 1500; tun-mtu-extra 32; mssfix 1450;

    Where do I go from here? I'll admit that I'm pretty new to all of this but I've tried everything before coming here for help. Any suggestions greatly received!

  • I don't know anything about proxmox, but if at all possible I might try to compare to bare metal performance. I only say that because I run VPN clients on a small machine (Celeron N3150) and regularly get above 30Mbps through them. And I run snort and pfBlockerNG too. So the glaring difference is the virtualization, and if you could either implicate or exonerate it, it would dramatically narrow down where you'd need to focus.

  • @thenarc I completely agree - but the fact that I'm able to max out my connection with PFsense means I'm inclined to think the issue lies with how Openvpn is configured. The only real issue I can see with Proxmox is getting AES-NI support, but by using the host setting this has already been done. I can't really test it in any other way, stuck with virtualised!

  • Ah sorry, I missed the point that the "maxed out" test was also going through the same pfSense machine, just bypassing its client tunnel. I don't know what would be causing that dramatic of a difference. If the VPN provider offers *.ovpn config files, you could check the options in them against the options being set in your client config in pfSense, but that seems unlikely to be fruitful. I feel like you'd be able to tell whether the AES-NI is really being used by watching CPU usage while running a speed test? Because if the theory is it's being bottlenecked by software crypto, then it ought to be pretty evident there. If I think of anything else I'll let you know . . .
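The comparison suggested in the reply above, as an added example that is not part of the thread or any poster's own code: a Python script that diffs throughput-related directives between a provider .ovpn file and the client's options. The sample configs are constructed, and it assumes the client options are available as one semicolon-separated string like the one quoted in the first post.

```python
import re
# Directives that commonly affect tunnel throughput (a selection, not exhaustive).
PERF_KEYS = {"proto", "cipher", "data-ciphers", "auth", "compress", "comp-lzo",
             "tun-mtu", "tun-mtu-extra", "mssfix", "fragment", "sndbuf", "rcvbuf"}

def parse_ovpn(text):
    """Parse .ovpn text into {directive: args}, skipping comments and inline blocks."""
    opts, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                                  # inside <ca>...</ca> and similar
            block = None if line == f"</{block}>" else block
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            block = opened.group(1)
        elif line and line[0] not in "#;":         # '#' and ';' start comments in .ovpn
            key, *args = line.split()
            opts[key] = " ".join(args)
    return opts

def parse_semicolon_options(text):
    """Parse 'tun-mtu 1500; mssfix 1450;' style option strings (assumed client format)."""
    opts = {}
    for part in re.split(r"[;\n]", text):
        if part.strip():
            key, *args = part.split()
            opts[key] = " ".join(args)
    return opts

def diff_options(provider, client, keys=PERF_KEYS):
    """Return {directive: (provider_value, client_value)} for differing keys; None = unset."""
    return {k: (provider.get(k), client.get(k))
            for k in sorted(keys) if provider.get(k) != client.get(k)}

# Constructed sample inputs; cipher value and buffer sizes are placeholders.
PROVIDER_OVPN = """proto udp
cipher AES-256-GCM
# provider-tuned buffers
sndbuf 524288
rcvbuf 524288
tun-mtu 1500
mssfix 1450
<ca>
(certificate omitted)
</ca>
"""
CLIENT_OPTIONS = "proto udp; cipher AES-256-GCM; tun-mtu 1500; tun-mtu-extra 32; mssfix 1450;"

print(diff_options(parse_ovpn(PROVIDER_OVPN), parse_semicolon_options(CLIENT_OPTIONS)))
```

Directives that appear on only one side show up with `None` for the other, which is the quickest way to spot a buffer or MTU setting the provider ships that the client never applies.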

  • @thenarc Thanks for trying anyway. Yeah, watching the CPU usage was one of the first things I tried and it definitely isn't a problem as far as I can see, not even close. I'll keep trying different configurations, but if you or anyone else thinks of something then do let me know and I'll owe you a beer :-)
