Gigabit WAN + OpenVPN -- Speed on WAN for policy routed devices



  • Has anyone seen this and could provide some guidance on how to fix it (whether it's a bug or intended behavior)?

    1. Gigabit WAN connection on pfSense 2.4.4. Speed tested via speedtest.net from a LAN device when the OpenVPN client is NOT connected. Speed within spec (~900 Mbps).

    2. OpenVPN client is then connected over WAN. Speed tests for traffic routed via OpenVPN gateway (pfsense default route or policy routing from the same LAN device) around ~100 Mbps (acceptable for VPN provider).

    3. LAN device is then policy routed via WAN (i.e. bypassing OpenVPN connection). Speedtest.net displays the correct WAN IP address, confirming policy routing rule works.

    Despite traffic going out via Gigabit WAN, speed tests continue to be ~100 Mbps -- suggesting that even though traffic goes out via WAN gateway, the speed is somehow capped at OpenVPN levels.

    Is pfSense or OpenVPN limiting WAN speed (~900 Mbps when the OpenVPN client is NOT connected) to OpenVPN interface/gateway levels (~100 Mbps) once the OpenVPN client is connected? Is there any way for WAN policy routed devices (bypassing VPN) to get Gigabit WAN speeds rather than the much lower OpenVPN speeds? Any help is appreciated.


  • Netgate Administrator

    That is not intended. Most likely you have remaining states from an earlier test. Be sure to clear states between testing after changing the firewall rules.
    Otherwise your speedtest traffic is not being caught by the correct rules for some reason.

    Check the traffic graphs for the OpenVPN interface to confirm it really isn't going out over that.

    Steve



  • Check your OpenVPN provider configuration. I get at least 70% to 95% OpenVPN connection with my VPN provider at 14k miles away on any given day.



  • @stephenw10 said in Gigabit WAN + OpenVPN -- Speed on WAN for policy routed devices:

    That is not intended. Most likely you have remaining states from an earlier test. Be sure to clear states between testing after changing the firewall rules.
    Otherwise your speedtest traffic is not being caught by the correct rules for some reason.

    Check the traffic graphs for the OpenVPN interface to confirm it really isn't going out over that.

    Steve

    @stephenw10 thanks for your response and suggestion to check traffic graphs. Turns out the testing site (speedtest.net) branches off into a few other IPs/FQDNs and those were getting routed (as expected) via VPN even though speedtest.net itself was routed via WAN and reporting the right WAN IP. So this addresses the original issue.

    As a follow-up question -- once all traffic from test LAN device was routed via WAN, speed tests came back at roughly WAN speed minus speed per OpenVPN client connection (in this case ~900 Mbps - (2 x ~100 Mbps) ~= 700 Mbps as it was tested with 2 x OpenVPN connections in a load balancing gateway group). Is this expected behavior in your experience or do you see anything that may be fine tuned?

    Related, per @lovan6's comment (thank you for your reply), what might you look at tweaking in the OpenVPN client settings to bridge the gap between OpenVPN speeds (~100 Mbps) and WAN capacity (~900 Mbps)? For example outgoing bandwidth or anything else (currently outgoing bandwidth is empty for no limit). Thanks for your help.
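    The check Steve suggests (confirm the test host's traffic really isn't leaving over the OpenVPN interface) and the finding above (speedtest.net fans out to other hosts that still go through the VPN) can both be verified from the state table. The script below is an added example, not code from the thread or from pfSense: it parses `pfctl -ss` output and reports, per egress interface, the states belonging to one LAN host, flagging any destinations that still leave through a VPN interface. The sample output is constructed, and the interface names (em0 = WAN, em1 = LAN, ovpnc1 = OpenVPN client), the addresses and the assumed line format `<iface> <proto> <src> [(<pre-NAT src>)] -> <dst> <state>` are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (not taken from the thread).
# Assumed line format: "<iface> <proto> <src>[ (<pre-NAT src>)] <-|-> <dst>   <state>"
# em0 = WAN, em1 = LAN, ovpnc1 = OpenVPN client interface; 192.168.1.50 is the test host.
# Each connection shows up twice: once on the LAN interface, once (NATed) on the egress interface.
SAMPLE_STATES = """\
em1 tcp 192.168.1.50:50001 -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:50001 (192.168.1.50:50001) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.1.50:50002 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:50002 (192.168.1.50:50002) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:50003 (192.168.1.50:50003) -> 198.51.100.21:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:60000 (192.168.1.77:60000) -> 198.51.100.53:53       MULTIPLE:MULTIPLE
em0 udp 203.0.113.5:1194 <- 192.0.2.9:1194       MULTIPLE:MULTIPLE
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir><-|->)\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Parse pfctl -ss lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def strip_port(addr):
    """'192.168.1.50:50001' -> '192.168.1.50' (an IPv6 '[addr]:port' keeps its brackets)."""
    return addr.rsplit(":", 1)[0]


def lan_host(rec):
    """The internal host behind a state: the pre-NAT address if present, else the source."""
    return strip_port(rec["orig"] or rec["src"])


def egress_by_iface(records, host, lan_if):
    """Count the outbound states of `host` per egress interface, ignoring the LAN-side copies."""
    counts = Counter()
    for rec in records:
        if rec["dir"] == "->" and rec["iface"] != lan_if and lan_host(rec) == host:
            counts[rec["iface"]] += 1
    return counts


def vpn_leaks(records, host, vpn_ifaces, lan_if):
    """Destinations that `host` is reaching through a VPN interface although it is meant to use WAN."""
    return sorted(
        rec["dst"]
        for rec in records
        if rec["dir"] == "->"
        and rec["iface"] in vpn_ifaces
        and rec["iface"] != lan_if
        and lan_host(rec) == host
    )


if __name__ == "__main__":
    recs = parse_states(SAMPLE_STATES)
    host = "192.168.1.50"
    print("states per egress interface for", host, dict(egress_by_iface(recs, host, "em1")))
    for dst in vpn_leaks(recs, host, {"ovpnc1"}, "em1"):
        print("still leaving via VPN:", dst)
```

    On a real box, run `pfctl -ss` from the pfSense shell (or copy the Diagnostics > States page) and feed that text to `parse_states` instead of the constructed sample; run it with the policy rule in place and again after resetting states, since states created before a rule change keep their original route-to interface until they expire or are cleared.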


  • Netgate Administrator

    I would only expect to see that reduction if something else is using the VPN connection. If there is no VPN traffic then the full WAN bandwidth should be available for clients routing directly. Unless you have some traffic shaping in play.
    100 Mbps doesn't seem bad for a VPN provider, but speeds do vary wildly. 70-95% is not a useful measure; things are almost certainly limited at the VPN provider in absolute terms.

    What hardware are you running this on? You may be hitting a local limit there.

    Steve