OpenVPN Server slow Download speeds to Android & Windows clients

  • I am running a pfsense VPS on
    I am seeing nasty speed results on Download speeds over OpenVPN. I am forcing all client traffic through the vpn connection. If I reinstall the vps with Debian and install OpenVPN server on it I get much better results around 50mbps DL and 30 - 40 UP. However I do need to use pfsense for a different project and it would be nice to have an all in one vps.

    (no vpn) Home network speed test
    Download: 89mbps
    Upload: 53mbps

    (with vpn) Home network speed test
    Download: 200kbps <-> 1mbps
    Upload: 30mbps <-> 35mbps

    Clients: ( vpn client obtained from pfsense client export page )
    Windows 10 PC ( i7-7700 / 8GB DDR4 / 120GB SSD )
    Samsung Galaxy Note 9 - openvpn Connect app

    Server Info
    CPU: 1v core
    RAM: 512MB
    NET: 1 GB/s - Speed test 884.90mbps DL / 554.49mbps UP
    OS: Pfsense
    Version: 2.4.4-RELEASE (amd64)
    WAN port MTU: 5000

    Tweaks made to pfsense settings

    System /Advanced/Miscellaneous
    -- Cryptographic & Thermal Hardware --
    Cryptographic Hardware: AES-NI CPU-based Acceleration

    System /Advanced/System Tunables
    net.inet.ip.fastforwarding: 1

    VPN Server settings

    -- General Information --

    Server mode: Remote Access (SSL/TLS + User Auth)
    Protocol: UDP on IPv4
    Device Mode: tun - Layer 3 Tunnel Mode
    Interface: WAN
    Local Port: 443 ( have tested other ports no change )

    -- Cryptographic Settings --

    TLS Configuration: (check) Use a TLS Key
    TLS Key: key file here
    TLS Key Usage Mode: TLS Authentication
    Peer Certificate Authority: (cert is selected)
    Peer Certificate Revocation list: ( No Certificate Revocation Lists defined )
    Server certificate: (cert is selected)
    DH Parameter Length: 2048 bit
    ECDH Curve: Use Default
    Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
    Enable NCP: (check) Enable Negotiable Cryptographic Parameters
    NCP Algorithms: AES-128-GCM
    Auth digest algorithm: SHA256 (256-bit)
    Hardware Crypto: Intel RDRAND engine - RAND
    Certificate Depth: One (Client+Server)
    Strict User-CN Matching: -blank-

    -- Tunnel Settings --

    IPv4 Tunnel Network:
    IPv6 Tunnel Network: -blank-
    Redirect IPv4 Gateway: (checked)
    Redirect IPv6 Gateway: -blank-
    IPv6 Local network(s): -blank-
    Concurrent connections: -blank-
    Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
    Push Compression: (checked)
    Type-of-Service: -blank-
    Inter-client communication: -blank-
    Duplicate Connection: -blank-

    -- Client Settings --

    Dynamic IP: (checked)
    Topology: Subnet -- One IP address per client in a common subnet

    -- Advanced Client Settings --

    DNS Default Domain: -blank-
    DNS Server enable: -blank-
    Block Outside DNS: -blank-
    Force DNS cache update: -blank-
    NTP Server enable: -blank-
    NetBIOS enable: -blank-

    -- Advanced Configuration --

    Custom options:

    sndbuf 524288
    rcvbuf 524288
    tun-mtu 1500
    mssfix 1400

    UDP Fast I/O: (checked)
    Send/Receive Buffer: 512 KiB ( I have moved this all the way up to 2mb - No change )
    Gateway creation: IPv4 only
    Verbosity level: default

  • I seem to have fixed my slow speeds with the following:

    I am now getting 40mbps download and 30 upload over vpn.

    -- Network Interfaces --
    Hardware Checksum Offloading: (checked)

    Open VPN Server config
    -- Advanced Configuration --
    Custom options:

    fragment 0
    mssfix 0