VPN throughput dips
-
I'm seeing an interesting behavior when connected to an OpenVPN. The hardware is a Supermicro SYS-5019A-FTN4 with a Comcast Gigabit (1024M/40M) service.
When the firewall is receiving traffic, there are occasions where throughput drops to zero. It will eventually rebound, but I'm curious what's causing the drops.
Here's an example:
I do not see the same behavior on traffic in the reverse direction. I've tried both iperf as well as file copies with the same result.
I'm wondering if there's a configuration item that's limiting the throughput or something else I should be looking at.
Here's my client VPN config:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote <host> 443 tcp-client
verify-x509-name "pfsense" name
auth-user-pass
remote-cert-tls server
route 192.168.10.0 255.255.255.0
route 192.168.100.1 255.255.255.255
Thoughts? Thanks in advance!
-
TCP is always a really bad choice for OpenVPN.
-Rico
-
What modem are you using?
-
@chpalmer Netgear CM1000. To be clear, I don't see that pattern on LAN traffic. It's only via VPN.
-
How about the other side? How is it built?
-
@chpalmer The source is my office, which is a Cisco/Juniper enterprise environment.
-
@blwag said in VPN throughput dips:
192.168.100.1 255.255.255.255
The above address seems odd. Can you reach your modem while the VPN is up?
-
@chpalmer Yes, the modem management is accessible via VPN.
-
Hey, I’m seeing exactly the same thing with my OpenVPN server. Were you able to determine the issue?
My video streaming suffers due to the dip. Thanks for showing me the traffic graph package, now I can visually see what I’m seeing onscreen (OLED).
-
@blwag said in VPN throughput dips:
remote <host> 443 tcp-client
Why are you using TCP for a VPN? That can cause flow control issues, as both the computer and firewall are trying to do flow control. You should use UDP for VPNs, unless you have no other option.
-
@jknott I travel quite a bit for work and outbound network policies seem to differ from office to office. The common denominator is tcp/443. It's the easiest way to know that my VPN will always work.
-
@doylet8456 I'm currently on Holiday break from work, so I haven't been at the office to do any additional testing. I will after the new year. I haven't found a smoking gun, so my guess is the throughput is the same.
-
TCP in TCP is far from ideal, as you are finding out. I would at least test using UDP for the tunnel and see if your issues go away there.
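Added example, not from the thread or from OpenVPN itself: a small check that reads a client config the way OpenVPN resolves the tunnel transport (the optional fourth field of `remote`, else the global `proto`, else udp) and lists every remote that would run the inner TCP streams inside an outer TCP connection, the point raised by @jknott and in the last reply. The config it checks is a constructed copy of the one posted above; the `vpn.example` hosts in the extra cases are made up.

```python
from typing import Dict, List

# Constructed copy of the client config posted in the thread; <host> is the
# poster's own placeholder and is kept as-is.
POSTED_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote <host> 443 tcp-client
verify-x509-name "pfsense" name
auth-user-pass
remote-cert-tls server
route 192.168.10.0 255.255.255.0
route 192.168.100.1 255.255.255.255
"""

def _directives(config: str) -> List[List[str]]:
    """Tokenise an OpenVPN config, dropping blank lines and '#'/';' comments."""
    out = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            out.append(line.split())
    return out

def transports(config: str) -> List[Dict[str, str]]:
    """One entry per 'remote' line with the transport it resolves to: the
    optional 4th field of 'remote', else the global 'proto', else udp."""
    directives = _directives(config)
    global_proto = next((t[1].lower() for t in directives
                         if t[0] == "proto" and len(t) > 1), "udp")
    return [{"host": t[1],
             "port": t[2] if len(t) > 2 else "1194",
             "proto": t[3].lower() if len(t) > 3 else global_proto}
            for t in directives if t[0] == "remote" and len(t) > 1]

def tcp_remotes(config: str) -> List[str]:
    """Remotes that would carry the inner TCP streams inside an outer TCP
    connection, the setup the thread ties to the throughput stalls."""
    return [f"{r['host']}:{r['port']}/{r['proto']}"
            for r in transports(config) if r["proto"].startswith("tcp")]

if __name__ == "__main__":
    for entry in tcp_remotes(POSTED_CONFIG):
        print(f"{entry}: TCP-in-TCP transport; switch to udp where egress policy allows")
```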