OPENVPN and IPERF not working



  • Client to SG-3100 OPENVPN Setup (not site to site).

    TUN = 192.168.3.0/24
    LAN = 192.168.1.0/24

    I can ping anything on the LAN from the VPN-connected client device. However, I am unable to use iperf to test connection speeds.

    Basically my OpenVPN is slow.

    Site internet is 50/10 and home internet is 1GB/50.



  • Need more info. Define 'slow'. What do you mean exactly when you say that you can't use iperf? Fails to connect? Runs but the throughput is crap? Are you running iperf server on pfSense or a LAN client running the server?



  • iperf is on LAN host 192.168.1.2.
    iperf client connected using vpnclient and running iperf -c 192.168.1.2

    I am unable to connect. Again, I can ping from vpn client to any LAN address. I can also rdp UNC etc from vpn client to LAN addresses.

    I assume it has something to do with the 192.168.3.0/24 network and the LAN not being able to connect to it... ACL?



  • What are your firewall rules on the OpenVPN interface? Post a screen with any public details obscured.





  • OK, default rules with nothing blocked.

    What port is the server listening on? What command line are you using for the client? The one you listed didn't specify a port. Sorry, just realized that it uses a default port. Can you make an iperf connection from another client on LAN to the listener?



  • Server is listening on 5201

    Both iperf versions are the same and should use the default port. No firewalls internally. I can iperf from LAN to LAN hosts just fine using the commands below; it does not work from the VPN client.

    iperf -s
    iperf -c 192.168.1.2



  • Hmmm, very strange. Are you running any packages that might interfere with local traffic, like pfBlocker, Snort, Suricata...?



  • On client side, add to OpenVPN config:
    mssfix 1400
    and try iperf again.



  • Try @Pippin's suggestion. In the meantime, I did some reading and there are numerous reports of problems with iperf and NAT. One guy said you need to run it with -d (iperf2) or -R (iperf3) when in a NAT situation. Another said that iperf requires static source ports, and pfSense scrambles them (dynamic), so you might have to create an outbound NAT rule for just that connection and make it static port.



  • Rebooted the pfSense box and now it's working! No idea...

    [img]https://i.postimg.cc/DwGWbjdt/iperf-vpn.png[/img]



  • The -R option swaps client server role.



  • So now that I am successful in testing the connection, it's reporting under 1 Mbps.... Pretty useless for a VPN IMO other than some basic web-based administration and/or RDP.



  • Ha, this is the second time tonight that a problem I was helping to debug fixed itself with a reboot.

    There must be something else going on. I use pfSense OpenVPN from home (150/15) and it's quite fast.



  • Does your client CPU support AES-NI?
    What is the path from client to WAN of pfS?

    Also add
    -P 4
    to iperf.



  • I have an SG-3100 made by Netgate. I would assume it supports hardware-based AES-NI. I can look into that.

    Ping is 20 ms from the client endpoint to the pfSense SG-3100. I have a home-built pfSense at home for my own VPN and it rocks, but I know I am utilizing hardware AES and I also have a 50 Mb upload at home, 5 times faster than the office upload.



  • I have to go, but if none of the supplied command-line switches work, then my money is on the static source port requirement.

    https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html

    Good luck!



  • Enabled AES-NI cpu on the Netgate 3100 and now I am getting 10Mbit compared to 6Mbit. So it did help a little.

    Thanks for the assistance. Looks like a reboot and enabling hardware acceleration are the best I can get... I wonder if it has anything to do with the pfSense location's internet using async DSL.


  • 

    @techjunky said in OPENVPN and IPERF not working:

    Enabled AES-NI cpu on the Netgate 3100 and now I am getting 10Mbit compared to 6Mbit. So it did help a little.

    That is interesting since, as the SG-3100 is an ARM device, it does not have AES-NI.
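  The link speeds given in the thread (site 50/10, home 1000/50) already put a hard ceiling on what iperf can show through the tunnel, and the ceiling depends on direction: without -R the client sends, so the flow is bounded by the client's upload and the site's download; with -R the LAN-side server sends, so it is bounded by the site's upload and the client's download. The following is an added example (not code from the thread or from Netgate) that parses iperf3 -J output and compares the received rate against that ceiling; the JSON sample is constructed, and the link speeds are taken from the poster's figures.

```python
import json

# Link speeds from the thread, in Mbit/s: site 50 down / 10 up, home 1000 down / 50 up.
SITE_LINK = {"down": 50.0, "up": 10.0}
HOME_LINK = {"down": 1000.0, "up": 50.0}


def direction_ceiling(client_link, site_link, reverse):
    """Raw WAN bound in Mbit/s for an iperf3 run from a VPN client into the site LAN.

    Tunnel overhead and crypto CPU cost are ignored; this is only the
    asymmetric-link bound that no tuning (mssfix, -P, AES) can beat.
    """
    if reverse:  # -R: LAN server sends, client receives
        return min(site_link["up"], client_link["down"])
    return min(client_link["up"], site_link["down"])  # default: client sends


def parse_iperf3_json(text):
    """Return (reverse_mode, stream_count, sent_mbps, received_mbps) from iperf3 -J output."""
    doc = json.loads(text)
    test_start = doc["start"]["test_start"]
    reverse = bool(test_start.get("reverse", 0))
    streams = test_start["num_streams"]
    sent = doc["end"]["sum_sent"]["bits_per_second"] / 1e6
    recv = doc["end"]["sum_received"]["bits_per_second"] / 1e6
    return reverse, streams, sent, recv


def assess(text, client_link=HOME_LINK, site_link=SITE_LINK):
    """Compare the receiver-side rate (which excludes retransmits) with the link ceiling."""
    reverse, streams, _sent, recv = parse_iperf3_json(text)
    ceiling = direction_ceiling(client_link, site_link, reverse)
    return {"reverse": reverse, "streams": streams, "mbps": round(recv, 2),
            "ceiling_mbps": ceiling, "fraction_of_ceiling": round(recv / ceiling, 3)}


# Constructed sample, not real iperf3 output: a 4-stream -R run at roughly 9.6 Mbit/s.
SAMPLE = json.dumps({
    "start": {"test_start": {"num_streams": 4, "reverse": 1}},
    "end": {"sum_sent": {"bits_per_second": 9.9e6},
            "sum_received": {"bits_per_second": 9.6e6}},
})

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A result close to 1.0 of the ceiling means the WAN link, not the tunnel, is the limit; a result far below it is where mssfix, parallel streams or crypto acceleration are worth investigating.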

