Netgate Discussion Forum

    OpenVPN performance for remote worker

    pf_novice

      Setting up OpenVPN for a mobile user, who is behind NAT, so I haven't pursued IPsec. Coincidentally the same ISP: Comcast 300/10 at both client and server ends.

      However, VPN performance won't go faster than 10/5. Similar results when testing using LTE: 50/10 reduced to 10/5 over VPN.

      Ping to 8.8.8.8 without VPN is 13ms, with VPN is 50ms.

      This isn't a theoretical problem - client cannot work effectively (videoconferencing and large up/downloads) at these speeds. We need to redirect all traffic through the VPN.

      Netgate SG-5100 with the latest build of pfSense and OpenVPN. I have implemented the recommendations in the Netgate Docs; so far, no improvements.

      I'm wondering whether I've misconfigured something. Diagnostics / System Activity indicates only 2-3% CPU usage by OpenVPN and the system as a whole is running very low utilization.

      Key settings (LMK if anything else needed):

      Server Mode: Remote Access (SSL/TLS + User Auth)
      Backend: Local Database
      Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)
      Device mode: tun - Layer 3 Tunnel Mode
      Local port: 1194
      
      TLS configuration: Yes (use a TLS key)
      TLS Authentication
      
      DH Parameter Length 2048 bit
      Encryption Algorithm: AES-128-GCM (128 bit key, 128 bit block)
      Enable NCP: Yes
      
      NCP Algorithms: AES-128-GCM, AES-256-GCM, AES-128-CBC
      Auto digest algo: SHA256
      
      Hardware Crypto: BSD Cryptodev engine - RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC
      
      IPv4 Tunnel Network: 192.168.21.0/24 
      IPv6 Tunnel Network: fe80::/64
      [my LAN is 192.168.1.0/24]
      
      Redirect IPv4 Gateway: Yes
      Redirect IPv6 Gateway: Yes
      
      Compression: Omit Preference (Use OpenVPN Default) 
      [I tried disabling compression, the VPN stopped working]
      
      Duplicate Connection: Yes 
      [Worker uses iPhone and Macbook simultaneously on same account and certificate]
      
      Firewall Rules
      Pass: Interface OpenVPN / any
      
      pete35

        @pf_novice said in OpenVPN performance for remote worker:

        BSD Cryptodev engine

        Netgate 5100 can do AES-NI. Try to change the cryptodev to aesni.
        You may try to lower the MTU to 1450; this may help too.

        noplan @pete35

          Do you have to run all client traffic over the VPN?
          That kills the VPN endpoint pretty quickly if more and more remote users are logged in (the bottleneck is your endpoint's up/down speed).

          Try to use split tunnel,
          so that your users' Netflix/YouTube traffic, if allowed, does not run over your VPN.

          Rico

            Don't set any Hardware Crypto in the OpenVPN server settings.
            However, the bottleneck is your small upstream bandwidth. The OpenVPN server's 10 Mbps upload is the far-side (client) download.

            -Rico

            pf_novice @Rico

              @Rico of course! Can't imagine why I didn't think of that. Asymmetric connections won't play nice with VPN. Will see what the ISP can offer.

              Frustratingly, I just had to abandon a symmetric Fiber gigabit connection because AT&T's pole is 20 yards too far away and the conduit is borked.

              noplan @Rico

                @Rico said in OpenVPN performance for remote worker:

                The OpenVPN servers 10 Mbps upload

                but it's enough to use for a couple of remote workers

                pf_novice @noplan

                  @noplan In theory, yes, it should be. In practice the performance is inconsistent and on the margins of acceptability. Hard to be sure whether the increased latency (50ms vs 10ms to 8.8.8.8) is part of the issue, however.

                  noplan @pf_novice

                    @pf_novice

                    Hi,
                    we limited the upload of our VPN node to 10 Mbit.
                    Right now we have 8 users working fully remote on that box,
                    which means that all their traffic runs over the node with the 10 Mbit limit.

                    To be honest, I've never looked at latency on a VPN.

                    noplan @Rico
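A worked capacity model for Rico's point above (the server's 10 Mbps upload becomes the client's download) and noplan's experience of eight full-tunnel users on a 10 Mbit upstream; this is an added illustration, not code from the thread, pfSense or OpenVPN, and the 52-byte per-packet encapsulation overhead and the 1450-byte tunnel MTU are assumptions.

```python
"""Best-case throughput a remote worker sees through a full-tunnel
(redirect-gateway) OpenVPN server behind an asymmetric WAN link.

Added illustration, not code from the thread, pfSense or OpenVPN.
Assumed: ~52 bytes of encapsulation per tunnelled packet (IPv4 20 + UDP 8
+ OpenVPN header/packet-id 8 + AES-GCM tag 16) and a 1450-byte tunnel MTU.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    down_mbps: float  # towards this host (ISP "download")
    up_mbps: float    # away from this host (ISP "upload")


def payload_efficiency(tun_mtu: int = 1450, overhead: int = 52) -> float:
    """Fraction of each on-the-wire tunnel packet that is user payload."""
    return tun_mtu / (tun_mtu + overhead)


def full_tunnel_rates(server: Link, client: Link, users: int = 1,
                      tun_mtu: int = 1450, overhead: int = 52):
    """(download, upload) Mbps for one client with redirect-gateway.

    Download: internet -> server WAN down (plain) -> server WAN up
              (encapsulated) -> client down (encapsulated).
    Upload:   client up (encapsulated) -> server WAN down (encapsulated)
              -> server WAN up (plain) -> internet.
    The server's WAN link is split evenly among active users; the
    client's own link is not shared.
    """
    share = 1.0 / max(users, 1)
    eff = payload_efficiency(tun_mtu, overhead)
    down = min(server.down_mbps * share,
               server.up_mbps * share * eff,
               client.down_mbps * eff)
    up = min(client.up_mbps * eff,
             server.down_mbps * share * eff,
             server.up_mbps * share)
    return round(down, 2), round(up, 2)


if __name__ == "__main__":
    office = Link(300, 10)  # Comcast 300/10 at the server end
    home = Link(300, 10)    # same ISP at the client end
    lte = Link(50, 10)      # the LTE test in the thread
    for label, client, n in (("home, 1 user", home, 1),
                             ("LTE, 1 user", lte, 1),
                             ("home, 8 users", home, 8)):
        print(label, full_tunnel_rates(office, client, n))
```

With the thread's 300/10 links the model caps both directions at roughly 9.65 Mbps for a single client regardless of whether the client is on cable or LTE, and at about 1.2 Mbps per client once eight users share the upstream.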

                      @Rico said in OpenVPN performance for remote worker:

                      Don't set any Hardware Crypto in the OpenVPN server settings

                      For all times, or only for this use case in this topic?
                      br NP

                      viktor_g (Netgate)

                        Try to set net.link.ifqmaxlen="2048"

                        see https://redmine.pfsense.org/issues/10311
