Netgate Discussion Forum

OpenVPN performance for remote worker

  • pf_novice
    last edited by Sep 26, 2020, 1:10 AM

    Setting up OpenVPN for mobile user, who is behind NAT so haven't pursued IPsec. Coincidentally the same ISP: Comcast 300/10 at both client and server ends.

    However VPN performance won't go faster than 10/5. Similar results when testing using LTE: 50/10 reduced to 10/5 over VPN.

    Ping to 8.8.8.8 without VPN is 13ms, with VPN is 50ms.

    This isn't a theoretical problem - client cannot work effectively (videoconferencing and large up/downloads) at these speeds. We need to redirect all traffic through the VPN.

    Netgate SG-5100 with latest build of pfsense and OpenVPN. Have implemented recommendations in Netgate Docs; so far, no improvements.

    I'm wondering whether I've misconfigured something. Diagnostics / System Activity indicates only 2-3% CPU usage by OpenVPN and the system as a whole is running very low utilization.

    Key settings (LMK if anything else needed):

    Server Mode: Remote Access (SSL/TLS + User Auth)
    Backend: Local Database
    Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)
    Device mode: tun - Layer 3 Tunnel Mode
    Local port: 1194
    
    TLS configuration: Yes (use a TLS key)
    TLS Authentication
    
    DH Parameter Length 2048 bit
    Encryption Algorithm: AES-128-GCM (128 bit key, 128 bit block)
    Enable NCP: Yes
    
    NCP Algorithms: AES-128-GCM, AES-256-GCM, AES-128-CBC
    Auto digest algo: SHA256
    
    Hardware Crypto: BSD Cryptodev engine - RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC
    
    IPv4 Tunnel Network: 192.168.21.0/24 
    IPv6 Tunnel Network: fe80::/64
    [my LAN is 192.168.1.0/24]
    
    Redirect IPv4 Gateway: Yes
    Redirect IPv6 Gateway: Yes
    
    Compression: Omit Preference (Use OpenVPN Default) 
    [I tried disabling compression, the VPN stopped working]
    
    Duplicate Connection: Yes 
    [Worker uses iPhone and Macbook simultaneously on same account and certificate]
    
    Firewall Rules
    Pass: Interface OpenVPN / any
    
    • pete35
      last edited by pete35 Sep 26, 2020, 5:11 AM

      @pf_novice said in OpenVPN performance for remote worker:

      BSD Cryptodev engine

      Netgate 5100 can do AES-NI. Try to change the cryptodev to AES-NI.
      You may try to lower the MTU to 1450; this may help too.

      • noplan @pete35
        last edited by Sep 26, 2020, 6:09 AM

        Do you have to run all client traffic over the VPN?
        That kills the VPN endpoint pretty quickly if more and more remote users are logged in (the bottleneck is your endpoint up/down speed).

        Try to use split tunnel,
        so that your users' Netflix/YouTube traffic, if allowed, does not run over your VPN.

        • Rico LAYER 8 Rebel Alliance
          last edited by Sep 26, 2020, 5:34 PM

          Don't set any Hardware Crypto in the OpenVPN server settings.
          However, the bottleneck is your small upstream bandwidth. The OpenVPN server's 10 Mbps upload is the far side's (client's) download.

          -Rico

          • pf_novice @Rico
            last edited by Sep 27, 2020, 1:15 PM

            @Rico of course! Can't imagine why I didn't think of that. Asymmetric connections won't play nice with VPN. Will see what the ISP can offer.

            Frustratingly, I just had to abandon a symmetric Fiber gigabit connection because AT&T's pole is 20 yards too far away and the conduit is borked.

            • noplan @Rico
              last edited by Sep 27, 2020, 1:59 PM

              @Rico said in OpenVPN performance for remote worker:

              The OpenVPN servers 10 Mbps upload

              but it's enough to use for a couple of remote workers

              • pf_novice @noplan
                last edited by Sep 27, 2020, 7:56 PM

                @noplan In theory, yes it should be. In practice the performance is inconsistent and on the margins of acceptability. Hard to be sure whether the increased latency (50ms vs 10ms to 8.8.8.8) is part of the issue however.

                • noplan @pf_novice
                  last edited by Sep 28, 2020, 6:08 AM

                  @pf_novice

                  hi
                  we limited the upload of our VPN node to 10 Mbit
                  got right now 8 users working fully remote on that box,
                  which means that all their traffic runs over the node with the 10 Mbit limit

                  to be honest I've never looked at latency on a VPN

                  • noplan @Rico
                    last edited by Sep 28, 2020, 7:18 AM

                    @Rico said in OpenVPN performance for remote worker:

                    Don't set any Hardware Crypto in the OpenVPN server settings

                    for all times, or only for this use case in this topic?
                    br NP

                    • viktor_g Netgate
                      last edited by Sep 28, 2020, 11:32 AM

                      try to set net.link.ifqmaxlen="2048"

                      see https://redmine.pfsense.org/issues/10311

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.