OpenVPN performance for remote worker

pf_novice · Sep 26, 2020, 1:10 AM

Setting up OpenVPN for mobile user, who is behind NAT so haven't pursued IPsec. Coincidentally the same ISP: Comcast 300/10 at both client and server ends.

However VPN performance won't go faster than 10/5. Similar results when testing using LTE: 50/10 reduced to 10/5 over VPN.

Ping to 8.8.8.8 without VPN is 13ms, with VPN is 50ms.

This isn't a theoretical problem - client cannot work effectively (videoconferencing and large up/downloads) at these speeds. We need to redirect all traffic through the VPN.

Netgate SG-5100 with latest build of pfsense and OpenVPN. Have implemented recommendations in Netgate Docs; so far, no improvements.

I'm wondering whether I've misconfigured something. Diagnostics / System Activity indicates only 2-3% CPU usage by OpenVPN and the system as a whole is running very low utilization.

Key settings (LMK if anything else needed):

Server Mode: Remote Access (SSL/TLS + User Auth)
Backend: Local Database
Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)
Device mode: tun - Layer 3 Tunnel Mode
Local port: 1194

TLS configuration: Yes (use a TLS key)
TLS Authentication

DH Parameter Length 2048 bit
Encryption Algorithm: AES-128-GCM (128 bit key, 128 bit block)
Enable NCP: Yes

NCP Algorithms: AES-128-GCM, AES-256-GCM, AES-128-CBC
Auto digest algo: SHA256

Hardware Crypto: BSD Cryptodev engine - RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC

IPv4 Tunnel Network: 192.168.21.0/24 
IPv6 Tunnel Network: fe80::/64
[my LAN is 192.168.1.0/24]

Redirect IPv4 Gateway: Yes
Redirect IPv6 Gateway: Yes

Compression: Omit Preference (Use OpenVPN Default) 
[I tried disabling compression, the VPN stopped working]

Duplicate Connection: Yes 
[Worker uses iPhone and Macbook simultaneously on same account and certificate]

Firewall Rules
Pass: Interface OpenVPN / any

pete35 · Sep 26, 2020, 5:11 AM

@pf_novice said in OpenVPN performance for remote worker:

BSD Cryptodev engine

Netgate 5100 can do aesni. Try to change the cyrptodev to aesni.
You may try to lower the mtu to 1450, this may help too.

noplan · Sep 26, 2020, 6:09 AM

Do u have to run all client traffic over VPN?
That kills the VPN Endpoint pretty quick if more and more remote users are logged in (the bottleneck is your endpoint up/down speed)

Try tu use Splitt tunnel
So that your users Netflix YouTube traffic if allowed does not run over your VPN

Rico · Sep 26, 2020, 5:34 PM

Don't set any Hardware Crypto in the OpenVPN server settings.
However the bottleneck is your small Upstream bandwidth. The OpenVPN servers 10 Mbps upload is the far side (client) download.

-Rico

pf_novice · Sep 27, 2020, 1:15 PM

@Rico of course! Can't imagine why I didn't think of that. Asymmetric connections won't play nice with VPN. Will see what the ISP can offer.

Frustratingly, I just had to abandon a symmetric Fiber gigabit connection because AT&T's pole is 20 yards too far away and the conduit is borked.

noplan · Sep 27, 2020, 1:59 PM

@Rico said in OpenVPN performance for remote worker:

The OpenVPN servers 10 Mbps upload

but its enough to use for a couple of remote workers

pf_novice · Sep 27, 2020, 7:56 PM

@noplan In theory, yes it should be. In practice the performance is inconsistent and on the margins of acceptability. Hard to be sure whether the increased latency (50ms vs 10ms to 8.8.8.8) is part of the issue however.

noplan · Sep 28, 2020, 6:08 AM

@pf_novice

hi
we limited the upload of our vpn node to 10 Mbit
got right now 8 users workin full remote on that box,
means that all their traffic runs over the node with the 10Mbit limit

to be honest i v nerver looked at latency on a vpn

noplan · Sep 28, 2020, 7:18 AM

@Rico said in OpenVPN performance for remote worker:

Don't set any Hardware Crypto in the OpenVPN server settings

for all times or only for this use case in this topic ?
brNP

viktor_g · Sep 28, 2020, 11:32 AM

try to set net.link.ifqmaxlen="2048"

see https://redmine.pfsense.org/issues/10311