Slow upload to server

Marci

Hi

I have set up a VPN server on pfSense and I am getting quite slow speeds when uploading to the server.

The connection on the server side has a 200 Mbit download and 60 Mbit upload line. The client side which I used for the test has 130 Mbit download and 85 MBit upload speed.

When I establish the tunnel the client gets 55 Mbit download, which is cool because 60 Mbit would be the limitation. Strangely the client only gets ~25 MBit upload speed which I do not understand , I was expecting a higher value.

Any idea/explanation would be welcome.

SteveITS

@Marci How are you testing? What OS?

Marci

@SteveITS I am using the OpenVPN app on iOS as a client

Marci

bump
I would very much appreciate any ideas

michmoor

@Marci Are you testing on WiFi or cellular? Either one your speeds will vary.
What are the speeds when not on vpn?

Marci

@michmoor On the client side I am testing on cellular, server is connected via cable to ISP.
The connection on the server side has a 200 Mbit download and 60 Mbit upload line. The client side which I used for the test has 130 Mbit download and 85 MBit upload speed, without VPN.

hr1sha

@Marci are you using tcp or udp? have you tried increasing sndbuf rcvbuf?

Marci

@hr1sha I am using UDP and I have really good download speed. Therefore I guess the protocol works.

I have tried setting
sndbuf 512000;
rcvbuf 512000;
push "sndbuf 512000";
push "rcvbuf 512000";
on the server side but it did not have any effect (I am not sure about the commands/values, I googled these).

hr1sha

This post is deleted!

hr1sha

@Marci please show your server and client configuration

Marci

@hr1sha
Client:

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-256-CBC
data-ciphers-fallback AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote *deleted IP* *deleted port* udp4
lport 0
verify-x509-name "VPN server Cert" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify

Server:

reneg-sec 36000;
sndbuf 393216;
rcvbuf 393216;
push "sndbuf 393216";
push "rcvbuf 393216";

Thanks for looking into this

Gertjan

@Marci said in Slow upload to server:

reneg-sec 36000;
sndbuf 393216;
rcvbuf 393216;
push "sndbuf 393216";
push "rcvbuf 393216";

Noop.
These are the option you added manually.

edit : and you don't need to add

sndbuf 1048576
rcvbuf 1048576

and these get added as soon as you select :

reneg-sec 36000;

is more a security thing. Maybe not ok to set this to 10 hours. The default '3600' won't bite you (one hour !)

The actual OpenVPN server config looks like a OpenVPN client config.
Go console, or better : SSH,, option 8 :
It's here : /var/etc/openvpn/serverX/config.ovpn
Where X is your server ID, normally it's '1'

Here it is :

dev ovpns1
disable-dco
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh bhf.net"
local 192.168.10.4
engine rdrand
tls-server
server 192.168.3.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'bhf.net' 1"
lport 1194
management /var/etc/openvpn/server1/sock unix
max-clients 10
push "dhcp-option DOMAIN bhf.net"
push "dhcp-option DNS 192.168.3.1"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
client-to-client
remote-cert-tls client
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert 
key /var/etc/openvpn/server1/key 
dh /etc/dh-parameters.2048
tls-crypt /var/etc/openvpn/server1/tls-crypt 
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
allow-compression asym
persist-remote-ip
float
topology subnet

status /var/log/openvpn.status
status-version 1

Note : my custom config :

so these are just added to the rest.

hr1sha

@Marci try changing the encryption algorithm to 128 and test. A large buffer size is not always a good thing.

Rico

Could the iPhone be the bottleneck pushing encrypted traffic?
Maybe you can test with another more beefy client device first.

-Rico

Marci

@Gertjan Thanks for the help, so here is the server config (I deleted some IPs)

dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local *IP deleted*
engine rdrand
tls-server
server *IP deleted* 255.255.255.0
client-config-dir /var/etc/openvpn/server2/csc
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server2 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN+server+Cert' 1"
lport *port deleted*
management /var/etc/openvpn/server2/sock unix
max-clients 4
push "dhcp-option DOMAIN localdomain"
push "dhcp-option DNS *IP deleted""
push "redirect-gateway def1"
push "redirect-gateway ipv6"
capath /var/etc/openvpn/server2/ca
cert /var/etc/openvpn/server2/cert 
key /var/etc/openvpn/server2/key 
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2/tls-auth 0
data-ciphers AES-256-GCM:AES-256-CBC
data-ciphers-fallback AES-256-GCM
allow-compression no
persist-remote-ip
float
topology subnet
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"

push "rcvbuf 524288"

I have also removed the manual entry for regen-sec and send/receive buffer (I used the pfSense GUI to set the send/receive buffer)

Marci

This post is deleted!

Marci

@Rico That is a bit difficult for me as I am lacking the infrastructure for this test. I would need a PC/laptop in a different WLAN which I do not have.

Marci

@hr1sha Great that solved the issue, I am now getting the expected upload speed.
I guess that means I have been limited by the iPhone hardware (like also @Rico suspected).

I chose 256 encryption because I thought it is safer that 128, but after some quick research I guess 128 should be sufficiently safe (I guess).

upgradeyard

This post is deleted!