ISP Throttling VPN
-
Hello all,
The current setup is OpenVPN on an SG-3100 to an SG-4100, site to site, using port 1195 as 1194 is used for client to site. I have moved this from an IPSec site to site to see if I can overcome the throttling issue but with no luck. Both sites are on 200meg symmetrical line but we are only getting a max of 40meg across VPN, mostly 20meg during peak times.
I have tested an SG-2100 and SG-3100 on a different provider to confirm the VPN is capable of the 200meg throughput and it works fine with another provider so I know there are no hardware limitations.
I have changed the ports and also to TCP from UDP on the OpenVPN to try and mask the traffic but the ISP is clearly wise to that, and it hasn't made any difference.
Is anyone aware of any site-to-site VPN options within pfsense that will prevent the ISP from identifying the traffic and throttling? I have been chasing the ISP for weeks to get the issue addressed but I'm getting blanked by their support team.
Or are there any tweaks within OpenVPN I could be making to try and achieve the required speed?
Thanks in advance for any advice.
-
@steve-comerford
How are you testing throughput? -
Hello, thanks for your reply.
iPerf from a client on the network to the remote gateway as well as client to client on the remote network. Both produce similar results.
-
@steve-comerford
if you do a speed test local at the site (speedtest.net) do you see 200Mbps ? -
Yes getting 195meg on each site from speedtest.net.
I have also just tested with client to client on Zerotier (Peer To Peer), and getting the same throttled speed of 40meg using iPerf.
Thanks.
-
@steve-comerford
This may be a case of VPN and MTU.
Enable MSS Clamping under VPN > IPsec, Advanced Settings. Try with 1400 or lower values such as 1350 or 1300.If you are using OpenVPN i think to set the MTU its going to be under customer options
tun-mtu 1400;
mssfix 1350;of course toy around with the numbers to see if you see throughput changing for the better or worse.
-
Thanks for your input on this. Based on your feedback I have followed the guide below, but with no joy setting to 1470 or playing with lower numbers.
https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/#:~:text=The%20first%20thing%20you%20need,the%20packet%20size%20to%20use.
I also went to system>advanced>firewall & nat and enabled MSS clamping and played with various numbers in there, again it had zero effect at all on the performance.
Should I be matching the MTU and MSS settings on both sides, i.e server and client settings should match?
Would this be affected by the MTU settings of the of the actual WAN interface?
-
@steve-comerford
You're setting it on the firewalls, right? You dont have to touch the clients.
Are you doing traffic shaping or using limiters in any way? -
Yes on the firewalls, sorry what I meant was the OpenVPN server, and OpenVPN client within pfsense, not the clients as in workstations.
No traffic shaping or limiter in place, no IDS/IPS, no additional packages etc.
The main site has a client-to-gateway OpenVPN. Both sites have some VLANs configured, and the firewall rules, are deny first with the required ports opened. Thats the height of the complexity.
-
@steve-comerford
hmmm. When you go on VPN, assuming one of your clients is a Windows machine can you run the following?ping REMOTE_HOSTNAME -f -l 1500
keep running the command until you get a ping response and that should be the MTU you set for the vpn tunnel.
I cant think of what else to try to be honest.
-
Yeah, that's what I did to come up with 1470. Ping from workstation to workstation over VPN starting at 1500, dropping 10 until I got a successful ping and set the MTU to that.
I think im fighting a losing battle to be honest, due to the fact both the VPN traffic and Zerotier Peer to Peer traffic are being limited to the same speed, the only logical thing left is the ISP.
I appreciate your time on this, if nothing else I learned something new, thanks very much for your efforts. If I get a result i'll bing you an update on here.
Thanks @michmoor
-
Around here there are ISP which have bad peering and do throttle all kinds of stuff. Maybe name your ISP and connection technology and others can confirm.
-
@Bob-Dig
Could be bad peering i didnt think of that..OP would need to do an iPerf test (using port forwards) to confirm that.
-
The best MSS for IPsec tunnel mode ist 1328 if you don't wand padding.
https://packetpushers.net/ipsec-bandwidth-overhead-using-aes/ -
@steve-comerford said in ISP Throttling VPN:
I have changed the ports and also to TCP from UDP on the OpenVPN to try and mask the traffic but the ISP is clearly wise to that, and it hasn't made any difference.
I'm aware of networks that block VPNs and the way around that is to use TCP port 80 to get through the firewall. That might also work for throttling, if that's actually what's happening.
