ISP Throttling VPN
-
@steve-comerford
This may be a case of VPN and MTU.
Enable MSS Clamping under VPN > IPsec, Advanced Settings. Try with 1400 or lower values such as 1350 or 1300.
If you are using OpenVPN I think to set the MTU it's going to be under custom options:
tun-mtu 1400;
mssfix 1350;
Of course toy around with the numbers to see if you see throughput changing for the better or worse.
-
Thanks for your input on this. Based on your feedback I have followed the guide below, but with no joy setting to 1470 or playing with lower numbers.
https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/#:~:text=The%20first%20thing%20you%20need,the%20packet%20size%20to%20use.
I also went to system>advanced>firewall & nat and enabled MSS clamping and played with various numbers in there, again it had zero effect at all on the performance.
Should I be matching the MTU and MSS settings on both sides, i.e server and client settings should match?
Would this be affected by the MTU settings of the actual WAN interface?
-
@steve-comerford
You're setting it on the firewalls, right? You don't have to touch the clients.
Are you doing traffic shaping or using limiters in any way?
-
Yes, on the firewalls. Sorry, what I meant was the OpenVPN server and OpenVPN client within pfSense, not the clients as in workstations.
No traffic shaping or limiter in place, no IDS/IPS, no additional packages etc.
The main site has a client-to-gateway OpenVPN. Both sites have some VLANs configured, and the firewall rules are deny first with the required ports opened. That's the height of the complexity.
-
@steve-comerford
Hmmm. When you go on VPN, assuming one of your clients is a Windows machine, can you run the following?
ping REMOTE_HOSTNAME -f -l 1500
Keep running the command until you get a ping response and that should be the MTU you set for the VPN tunnel.
I can't think of what else to try to be honest.
-
Yeah, that's what I did to come up with 1470. Ping from workstation to workstation over VPN starting at 1500, dropping 10 until I got a successful ping and set the MTU to that.
I think I'm fighting a losing battle to be honest, due to the fact both the VPN traffic and ZeroTier peer-to-peer traffic are being limited to the same speed; the only logical thing left is the ISP.
I appreciate your time on this. If nothing else I learned something new, thanks very much for your efforts. If I get a result I'll ping you an update on here.
Thanks @michmoor
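The DF-bit ping sweep described in the two posts above, as an added example that is not part of the original thread. It binary-searches the largest payload that still gets through instead of stepping down by 10, converts that payload to a path MTU (ping's -l/-s value excludes the 28 bytes of IPv4 and ICMP headers, so a successful -l 1472 means a 1500-byte path), and derives tun-mtu/mssfix values in the pfSense custom-options format. One caveat a practitioner would want: a DF ping from workstation to workstation through the tunnel measures the tunnel's inner MTU, which the tun-mtu setting itself defines; to size the tunnel you want to probe the peer's WAN address from the firewall so the underlying WAN path is what gets measured. Assumptions, labelled as such in the code: OPENVPN_OVERHEAD is a conservative allowance for OpenVPN's UDP encapsulation and is not a figure from the page; the mssfix value uses the pre-2.6 OpenVPN meaning (a limit on the UDP payload), and the Linux/Windows ping flags are the ones those ping implementations accept.

```python
"""DF-bit ping sweep and OpenVPN tun-mtu / mssfix derivation.

Added example for this thread, not code from the original posts.
"""
import platform
import subprocess
import sys
from typing import Callable

IPV4_HDR = 20   # standard IPv4 header without options
ICMP_HDR = 8    # ICMP echo header
UDP_HDR = 8

# ASSUMPTION: a conservative allowance for what OpenVPN adds to each tunnelled
# IP packet (opcode/peer-id, packet-id, AEAD tag or HMAC, tls-auth/tls-crypt)
# before the outer IPv4+UDP headers. Not a figure from the thread; OpenVPN's own
# --mtu-test option reports the real value for a given tunnel.
OPENVPN_OVERHEAD = 69


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with DF set; True if it is answered.

    Windows: ping -f -l <payload>. Linux (iputils): ping -M do -s <payload>.
    A "message too long" / fragmentation-needed result gives a non-zero exit.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload for which probe() succeeds.

    Assumes a fixed path MTU, so probe is monotonic (if N fails, N+1 fails).
    hi defaults to 1472 = 1500 - IPv4 - ICMP, the most a plain Ethernet path
    can carry; raise it if the WAN uses jumbo frames.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP blocked")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ping -l / -s counts only the ICMP payload; the IP packet is 28 bytes larger."""
    return payload + IPV4_HDR + ICMP_HDR


def openvpn_settings(path_mtu: int) -> dict:
    """Derive tun-mtu and mssfix for an OpenVPN-over-UDP (IPv4) tunnel.

    tun-mtu: largest inner IP packet that still fits the path MTU after the
    assumed OpenVPN overhead plus outer IPv4+UDP headers are added.
    mssfix:  ASSUMPTION - pre-2.6 semantics, where the value bounds the UDP
             payload OpenVPN emits, so it is the path MTU minus IPv4+UDP.
             OpenVPN 2.6 can take "mssfix <path_mtu> mtu" instead.
    """
    tun_mtu = path_mtu - IPV4_HDR - UDP_HDR - OPENVPN_OVERHEAD
    mssfix = path_mtu - IPV4_HDR - UDP_HDR
    return {
        "tun_mtu": tun_mtu,
        "mssfix": mssfix,
        # pfSense "Custom options" field format: semicolon-separated directives
        "custom_options": f"tun-mtu {tun_mtu};mssfix {mssfix};",
    }


if __name__ == "__main__":
    # Usage: python mtu_probe.py <peer WAN address>  (run from the firewall)
    target = sys.argv[1]
    best = largest_payload(lambda n: ping_df(target, n))
    mtu = path_mtu_from_payload(best)
    print(f"largest DF payload {best} -> path MTU {mtu}")
    print(openvpn_settings(mtu)["custom_options"])
```

Run it from the firewall against the other site's public address; the values it prints go into the OpenVPN custom options on both pfSense boxes. If the largest payload comes out at 1472 the WAN path is a clean 1500 and MTU is unlikely to be the bottleneck, which points back to the ISP or peering explanation raised later in the thread.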
-
Around here there are ISPs which have bad peering and do throttle all kinds of stuff. Maybe name your ISP and connection technology and others can confirm.
-
@Bob-Dig
Could be bad peering, I didn't think of that. OP would need to do an iPerf test (using port forwards) to confirm that.
-
The best MSS for IPsec tunnel mode is 1328 if you don't want padding.
https://packetpushers.net/ipsec-bandwidth-overhead-using-aes/
-
@steve-comerford said in ISP Throttling VPN:
I have changed the ports and also to TCP from UDP on the OpenVPN to try and mask the traffic but the ISP is clearly wise to that, and it hasn't made any difference.
I'm aware of networks that block VPNs and the way around that is to use TCP port 80 to get through the firewall. That might also work for throttling, if that's actually what's happening.