OpenVPN Slow Only on One Specific Client (2.5G/1G Network)
-
Hello everyone,
I have set up an OpenVPN server on pfSense, connected to a 1 Gbps download / 300 Mbps upload fiber connection. Most clients connect without any issues, but one specific client has recently started experiencing very slow and inconsistent speeds, sometimes dropping to as low as 5 Mbps.
This client has a 2.5 Gbps download / 1 Gbps upload connection, so bandwidth should not be a limiting factor. The VPN worked fine for several weeks, but now the issue appears randomly.
I have already tried:
- Changing the OpenVPN server's public IP
- Testing different ports: 1194, 1191, and 443 (to mask traffic as HTTPS)
- Checking the client’s CPU during the connection (it is not overloaded)
- Disabling firewall/antivirus to rule out interference
- Verifying that other clients on the same VPN are working fine
Despite these tests, the problem persists only on this client and appears randomly. Has anyone encountered a similar issue or has any suggestions on what to check?
Thanks in advance for any help!
-
@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):
Changing the OpenVPN server's public IP
Like changing your phone number .... while staying with the same operator. You agree that, without even knowing how all this 4G/5G works, this most probably doesn't change anything.
That said, as a zillion exceptions always exist : if your previous IP was DOSsed thus your down stream was completely saturated, this would actually help .... Just to name one.
@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):
Testing different ports: 1194, 1191, and 443 (to mask traffic as HTTPS)
This might help, but if the phone was using the subscribers data plan (4G/5G), and not some public Wifi hot spot (with its own bandwidth limit, local admin the blocking stuff etc) all ports are 'identical'.
The theoretical ^^ "2.5 Gbps download / 1 Gbps upload connection" applies, and lowered to your "1 Gbps download / 300 Mbps upload". Keep in mind : the outgoing 300 Mbits is the users max download. Are there other users (VPN and local LAN) connected, this 300 Mbits will be far less.
Another aspect is the device being used. Is it the latest iPhone or Samsung, then yes, they can spit out 1 Gbit, even when encrypted for VPN. Have a look here to see what official Netgate devices can handle that. You'll be needing a 4200 at least.
VPN encoding is very CPU demanding. If it's a '50$' phone, forget about it.
@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):
Verifying that other clients on the same VPN are working fine
So, the bandwidth coming to pfSense, and leaving, is already shared.
In that case, I've the next test for you : get the VPN client a new phone, and ditch his operator, problem solved ^^
After all, when the VPN packets are coming in, the only thing that is different is the "source IP" and "source port". Decoding the content from client A and client B : doesn't make a difference.
So, for me, it's the "road" being used, and/or the connecting device and/or the operator's network.
Btw : I've 5G here. My phone is two years old and uses 5G.
Never saw more than 500 Mbits or so on it and if it did, it would be game over after half an hour or so, as 5G needs loads of power.
-
Hello @Gertjan,
Thanks for your response! I wanted to clarify some details about my setup to rule out some of the assumptions made:
- The pfSense server is a Super Micro 1537 with a CPU that never exceeds 10% load, so VPN encryption should not be a bottleneck.
- The server is connected to a full FTTH fiber connection (1 Gbps download / 300 Mbps upload). I am fully aware that the VPN throughput is theoretically capped at 300 Mbps.
- The problematic clients are a MacBook Pro and a OnePlus connected to a FTTH fiber network (2.5 Gbps download / 1 Gbps upload). They are not on mobile 5G or a limited connection.
Running Speedtest on these clients shows no issues, confirming that the underlying internet connection is stable.
- The issue does NOT occur when using 5G or FTTC connections, only on this specific FTTH connection.
- There are no signs of DDoS attacks on the server or client side.
- The problem occurs randomly, with VPN speeds varying between 5 Mbps and 30 Mbps, while other clients using the same VPN have no issues.
Given these details, it seems unlikely that the problem is related to the pfSense hardware, server bandwidth, or CPU processing power. Instead, it appears to be specific to the ISP or routing between the FTTH network and my OpenVPN server.
Would there be any recommended tests to diagnose potential ISP-level throttling or routing inefficiencies? Could this be related to MTU or MSS issues specific to this FTTH connection?
Thanks again for your insights!
-
@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):
Super Micro 1537 with a CPU that never exceeds 10% load,
pfSense is waiting on the WAN interface for traffic that comes in. Other VPN users have no issue, and your pfSense handles them just fine. Just this 'one more' shows issues ?
So, the issue isn't pfSense, the VPN server ..... but the client, or the connection to/from the client.
What happens if you swap the VPN client config between 2 of your VPN users ?
@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):
(2.5 Gbps download / 1 Gbps upload). They are not on mobile 5G or a limited connection
No need to mention this, if you already know the hard ceiling :
(1 Gbps download / 300 Mbps upload)
That said, the "problematic clients are a MacBook Pro and a OnePlus" have the connection "(2.5 Gbps download / 1 Gbps upload)" all for themselves ? Or is this connection shared with others ?
ISPs do sell their speeds measured with special conditions : like sun, Mars Earth and Jupiter aligned.
@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):
The issue does NOT occur when using 5G or FTTC connections, only on this specific FTTH connection.
Ah : That's useful info. The issue now boils down to that network and its ISP.