OpenVPN slow download
-
Hi everyone,
I'm facing another issue with slow downloads through an OpenVPN server.
Upload speed: 220 Mbps
Download speed: ~40 Mbps
Setup: pfSense 2.7.2 VM running on KVM with ample resources
Connection: 600/600 Mbps line on both server and client
I've tested eight different server-side encryption parameter configurations without success.
Current settings:
Crypto engine: Enabled
Checksum offloading: Disabled on both VM and KVM
Fast forwarding: net.inet.ip.fastforwarding = 1
Custom OpenVPN config:
tun-mtu 1500
fast-io
mssfix 0
send/receive buffer tested with all possible values
Despite these optimizations, download speeds remain low.
Any insights or suggestions would be greatly appreciated!
-
A suggestion : Does the client device also use a powerful processor with hardware acceleration that supports your encryption method ?
Also, with a test site in front of your WAN connection, like this one www.google.com or www.speedtest.net, you can/should/could (in theory) see a pfSense "Download speed" that is close to 600 Mbits / sec.
And again : is your device, the client, able to do so ?
You can test for a short moment without using VPN : create a WAN firewall rule that allows only the IP of your client device, so no risk while testing.
-
Hey @Gertjan,
Firewall itself can push 600/600mbps of unencrypted traffic.
Tried iperf from outside, client-fw unencrypted traffic full speed.
Client itself, proton openvpn with its enc. parameters ~300/300mbps.
I tried to mimic those enc. parameters from proton ovpn file, no luck there.
I understand they have more powerful hardware.. It was shot from the hip, so to say.
I am still hoping that I am missing something to turn on/ to push some kind of settings..
-
@bozo-bogd said in OpenVPN slow download:
Firewall itself can push 600/600mbps of unencrypted traffic.
You want or are promised these numbers.
Your pfSense WAN interface is most probably capable of handling 1 Gbit/sec.
Or :
Your ISP won't send info any faster than 600 Mbit/sec
Your ISP won't accept more than 600 Mbit/sec from you.
@bozo-bogd said in OpenVPN slow download:
Client itself, proton openvpn wa....
Ah ... I thought your pfSense was the server, and your VPN clients were limited in speed.
So it's the other way around, your pfSense is the VPN client, and ProtonVPN, promising "all they have" .... is your server - yeah right, Where did we see that before ? ^^ ;)
The good thing is : this excludes 3G/4G/5G marvelous data carriers and smartphone type devices.
It's the usual : a VPN ISP is like an ISP : they over-sell their connection speed tenfold.
And of course it isn't their fault ! It was the connection between Proton and your ISP. Or : the russians dragged another boat anchor over their sea cable ... or whatever.
If your ISP isn't giving you more than 40 Mbit/sec, and it is capable of delivering 600, then the most probable reason is : your ISP did not receive more than this 40 Mbit/sec.
Was it pfSense that was holding up ? Ask it !! Visit Diagnostics > System Activity and see what the top CPU users are ? Is it the openvpn client ?
( Probably not ... its waiting for more info, like you )
So .... humm, who to blame ? ^^
@bozo-bogd said in OpenVPN slow download:
Tried iperf from outside, client-fw unencrypted traffic full speed
So, now you know the local wire speed, LAN, through pfSense, to WAN, all is ok.
Normally you should not test with pfSense, but from a LAN device.
Also : if pfSense is doing the encryption for all your LAN devices, beware that this takes CPU cycles. The same cycles that are used (concur with) the shuffle of the data among the interfaces.
@bozo-bogd said in OpenVPN slow download:
I understand they have more powerful hardware.
Of course : big XEON quad core to the MAX, with 10 Gbit /sec interconnections and all that.
Let's believe this is exact.
What I also believe, as if I was a VPN ISP owner, per server, how many users would I allocate ? After all, a lot of users have idle connections ^^ so : 1000 ? users per VPN server, or more.
Which means that if they are all idle, you have your 600 Mbits/sec for sure.
If all the others are P2P activists, then ... 10 000 / 1000 = everybody has 10 Mbits /sec and not 1 byte more.
Can you test this : no ...
Your role is : you are a client : be happy, or go elsewhere. Period.
@bozo-bogd said in OpenVPN slow download:
I am still hoping that I am missing something to turn on/ to push some kind of settings..
Normally, you should set up the OpenVPN connection with the ovpn config that they gave to you.
Normally, they don't support routers - like pfSense - setups - as the OpenVPN client, they will say : use our app. As you can't mess around with the app, they control the settings of the app. So support to you for the app is easy.
Support for routers is way harder, as people tend to mess up their routers. And suddenly your entire networking goes over the VPN connection, not just a single device. Remember the "1000" users per server I talked about above ?
And sorry for the words, as it is less help and somewhat more a rant.
Just keep in mind that to find the answer to the question, you have to be aware of all the factors.
-
Sorry @Gertjan
I was not clear in my response.
I added ProtonVPN to the discussion just to confirm that the client is able to make a good download, just as confirmation that the client itself is good.
My connection is :
Ubuntu server (OpenVPN client - ISP speed 600/600) <-> pfSense fw (OpenVPN server - ISP speed 10G/10G)
Iperf cleartext traffic Ubuntu server <-> pfSense fw confirms client achieves 600/600 Mbps
Iperf through OpenVPN is 40/220 Mbps
pfSense fw gives really low download speed.
My understanding is, decryption and encryption take the same compute power for symmetric encryption algorithms (AES-256-GCM).
I am trying to figure out where download is lost :/
-
Ok, so you did set up (change a bit) an OpenVPN server like this :
My pfSense has a WAN that is connected to an ISP router, which is connected to my 1+Gbit/sec up and 1+Gbit/sec up fiber connection.
Normally, the phone + TV and Wifi options of this ISP router are all disabled, as I use it as an Internet access only device, a device that can 'talk' to the fiber link, as my pfSense (a 4100) only has RJ45 plugs.
I activated the Wifi 5 and 6 modes on the AP router.
I added an OpenVPN client profile to my phone (iphone 12 max) VPN app so it connects to the 192.168.10.4 IP = my pfSense WAN IP. My phone was using 192.168.10.10 - another LAN IP on the ISP router's LAN.
So : iPhone => [ Wifi 6] => (ISP Router AP) <=(cable) => [pfSense WAN] => pfSense OpenVPN server.
Keep in mind that the test app traffic will also leave the pfSense OpenVPN server, goes out over WAN again, hits the ookla (?) test server, coming back over WAN etc etc
I might expect more I guess. Not sure.
When I connect my phone to a pfSense LAN based AP (Unifi 6 Pro) I see 350 Mbits/sec in both directions. A LAN PC shows me :
which still isn't close to 1 Gbits/sec symmetrical yet, but, right now, about 35 people (hotel clients with their devices) are using the same internet (pfSense etc) connection right now, so maybe this has to be taken into account ^^
The AP I was using was also used by some other devices (15 ?)
So, for me, using the super "Wifi 6" still can't make it, the wired 1Gbits is always better.
My OpenVPN setup : from Netgate documentation papers and the Netgate Youtube channel and the Netgate OpenVPN server setup blog.
When trying to max out my VPN connection, I saw :
on pfSense. For just one VPN user doing about 130 Mbits/sec .... wow.
-
@bozo-bogd said in OpenVPN slow download:
Hi everyone,
I'm facing another issue with slow downloads through an OpenVPN server.
Upload speed: 220 Mbps
Download speed: ~40 Mbps
Setup: pfSense 2.7.2 VM running on KVM with ample resources
Connection: 600/600 Mbps line on both server and client
I've tested eight different server-side encryption parameter configurations without success.
Current settings:
Crypto engine: Enabled
Checksum offloading: Disabled on both VM and KVM
Fast forwarding: net.inet.ip.fastforwarding = 1
Custom OpenVPN config:
tun-mtu 1500
fast-io
mssfix 0
send/receive buffer tested with all possible values
Despite these optimizations, download speeds remain low.
Any insights or suggestions would be greatly appreciated!
Our experience is that without DCO enabled, OpenVPN is slow, even on relatively powerful hardware. This is OpenVPN's greatest limitation and is the primary reason we still use IPSEC for our site to site tunnels (though we are using OpenVPN for our client to site tunnels).
With DCO enabled on both ends, it's quite fast, at least in the site to site flavor (I would say in this mode it compares favorably to IPSEC. Probably around 90% of IPSEC's performance on average). Some of our appliances are running pfSense CE instead of Plus, however, and you have to have Plus to use DCO. Thus we use IPSEC.
Is this a client to site tunnel, or a site to site tunnel?