OpenVPN slow in PFSense VM

  • Hi all,

    I've been troubleshooting this for a couple of weeks now to no avail. Here is the situation:

    I am running a PFSense installation in a VM running on Citrix XenServer. XenServer was previously 6.0, recently updated to 6.1. I've tried PFSense 2.0 and 2.1 beta.

    Problem: when I VPN in using OpenVPN, the network performance is slow. Max I see is around 2Mbps up/down. My link is 25Mbps up and down.

    The issue seems to be related to OpenVPN. The reason I say this is that download/upload speeds to a webserver behind the PFSense firewall are at or near line speed (20 to 25 Mbps when I am not VPN'ed in). Once I VPN in, the same speed test to the webserver is dog slow - never more than 2 or 3 Mbps.

    I've tried the fastforwarding kernel tweak. I've tried compression and no compression in OpenVPN. I've tried disabling encryption. So far, nothing seems to help with the slowwwww speeds. I'm at my wit's end and looking for help/suggestions.

    Edit on 28 Nov: Seems like using TCP for OpenVPN's transport was a bad idea in my case. I switched to UDP and speeds are quite nice now - nearly full line speed.

  • Wow, thanks for the fast reply. I previously tried the fastforward tweak (including a reboot) and didn't notice a difference in performance.

    I will try it again to make sure I didn't goof it up the first time.

  • Check whether you have the hardware for 25 Mbit encryption, using top or a similar tool during the throughput test.

  • The host is a Core i7-970 with 24GB of RAM. The guest (PFSense) has 2 vCPUs and 512MB of RAM. Monitoring top in the guest and top and xentop in the host does not show high CPU use. While the speed test is underway, the PFSense top output shows openvpn using about 4-5% CPU. The host is very underutilized - normally at 10% or less CPU.

    Also, I modified the OpenVPN client and server profiles to use no encryption…and the speed test was still slow. So encryption overhead doesn't seem to be the issue.

  • I re-enabled fastforwarding, rebooted the VM, double-checked via sysctl net.inet.ip.fastforwarding (it was set to 1) and did another speed test. The results were perhaps slightly faster, but still very slow - 3Mbps range. :(

  • I also captured PCAPs with Wireshark on the remote system that I was VPNed in from. Nothing immediately sticks out as "wrong" - besides the fact that throughput is slower and there are fewer packets.

  • Ok, I've been playing more and might have found something. Seems like my decision to go with TCP might be related. I created a second instance as UDP and initial speed tests are MUCH better (expected levels).

    I went to TCP a while back due to the connection dropping out when I was streaming a moderate amount of data over hours of time over the VPN link. Perhaps that wasn't the right way to solve the problem…

  • If you have even a little packet loss, TCP (http) over TCP (openvpn) is going to be bad …

  • Apparently so. I guess I can chalk this one up as a good learning experience.

    Solution: Switch OpenVPN to UDP!
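As an added example (not from this thread or from pfSense's generated config), here is what the change the thread ends on looks like in OpenVPN server-config terms: the TCP transport that caused the slowdown beside a UDP transport that also covers the drop-outs which originally motivated the switch to TCP. The port, network and keepalive values are assumed; in pfSense this corresponds to the Protocol field of the OpenVPN server settings.

```conf
# --- BEFORE (assumed to match the thread's original setup): TCP transport ---
# Every TCP connection inside the tunnel is carried by the tunnel's own TCP
# session. With even slight packet loss, both layers retransmit and back off
# independently, so throughput collapses (the "TCP over TCP" effect above).
dev tun
proto tcp-server          # client side would use: proto tcp-client
port 1194
server 10.8.0.0 255.255.255.0   # assumed tunnel network

# --- AFTER: UDP transport, with keepalive for the drop-outs ---
# UDP lets the inner TCP streams handle loss on their own, so a lossy link
# costs a few retransmits instead of a stalled tunnel.
dev tun
proto udp                 # client side would use: proto udp
port 1194
server 10.8.0.0 255.255.255.0   # assumed tunnel network
# Ping the peer every 10 s and restart the tunnel if nothing is heard for
# 60 s; pushed to clients by the server. Keeps idle/NAT-mapped sessions alive
# instead of letting them silently drop (assumed values, not from the thread).
keepalive 10 60
```

Moving the existing server from TCP to UDP requires the matching change in every client profile, since the two sides must agree on the transport.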