Slow speeds on pfsense to pfsense OpenVPN tunnel



  • A friend of mine and I set up an OpenVPN tunnel between our two routers after switching off of an ipsec tunnel. Previously with the ipsec tunnel we'd have slow speeds in both directions, even though he's on Comcast with 35 down and 5 up, whereas I'm on FiOS with 35 down and 35 up. We're talking about speeds as low as 35KB/sec both ways.

    Hoping OpenVPN might fix this issue (as well as the random disconnects we'd get with ipsec as well and it sometimes recovering, sometimes not) we seem to have hit an oddity in this setup as well. His pfsense box is acting as the server, mine is acting as the client. My network is 10.0.0.x based, whereas his is 10.0.1.x based. I can reach everything on his network and he can reach everything on mine. When I download something from him whether over SMB or HTTP, I pretty much max out his connection which is to be expected as there isn't any QoS or other elements at play with everything being idle. When he tries to download anything from me, he'll wind up getting speeds somewhere in the 3Mbps or less, which shouldn't happen since I should be able to push much more than that to him.

    One of the questions we both thought about was should I be the server since I have the faster connection? Didn't think it would matter, but thought it might have been something to consider.

    Settings for the server side:

    Disabled | Protocol / Port | Tunnel Network  | Description
    NO       | UDP / 1194      | 10.255.255.0/29 |

    Server mode: P2P (shared key)

    2048 bit OpenVPN static key

    Tunnel network: 10.255.255.0/29

    Local network: 10.0.1.0/24

    Remote network: 10.0.0.0/24

    Concurrent connections: 6

    Compression: Compress tunnel packets using the LZO algorithm.  (this is checked)

    =-=-=-=-=-=-
    Settings for the client side:

    Server mode: P2P (shared key)

    2048 bit OpenVPN static key

    Tunnel network: 10.255.255.0/29

    Remote network: 10.0.1.0/24

    Based on another thread that I found at http://forum.pfsense.org/index.php/topic,47567.0.html, we also tried enabling "net.inet.ip.fastforwarding", but this doesn't seem to have helped.

    Any ideas?

    Thanks!



  • In theory, it "shouldn't" matter which side is server, but we'll start with a few questions:

    What version of PFsense?

    What kind of hardware are you running PFsense on?

    What Encryption Algorithm are you using?

    Do you have traffic shaping enabled?  Double check traffic shaping by interface and the limiter tab on both ends.



  • Sorry, forgot to include those points but should have initially. He's on 2.0.3-RELEASE and I'm on 2.0.1-RELEASE.

    Hardware wise, I'm on an i3 3220 @ 3.3GHz with 4GB of RAM, and my resources never seem to spike during VPN transmission or otherwise. He has a Xeon 5110 @ 1.6GHz. Pretty sure we're good on the hardware side.

    Encryption algorithm is AES-128-CBC (128-bit), no hardware encryption.

    Traffic shaping isn't enabled on either box. Double checked just to make sure.



  • I'd suggest a few things to try-

    Add "tun-mtu 1500;" and "mssfix 1400;" to the OpenVPN "Advanced Configuration"

    Move off port 1194… it might be shaped on the provider's end.



  • @dhel:

    I'd suggest a few things to try-

    Add "tun-mtu 1500;" and "mssfix 1400;" to the OpenVPN "Advanced Configuration"

    Move off port 1194… it might be shaped on the provider's end.

    Wow, this did cause a dramatic difference once applied to both ends. I max out his upload receiving on my end perfectly fine testing with both SMB and HTTP, and he can now get around 1 to 1.1MB/sec from me, which is great in comparison to before. I technically can push out 5MB/sec with the fluff on the upload from FiOS and he should be able to receive that since he has 45Mbps down, but I guess it's better than nothing!
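
An added example, not part of the thread: a shell sketch for checking whether an mssfix value such as the 1400 suggested above fits the WAN path, by binary-searching the largest ICMP payload that passes with Don't Fragment set. `PEER`, the function names and the 1200-1472 search range are assumptions, as is reading mssfix as a bound on the encapsulated UDP payload (the way OpenVPN 2.x manuals describe it).

```shell
#!/bin/sh
# Added example (not from the thread): measure how large a packet crosses the
# WAN path between the two sites unfragmented, then check an mssfix value.

# Real probe for pfSense/FreeBSD ping: -D sets Don't Fragment, -s the ICMP
# payload size, -t a 2 second timeout. PEER is an assumed variable holding the
# remote site's WAN address (probe outside the tunnel, not a 10.x address).
probe_ping() {
    ping -D -c 1 -t 2 -s "$1" "${PEER:?set PEER to the remote WAN address}" \
        >/dev/null 2>&1
}

# find_max_payload PROBE LO HI
# Binary search for the largest size in [LO, HI] that PROBE accepts.
# Prints 0 and fails if even LO does not get through.
find_max_payload() {
    probe=$1 lo=$2 hi=$3
    "$probe" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# An ICMP echo and a UDP datagram both carry 28 bytes of IPv4 headers
# (20 IP + 8 ICMP or UDP), so the largest ICMP payload equals the largest
# UDP payload. Assumption: mssfix bounds that UDP payload.
mssfix_fits() {    # mssfix_fits MSSFIX MAX_PAYLOAD
    [ "$1" -le "$2" ]
}

# Usage on the firewall shell:
#   PEER=<remote WAN address>; max=$(find_max_payload probe_ping 1200 1472)
#   mssfix_fits 1400 "$max" && echo "mssfix 1400 fits (max $max)"
```

Run it from each side toward the other, since the usable size can differ by direction when one link adds its own encapsulation.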

