
    2.1 Latency increase with openVPN

    • F
      firewalluser last edited by

      I've noticed when using openVPN the latency on pfsense goes up to over 500ms and then effectively kills the connection when I need to access stuff on the web, so is there anything I can do to decrease the latency?

      OpenVpn is configured:
      persist-tun
      persist-key
      cipher AES-256-CBC
      tls-client
      client
      remote [VPN IP Address] [Port] udp
      tls-remote [VPN Server Certificate CA]
      auth-user-pass
      comp-lzo

      The CA cert is set to 4096 bits which I would prefer to keep in order to keep the spooks in business if possible.

      All subsequent net traffic is directed through the vpn and whilst the latency is fine when just accessing devices within the network via ssh, if I need to look up a webpage, as this is now directed through the vpn, this is when the 500+ms latency strikes. The net access is just an ADSL connection so I only get just under <1Mb upload but ATM I'm only using ssh to update devices or reconfig devices and I would prefer to keep all net traffic going through the vpn as this helps when I need to remote access another site which allows access from known fixed IPs.

      So is there anything I can tweak to reduce the latency?

      TIA.

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

      • K
        kejianshi last edited by

        How are you accessing this?

        From where to where?  What protocol are you using for openvpn?  TCP or UDP?

        Is your client subnet range different than your server subnet range and that of pfsense?

        Lots of things might affect latency.

        • F
          firewalluser last edited by

          UDP, TCP has too much of an overhead.

          ATM I'm accessing the vpn from a neighbour's wifi connection to test, but tried also from a friend's broadband connection 40 miles away last night which is with a different ISP.
          Pfsense is on a 10Mb/1Mb down/up connection, the neighbour's and friend's is no more than 4Mb down/500Kb up.

          The tunnel is a separate address range to the Lan interface, ie tunnel could be 10.10.1.x and the Lan could be 192.168.1.x.

          The only time the latency shoots up is when I need to access something from the net, like look up a simple webpage which shows my ip address.

          TIA.

          • K
            kejianshi last edited by

            Change your LAN address from something other than 192.168.1.1 - Maybe take that first "1" and make it a random number between 25 and 200.
            Also, because of your very low upload speed and the neighbour's very low upload speed, you can easily run into shaping on both ISPs which will exaggerate your latency.

            • F
              firewalluser last edited by

              @kejianshi:

              > Change your LAN address from something other than 192.168.1.1 - Maybe take that first "1" and make it a random number between 25 and 200.

              Done but no difference.

              > Also, because of your very low upload speed and the neighbour's very low upload speed, you can easily run into shaping on both ISPs which will exaggerate your latency.

              I've just added a vpn upload limiter to the main vpn allow rule and that seems to have stopped the dropped connection, thanks!

              512Kbps keeps the latency under 50ms and no more than 2% packet loss, a 768Kbps will see the latency increase to the highest seen of 312ms with no more than 4% packet loss, so I'll keep playing with this to find a sweet spot, possibly something around 600Kbps or just under as I still have to leave a bit spare.

              Incidentally for anyone else who might be interested in the capacity of their vpn, Youtube is handy for testing this, just find a HD film and although Youtube starts off at what it thinks is best, ie 144p in my case, if I select 720p or 1080p that's when it will test the vpn and then you can see the latency and packet loss issues, alternatively do a search and then opening multiple websites from the results on new tabs can also trigger this sometimes as I first found out.

              Anyway thanks again that seems to have done the trick and kept it reliable enough to not drop the connections.

              • K
                kejianshi last edited by

                Yep - I've never had that problem before, but the cure for ISP shaping induced latency is exactly what you did.

                Make your own shaping and be sure to drop packets reasonably.

                Thank you for the help.  I'm clicking your thanks button now.

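The effect discussed in this thread, as an added example that is not part of any post: a sender that overruns an upstream bottleneck fills that bottleneck's buffer, and the queueing delay shows up as latency, while a local limiter set below the bottleneck rate drops the excess at the firewall and keeps the queue short. The 900/600 kbps rates, the 20-packet buffer and the constant-rate sender are assumptions for illustration, not measurements from the thread; real TCP traffic would also slow down in response to the drops.

```python
PKT_BITS = 1400 * 8  # constructed: one full-size tunnel packet

def simulate(offered_kbps, bottleneck_kbps, buffer_pkts,
             limiter_kbps=None, burst_pkts=2, seconds=10):
    """Return (worst_delay_ms, limiter_drop_pct, bottleneck_drop_pct)."""
    gap = PKT_BITS / (offered_kbps * 1000.0)         # sender's packet spacing (s)
    service = PKT_BITS / (bottleneck_kbps * 1000.0)  # bottleneck time per packet (s)
    bucket = burst_pkts * PKT_BITS                   # limiter bucket depth (bits)
    tokens = bucket
    link_free_at = 0.0   # time at which the bottleneck queue is empty again
    sent = local_drops = remote_drops = 0
    worst = 0.0
    t = 0.0
    while t < seconds:
        sent += 1
        passed = True
        if limiter_kbps is not None:
            # Token bucket at the firewall: refill, then pass or drop the packet.
            tokens = min(bucket, tokens + limiter_kbps * 1000.0 * gap)
            if tokens >= PKT_BITS:
                tokens -= PKT_BITS
            else:
                passed = False
                local_drops += 1
        if passed:
            # FIFO at the upstream bottleneck: wait behind whatever is queued.
            backlog = max(0.0, link_free_at - t)
            if backlog > buffer_pkts * service:
                remote_drops += 1          # buffer full, tail drop
            else:
                link_free_at = max(link_free_at, t) + service
                worst = max(worst, backlog + service)
        t += gap
    pct = lambda n: round(100.0 * n / sent, 1)
    return round(worst * 1000, 1), pct(local_drops), pct(remote_drops)

if __name__ == "__main__":
    # Constructed scenario: 900 kbps offered into a 600 kbps bottleneck.
    print("unshaped:", simulate(900, 600, 20))
    print("limited :", simulate(900, 600, 20, limiter_kbps=512))
```
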