2.1 Latency increase with openVPN



  • I've noticed that when using OpenVPN the latency on pfSense goes up to over 500ms and then effectively kills the connection when I need to access stuff on the web. Is there anything I can do to decrease the latency?

    OpenVPN is configured:
    persist-tun
    persist-key
    cipher AES-256-CBC
    tls-client
    client
    remote [VPN IP Address] [Port] udp
    tls-remote [VPN Server Certificate CA]
    auth-user-pass
    comp-lzo

    The CA cert is set to 4096 bits, which I would prefer to keep in order to keep the spooks in business if possible.

    All subsequent net traffic is directed through the vpn, and whilst the latency is fine when just accessing devices within the network via ssh, if I need to look up a webpage, as this is now directed through the vpn, this is when the 500+ms latency strikes. The net access is just an ADSL connection so I only get just under <1Mb upload, but ATM I'm only using ssh to update devices or reconfig devices, and I would prefer to keep all net traffic going through the vpn as this helps when I need to remote access another site which allows access from known fixed IPs.

    So is there anything I can tweak to reduce the latency?

    TIA.



  • How are you accessing this?

    From where to where?  What protocol are you using for openvpn?  TCP or UDP?

    Is your client subnet range different than your server subnet range and that of pfsense?

    Lots of things might affect latency.



  • UDP, TCP has too much of an overhead.

    ATM I'm accessing the vpn from a neighbour's wifi connection to test, but tried also from a friend's broadband connection 40 miles away last night which is with a different ISP.
    Pfsense is on a 10Mb/1Mb down/up connection; the neighbour's and friend's are no more than 4Mb down/500Kb up.

    The tunnel is a separate address range to the Lan interface, ie tunnel could be 10.10.1.x and the Lan could be 192.168.1.x.

    The only time the latency shoots up is when I need to access something from the net, like look up a simple webpage which shows my ip address.

    TIA.



  • Change your LAN address to something other than 192.168.1.1 - Maybe take that first "1" and make it a random number between 25 and 200.
    Also, because of your very low upload speed and the neighbour's very low upload speed, you can easily run into shaping on both ISPs which will exaggerate your latency.



  • @kejianshi:

    Change your LAN address to something other than 192.168.1.1 - Maybe take that first "1" and make it a random number between 25 and 200.

    Done but no difference.

    Also, because of your very low upload speed and the neighbour's very low upload speed, you can easily run into shaping on both ISPs which will exaggerate your latency.

    I've just added a vpn upload limiter to the main vpn allow rule and that seems to have stopped the dropped connection, thanks!

    512Kbps keeps the latency under 50ms and no more than 2% packet loss, a 768Kbps will see the latency increase to the highest seen of 312ms with no more than 4% packet loss, so I'll keep playing with this to find a sweet spot, possibly something around 600Kbps or just under as I still have to leave a bit spare.

    Incidentally, for anyone else who might be interested in the capacity of their vpn, Youtube is handy for testing this. Just find a HD film, and although Youtube starts off at what it thinks is best, ie 144p in my case, if I select 720p or 1080p that's when it will test the vpn and then you can see the latency and packet loss issues. Alternatively, doing a search and then opening multiple websites from the results on new tabs can also trigger this sometimes, as I first found out.

    Anyway, thanks again, that seems to have done the trick and kept it reliable enough to not drop the connections.



  • Yep - I've never had that problem before, but the cure for ISP shaping induced latency is exactly what you did.

    Make your own shaping and be sure to drop packets reasonably.

    Thank you for the help.  I'm clicking your thanks button now.
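
Added illustration, not part of the thread and not pfSense's own limiter code: a small Python model of the fix discussed above, showing how a sender that outruns a slow uplink fills the modem's buffer and how a token-bucket cap set below the uplink rate keeps that buffer nearly empty. The 900 kbit/s uplink, 64 KiB modem buffer, 1400-byte packets and the non-adaptive 4 Mbit/s sender are constructed assumptions, not measurements from the posts, and the model ignores other traffic and TCP back-off.

```python
# Added illustration, not from the thread. All figures are constructed assumptions.
PKT = 1400  # bytes per packet (assumed)


def peak_uplink_delay_ms(offered_bps, link_bps, buffer_bytes,
                         limiter_bps=None, burst_bytes=3000, seconds=5.0):
    """Peak time a packet waits in the modem's FIFO buffer, in milliseconds.

    offered_bps  : rate of a non-adaptive sender pushing traffic at the uplink
    link_bps     : real uplink rate at which the modem drains its buffer
    buffer_bytes : modem buffer size (tail drop when full)
    limiter_bps  : optional token-bucket cap applied before the modem
    """
    interval = PKT * 8 / offered_bps          # seconds between sender packets
    tokens = float(burst_bytes)               # limiter starts with a full bucket
    backlog = 0.0                             # bytes waiting in the modem buffer
    peak_ms = 0.0
    t = last = 0.0
    while t < seconds:
        elapsed, last = t - last, t
        # The modem drains its buffer at the true uplink rate.
        backlog = max(0.0, backlog - link_bps / 8 * elapsed)
        admitted = True
        if limiter_bps is not None:
            # Token bucket: refill at the cap, drop the packet if too few tokens.
            tokens = min(burst_bytes, tokens + limiter_bps / 8 * elapsed)
            admitted = tokens >= PKT
            if admitted:
                tokens -= PKT
        if admitted and backlog + PKT <= buffer_bytes:
            backlog += PKT
            # Delay seen by this packet: everything ahead of it plus itself.
            peak_ms = max(peak_ms, backlog * 8 / link_bps * 1000)
        t += interval
    return peak_ms


if __name__ == "__main__":
    uplink, buf = 900_000, 64 * 1024
    print("no limiter       : %.0f ms" % peak_uplink_delay_ms(4_000_000, uplink, buf))
    print("512 kbit/s limit : %.0f ms" % peak_uplink_delay_ms(4_000_000, uplink, buf, 512_000))
```
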

