Netgate Discussion Forum

    Speed issues reported by roaming users

    15 Posts 3 Posters 6.3k Views
      naughtyusmaximus

      My setup is as follows:

      1 smb fileserver used for internal storage
      2 WAN connections
      1 pfSense router

      Now I have set up openvpn for my roaming users, they are all able to connect to the VPN without issue.  They can reach the file server, mount the shares, and browse directories.  I'm getting horrible reports though that opening and saving word/excel/pdf documents is going ridiculously slow, to the point where some people will assume that their computers have hung.

      The documents themselves are smallish, only ~25-100KB, and the internet pipe is large enough that actual throughput is not an issue.  Are there any recommended places that I look to for solving these problems?  Can I change any configuration in Word, or Windows?  Is there a timing setting in OpenVPN?

      Thanks for any advice!

        naughtyusmaximus

        Here is a report from a user:

        "Browsing directories is usually quite slow.  It takes a long time for each
        folder to load up.  Saving goes VERY slowly.. sometimes it takes ~1-2
        minutes to save a large document, and about 40% of the time it freezes the
        computer and I have to force quit or sometimes restart, after which I often
        can't reopen whatever document it was that was involved in the freeze/crash
        as the computer says it is "damaged and cannot be repaired."  It is much
        better if I work off my hard drive, so I do that when I can.  Opening files
        is very slow.  Once in a while I will get a burst where everything works
        faster.  These bursts are infrequent, and I have no idea why they occur."

          naughtyusmaximus

          Also, the settings I am using for each client look like this:

          float
          port 1195
          dev tun
          dev-node mycompany
          proto udp
          remote mydomain.com 1195
          ping 10
          persist-tun
          persist-key
          tls-client
          ca ca.crt
          cert uname.crt
          key uname.key
          ns-cert-type server
          pull
          verb 4
          cipher AES-128-CBC
          route-delay 5

            GruensFroeschli

            How fast is the connection of your Server?

            Do you have something like that in place:
            @http://forum.pfsense.org/index.php/topic:

            If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
            you need to have a rule above your default rule (which has as gateway the loadbalancer)
            with destination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              naughtyusmaximus

              Ok, just to clarify, my LAN subnet is: 192.168.10.0/24, the VPN subnet is 10.0.5.0/24.

              What I should do is add a rule on my LAN to allow 10.0.5.0/24 as the destination?

                GruensFroeschli

                yes. a rule at the top with as Gateway: *

                How fast is the connection of your Server?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  naughtyusmaximus

                  The VPN WAN connection is 2.5Mbps down and 1Mbps up, and when this connection was previously used by remote users to access a WebDAV share the speed issues were not apparent.

                    GruensFroeschli

                    Well, don't expect wonders from a 1Mbit line.

                    Also:

                    sometimes it takes ~1-2 minutes to save a large document

                    It also depends on the line the users have on the remote side.
                    If they are at home, don't expect more than 500 kbit/s upload.

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                      naughtyusmaximus

                      Well the thing is that the users were not complaining a week ago when they were accessing the file share through a WebDAV connection instead of through the VPN.

                      My initial reaction was to blow them off as whiners as well (as I have yet to duplicate the problems in my own environment).  I believe that the slowest uplink connection that any of the users have is 500kbps, and the user I quoted above is in a corporate LAN where the network speed is likely to be closer to 10mbps up and down.

                        naughtyusmaximus

                        I've had an update from another user.  Many of his problems occur just while browsing the mounted drive.  Specifically after leaving his computer for a few minutes, he will come back.  OpenVPN will still show as being connected, but Windows will show the network drive as 'disconnected', and any attempt to browse the filesystem in Windows Explorer will hang Explorer to the point that the only fix is to kill the process.  The same is true of any Word documents which might have been open to files on the shared drive at the time.

                          naughtyusmaximus

                          Another thing I just noticed.  I just set up another site-site VPN connection, and used my 2nd WAN connection to connect.  This showed up in the log files for the client router:

                          openvpn[13018]: TCP/UDP: Incoming packet rejected from [WAN1_IP]:1197[2], expected peer address: [WAN2_IP]:1197 (allow this incoming source address/port by removing --remote or adding --float)
                          

                          Now I have set up the port range I'm using (1194-1197) to be 'not load balanced', or at least I thought I had.  Could this be a source of some of my problems?  And if so, is there something obvious that I must have done wrong?

                          1 Reply Last reply Reply Quote 0
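To see how often a tunnel hits the rejection quoted in the post above, the OpenVPN log can be summarized per expected/actual peer pair. This is an added example, not part of the original post; the sample log lines and their addresses are constructed, and only IPv4 is handled.

```python
import re
from collections import Counter

# Matches the rejection line quoted in the post. Newer OpenVPN builds prefix
# addresses with [AF_INET], so that prefix is optional here. IPv4 only.
REJECT = re.compile(
    r"Incoming packet rejected from (?:\[AF_INET\])?(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\[\d+\], expected peer address: (?:\[AF_INET\])?(?P<exp>[\d.]+):(?P<eport>\d+)"
)

TAIL = " (allow this incoming source address/port by removing --remote or adding --float)"
# Constructed sample lines using documentation-range addresses (not from the thread).
SAMPLE_LOG = [
    "openvpn[13018]: TCP/UDP: Incoming packet rejected from 198.51.100.10:1197[2], "
    "expected peer address: 203.0.113.20:1197" + TAIL,
    "openvpn[13018]: TCP/UDP: Incoming packet rejected from 198.51.100.10:1197[2], "
    "expected peer address: 203.0.113.20:1197" + TAIL,
    "openvpn[13018]: TCP/UDP: Incoming packet rejected from [AF_INET]203.0.113.20:40112[2], "
    "expected peer address: [AF_INET]203.0.113.20:1197" + TAIL,
    "openvpn[13018]: Initialization Sequence Completed",
]

def classify(src, sport, exp, eport):
    """Say which half of the expected address:port pair did not match."""
    addr_differs, port_differs = src != exp, sport != eport
    if addr_differs and port_differs:
        return "address-and-port-mismatch"
    # A different address on the same port is what a reply leaving through
    # another WAN looks like to the peer.
    return "address-mismatch" if addr_differs else "port-mismatch"

def summarize(lines):
    """Count rejections keyed by (expected address, actual address, kind)."""
    counts = Counter()
    for line in lines:
        m = REJECT.search(line)
        if m is None:
            continue  # unrelated log line
        kind = classify(m["src"], m["sport"], m["exp"], m["eport"])
        counts[(m["exp"], m["src"], kind)] += 1
    return counts

if __name__ == "__main__":
    for (exp, src, kind), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  expected {exp}  got {src}  {kind}")
```

A steady count of address mismatches between the same two addresses points at routing on the sending side rather than at the client.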
                            naughtyusmaximus

                            I feel like a dork replying to all of my own messages, but I think it makes sense that the reply was coming through WAN1 instead of WAN2, as I have the following rule on my LAN side (of the server):

                            TCP  	 LAN net  	 *  	 *  	 HTTPsALL  	 Wan2FailoverWan1 
                            

                            Now my VPN is running over UDP, so it isn't caught by this rule, which means it could be load balanced.  What I don't quite get is how I can set up my VPN to both not load balance, but also allow users to connect to either WAN1 or WAN2.  I could expand the above rule to include UDP, but that would restrict me to using only WAN1 - does anyone know what I need to do to allow WAN2 as well?

                              altom

                              I have had the problems with VPN users and finally upgraded my pfSense hardware and finally got better throughput. Technically, VPN used in pfSense increases the CPU usage; encrypting and decrypting traffic is CPU intensive. Also, the number of concurrent VPN connections is a CPU concern.
                              To maximize the pfSense VPN horsepower, first you have to use NICs that don't burn too much of your CPU time. Intel should be fine because it has its own NIC processor built into the card, and the traffic doesn't have to go through the CPU. Also, pfSense supports multiprocessor systems, so you can install it in a multiprocessor system to have faster processing, especially for VPN.  ;D

                                GruensFroeschli

                                @naughtyusmaximus:

                                I feel like a dork replying to all of my own messages, but I think it makes sense that the reply was coming through WAN1 instead of WAN2, as I have the following rule on my LAN side (of the server):

                                TCP  	 LAN net  	 *  	 *  	 HTTPsALL  	 Wan2FailoverWan1 
                                

                                Now my VPN is running over UDP, so it isn't caught by this rule, which means it could be load balanced.  What I don't quite get is how I can set up my VPN to both not load balance, but also allow users to connect to either WAN1 or WAN2.  I could expand the above rule to include UDP, but that would restrict me to using only WAN1 - does anyone know what I need to do to allow WAN2 as well?

                                http://forum.pfsense.org/index.php/topic,7001.0.html

                                If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
                                you need to have a rule above your default rule (which has as gateway the loadbalancer)
                                with destination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.

                                We do what we must, because we can.

                                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                                1 Reply Last reply Reply Quote 0
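The rule-ordering advice in the reply above can be checked with a small first-match model of the LAN rule list. This is an added example, not pfSense code or anything from the original posts; the subnets are the ones given in the thread, while the contents of the HTTPsALL alias (ports 80 and 443) and the pool name LoadBalancer are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.10.0/24")   # LAN subnet from the thread
VPN = ip_network("10.0.5.0/24")       # VPN subnet from the thread
HTTPS_ALL = frozenset({80, 443})      # assumed contents of the HTTPsALL alias

@dataclass(frozen=True)
class Rule:
    proto: str                    # "tcp", "udp" or "*" for any
    src: object                   # source network
    dst: object                   # destination network
    dports: Optional[frozenset]   # None means any destination port
    gateway: str                  # "*" means: use the normal routing table

def first_match(rules, proto, src, dst, dport):
    """Return the gateway of the first rule that matches, top to bottom."""
    for r in rules:
        if r.proto not in ("*", proto):
            continue
        if ip_address(src) not in r.src or ip_address(dst) not in r.dst:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.gateway
    return "blocked"  # nothing matched

HTTPS_RULE = Rule("tcp", LAN, ANY, HTTPS_ALL, "Wan2FailoverWan1")
DEFAULT = Rule("*", LAN, ANY, None, "LoadBalancer")   # hypothetical pool name
VPN_BYPASS = Rule("*", LAN, VPN, None, "*")           # the rule from the reply

WITHOUT_BYPASS = [HTTPS_RULE, DEFAULT]
BYPASS_TOO_LOW = [HTTPS_RULE, VPN_BYPASS, DEFAULT]
BYPASS_ON_TOP = [VPN_BYPASS, HTTPS_RULE, DEFAULT]

if __name__ == "__main__":
    # A LAN host opening connections to a VPN client at 10.0.5.6 (constructed).
    for name, rules in [("without bypass", WITHOUT_BYPASS),
                        ("bypass too low", BYPASS_TOO_LOW),
                        ("bypass on top", BYPASS_ON_TOP)]:
        smb = first_match(rules, "tcp", "192.168.10.20", "10.0.5.6", 445)
        web = first_match(rules, "tcp", "192.168.10.20", "10.0.5.6", 443)
        print(f"{name:15s} tcp/445 -> {smb:16s} tcp/443 -> {web}")
```

With the bypass rule below the HTTPsALL rule, TCP 443 toward a VPN client is still sent to a WAN gateway, which is why the rule belongs at the top.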
                                  naughtyusmaximus

                                  Yep, I have that rule
