Speed issues reported by roaming users



  • My setup is as follows:

    1 smb fileserver used for internal storage
    2 WAN connections
    1 pfSense router

    Now I have set up OpenVPN for my roaming users, and they are all able to connect to the VPN without issue.  They can reach the file server, mount the shares, and browse directories.  I'm getting horrible reports though that opening and saving word/excel/pdf documents is going ridiculously slow, to the point where some people will assume that their computers have hung.

    The documents themselves are smallish, only ~25-100KB, and the internet pipe is large enough that actual throughput is not an issue.  Are there any recommended places that I look to for solving these problems?  Can I change any configuration in Word, or Windows?  Is there a timing setting in OpenVPN?

    Thanks for any advice!



  • Here is a report from a user:

    "Browsing directories is usually quite slow.  It takes a long time for each
    folder to load up.  Saving goes VERY slowly.. sometimes it takes ~1-2
    minutes to save a large document, and about 40% of the time it freezes the
    computer and I have to force quit or sometimes restart, after which I often
    can't reopen whatever document it was that was involved in the freeze/crash
    as the computer says it is "damaged and cannot be repaired."  It is much
    better if I work off my hard drive, so I do that when I can.  Opening files
    is very slow.  Once in a while I will get a burst where everything works
    faster.  These bursts are infrequent, and I have no idea why they occur."



  • Also, the settings I am using for each client look like this:

    float
    port 1195
    dev tun
    dev-node mycompany
    proto udp
    remote mydomain.com 1195
    ping 10
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert uname.crt
    key uname.key
    ns-cert-type server
    pull
    verb 4
    cipher AES-128-CBC
    route-delay 5



  • How fast is the connection of your Server?

    Do you have something like that in place:
    @http://forum.pfsense.org/index.php/topic:

    If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
    you need to have a rule above your default rule (which has as gateway the loadbalancer)
    with destination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.



  • Ok, just to clarify, my LAN subnet is: 192.168.10.0/24, the VPN subnet is 10.0.5.0/24.

    What I should do is add a rule on my LAN to allow 10.0.5.0/24 as the destination?



  • Yes. A rule at the top, with Gateway: *

    How fast is the connection of your Server?



  • The VPN WAN connection is 2.5Mbps down and 1Mbps up, and when this connection was previously used by remote users to access a WebDAV share the speed issues were not apparent.



  • Well, don't expect wonders from a 1Mbit line.

    Also:

    sometimes it takes ~1-2 minutes to save a large document

    It also depends on the line the users have on the remote side.
    If they are at home, don't expect more than 500 kbit/s upload.



  • Well the thing is that the users were not complaining a week ago when they were accessing the file share through a WebDAV connection instead of through the VPN.

    My initial reaction was to blow them off as whiners as well (as I have yet to duplicate the problems in my own environment).  I believe that the slowest uplink connection that any of the users have is 500kbps, and the user I quoted above is in a corporate LAN where the network speed is likely to be closer to 10Mbps up and down.



  • I've had an update from another user.  Many of his problems occur just while browsing the mounted drive.  Specifically after leaving his computer for a few minutes, he will come back.  OpenVPN will still show as being connected, but Windows will show the network drive as 'disconnected', and any attempt to browse the filesystem in Windows Explorer will hang Explorer to the point that the only fix is to kill the process.  The same is true of any Word documents which might have been open to files on the shared drive at the time.



  • Another thing I just noticed.  I just set up another site-site VPN connection, and used my 2nd WAN connection to connect.  This showed up in the log files for the client router:

    openvpn[13018]: TCP/UDP: Incoming packet rejected from [WAN1_IP]:1197[2], expected peer address: [WAN2_IP]:1197 (allow this incoming source address/port by removing --remote or adding --float)
    

    Now I have set up the port range I'm using (1194-1197) to be 'not load balanced', or at least I thought I had.  Could this be a source of some of my problems?  And if so, is there something obvious that I must have done wrong?
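
    An added example, not part of the original thread: one way to count how often OpenVPN logs the "Incoming packet rejected" warning quoted above, and whether the mismatch is in the source address or only in the source port. The function name, the regular expression and the sample log lines are assumptions made for illustration; the sample addresses are constructed from documentation ranges.

```python
import re
from collections import Counter

# Matches the warning quoted in the post. The "[AF_INET]" prefix that some
# OpenVPN builds print before the address is treated as optional.
REJECT_RE = re.compile(
    r"Incoming packet rejected from (?:\[AF_INET6?\])?(?P<seen>\S+?):(?P<sport>\d+)\[\d+\], "
    r"expected peer address: (?:\[AF_INET6?\])?(?P<want>\S+?):(?P<wport>\d+) "
)

def classify_rejects(log_lines):
    """Return {(kind, seen, expected): count} for rejected-packet warnings.

    kind is "address" when the packet came from a different IP than the
    configured peer (for example the other WAN of a multi-WAN router), and
    "port" when the IP matched and only the source port differed (typically
    source-port rewriting by NAT).
    """
    hits = Counter()
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m is None:
            continue  # unrelated log line
        kind = "address" if m["seen"] != m["want"] else "port"
        seen = f'{m["seen"]}:{m["sport"]}'
        want = f'{m["want"]}:{m["wport"]}'
        hits[(kind, seen, want)] += 1
    return dict(hits)

# Constructed sample log (not taken from the thread).
HINT = "(allow this incoming source address/port by removing --remote or adding --float)"
SAMPLE_LOG = [
    "Jan 10 09:14:02 openvpn[13018]: TCP/UDP: Incoming packet rejected from "
    "192.0.2.10:1197[2], expected peer address: 198.51.100.20:1197 " + HINT,
    "Jan 10 09:14:12 openvpn[13018]: TCP/UDP: Incoming packet rejected from "
    "192.0.2.10:1197[2], expected peer address: 198.51.100.20:1197 " + HINT,
    "Jan 10 09:14:20 openvpn[13018]: Initialization Sequence Completed",
    "Jan 10 09:15:01 openvpn[13018]: TCP/UDP: Incoming packet rejected from "
    "[AF_INET]198.51.100.20:40211[2], expected peer address: "
    "[AF_INET]198.51.100.20:1197 " + HINT,
]

if __name__ == "__main__":
    for (kind, seen, want), n in classify_rejects(SAMPLE_LOG).items():
        print(f"{n}x {kind} mismatch: got {seen}, expected {want}")
```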



  • I feel like a dork replying to all of my own messages, but I think it makes sense that the reply was coming through WAN1 instead of WAN2, as I have the following rule on my LAN side (of the server):

    TCP  	 LAN net  	 *  	 *  	 HTTPsALL  	 Wan2FailoverWan1 
    

    Now my VPN is running over UDP, so it isn't caught by this rule, which means it could be load balanced.  What I don't quite get is how I can set up my VPN to both not load balance, but also allow users to connect to either WAN1 or WAN2.  I could expand the above rule to include UDP, but that would restrict me to using only WAN1 - does anyone know what I need to do to allow WAN2 as well?



  • I have had these problems with VPN users, and finally upgraded my pfSense hardware and got better throughput. Technically, VPN use in pfSense increases CPU usage; encrypting and decrypting traffic is CPU intensive. Also, the number of concurrent VPN connections is a CPU concern.
    To maximize the pfSense VPN horsepower, first you have to use NICs that don't burn too much of your CPU time. Intel should be fine because it has its own NIC processor built into the card, and the traffic doesn't have to go through the CPU. Also, pfSense supports multiprocessor systems, so you can install it on a multiprocessor system to have faster processing, especially for VPN.  ;D



  • @naughtyusmaximus:

    I feel like a dork replying to all of my own messages, but I think it makes sense that the reply was coming through WAN1 instead of WAN2, as I have the following rule on my LAN side (of the server):

    TCP  	 LAN net  	 *  	 *  	 HTTPsALL  	 Wan2FailoverWan1 
    

    Now my VPN is running over UDP, so it isn't caught by this rule, which means it could be load balanced.  What I don't quite get is how I can set up my VPN to both not load balance, but also allow users to connect to either WAN1 or WAN2.  I could expand the above rule to include UDP, but that would restrict me to using only WAN1 - does anyone know what I need to do to allow WAN2 as well?

    http://forum.pfsense.org/index.php/topic,7001.0.html

    If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
    you need to have a rule above your default rule (which has as gateway the loadbalancer)
    with destination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.



  • Yep, I have that rule

