OpenVPN connection - Try not to laugh


  • So I'm new to pfSense 2.3.  Right now, I'm lovin' it.  Big upgrade on the DD-WRT solutions I've implemented in the past.

    I've got an OpenVPN setup on the pfSense box and I'd like to do everything I can to get this VPN running as fast as possible.  Now please, try not to laugh when I lay out this question.  Here she goes…

    • I've got my new pfSense 2.3 device acting as the DHCP/DNS/firewall/OpenVPN server at my main office.  We have bandwidth of 10/10 Mbps.  No, that's not a typo, it's just 10 by 10.

    • My satellite office right now is running the OpenVPN Client on a Win7 machine (i7, 16Gb memory, SSD).  I will eventually drop in a pfSense box there as well but right now I'm just trying to get things up and running.  That site has bandwidth of 60/6

    Question: What can I do to "speed" up the connection within pfSense?  STOP LAUGHING!  I know my connection speeds suck relative to the rest of the civilized world but in my area it is what it is.  Is there something I can do to enhance it.  Obviously if I had 100/100 connections at both locations this point would probably be moot.  I just need to know if I'm missing something.

    I had the OpenVPN connection running before on my DD-WRT routers which worked fine.  But often I would see the CPUs on those little routers pegged at 99-100% which I assumed was from the OpenVPN encryption/decryption process.  Hoping that using a much beefier CPU with pfSense would alleviate some of that.

    Hope everyone enjoyed a good chuckle today.


  • Since you have 10/10 and 60/6, it`s not going to be faster 10 one way and 6 the other.

    What you are missing is 100/100 connections…..


  • Yeah Pippin, I get that. I obviously am not expecting to get 100Mbps speeds over a 6Mbps connection. Not sure what universe that's possible in, but I'm pretty sure it's not ours.

    I'm just really wanting to know if there is some kind of setting or compression I could be using to send the data back and forth over the VPN where the processor can do some more work for me.


  • Other than making sure tunnel compression is enabled I don't know of anything else.  But I'm no expert on this.  Some others may know some tricks to make use of.

    P.S. I'm not laughing.  I'm crying for you. :'(  It's too sad to laugh.  :(


  • Lowering Encryption Algorithm can help, also setting SHA512 to SHA256 or lowering what you have set.
    Enabling/disabling compression depends on type of data flowing, but it can help.

    Even disabling the data channel encryption could be a option, depending on sensitivity of the data, you decide.

    Options as playing with MTU, I would not go there if there are no connectivity problems.

    I dont know what speed you getting but if its 80-90%, I think I would not bother.

    You don`t see me laughing…


  • If you have easy access to both sides of the tunnel, try testing your bandwidth over the VPN using iperf (or jperf, or any easy varient that uses a GUI).

    Correct, you'll only get the equivalent of 6/10mbps in ideal situations. iperf will verify what you're getting.

    If you're not getting around 6/10, with zero other traffic on your networks, then time to look at other causes. Is your 10/10 office hardware too low, causing CPU to max-out? You can also try fiddling with your MTU a bit, try 1360 and work up. Google how to use the Ping command to determine ideal MTU values.

    10/10 is not bad, especially for non-metro-city businesses. I'm running on 6/6, working fine for 30 people.


  • Moikerz, Pippen, NOYB, I really appreciate you guys replying back.  I've researched some things already that you all have mentioned and I'm going to do my best to dive in and start testing.  Wished I was looking for something simple in the GUI.  Guess not.

    I appreciate the sympathy on the matter.  I live in a state with only about 4 million people.  And I live in one of the larger cities if you wanna call it that.  I just refer to it as a big town.  So if we want more bandwidth, we have to cough up a heck of a lot.  The whole supply and demand thing.

    Right now I'm looking for a reason to switch out a few of my clients DD-WRT routers with a bigger gun, like pfSense.  Was hoping pfSense alone with little customization would provide a better OpenVPN experience.  Aside from the killer interface in pfSense I'm pretty much in the same place I started with DD-WRT.

    Thanks guys!  Hoping I can make pfSense work out for me.  I haven't had this much fun with tech in a long time.  I could play with that GUI for hours on end.  Just wish I had more time.  "Technology, why can't it be easy?"  Guess that's why we get paid the big bucks ;)