Messages - ati

#1
Quote from: nero355 on March 17, 2026, 04:03:05 AM
Quote from: ati on March 15, 2026, 02:46:41 PM
I am getting miserable OpenVPN performance when I connect to my VPN provider via OPNsense compared to when I use my computer behind OPNsense.

I am using Ookla speedtest with the same settings.
Two things come to my mind immediately :
- Ookla Server speeds can vary a lot !!
- Are you connected to the same OpenVPN Server with both and are you sure that Server has the same bandwidth capacity at both times ?

Quote
My Laptop using OpenVPN:
200Mb up
240Mb down
Wired or WiFi ?

Reason I am asking is because this makes no sense to me :
Quote
OpenVPN .ovpn file:
tun-mtu 1500
I would expect that value to be lower because now it's equal to Ethernet ?!
Something like 1400 or so would be better I think, but I am not a MTU expert...

And perhaps it gets automatically lowered by the OpenVPN Client Software when using a WiFi connection ?

Quote
There are of course a lot of settings in the VPN providers .ovpn file that I cannot configure in OPNsense unfortunately.
Such as ??


1. I was using the exact same VPN settings for both my laptop and OPNsense OpenVPN. The settings file that is the first post...
2. I used the exact same server for both speed test at Ookla. (I also used fast.com as a sanity check)

3. Laptop was wired, but that shouldn't really matter. It was faster than OPNsense regardless of connection method. I just ran it again via WiFi with very similar results.

4. I would agree regarding the MTU settings, however that is what I am provided from my VPN provider.

5. These are the settings that are in the provided .ovpn file that cannot be configured in OPNsense OpenVPN:
(That said, I am not familiar enough with OpenVPN to know whether they matter or not)

persist-key
persist-tun
nobind
remote-random
pull
comp-lzo no
route-method exe
route-delay 2
mssfix 1200
verb 3
sndbuf 524288
rcvbuf 524288

#2
Quote from: viragomann on March 15, 2026, 08:01:50 PM
Maybe you can try to set the MSS value to 1200 in the interface settings, presuming that you have assigned an interface to the OpenVPN instance.

I didn't know that was an option. That helped a bit. I get 30-40Mb down and 120Mb up, so that tells me it isn't a CPU issue, but more likely a speed test provider issue limiting my download now.

I wish there was a cleaner way to add in the tuneables for OpenVPN in the new OPNsense client.
#3
Quote from: DEC740airp414user on March 15, 2026, 06:02:21 PM
tun-mtu 1500
fragment 1300
mssfix 1200
Without those enhancements what do you get?

It won't work at all without the fragment 1300, and I cannot set MSS Fix to anything other than enabled/disabled in OPNsense.

However, if I leave TUN MTU blank and MSS Fix unchecked (defaults), I don't get anything different.

It feels like some OPNsense setting somewhere outside of OpenVPN. Like hardware offloading or something. There is no way a simple setting could cause a 90% reduction in speed - right?
#4
I am getting miserable OpenVPN performance when I connect to my VPN provider via OPNsense compared to when I use my computer behind OPNsense. I am using Ookla speedtest with the same settings.

My Laptop using OpenVPN:
200Mb up
240Mb down

OPNsense:
5Mb up
2Mb down

Server:
  • Intel i7 6700K
  • 16GB Memory
  • WAN NIC - Intel i225V
  • LAN NIC - Intel x710-DA2

OpenVPN .ovpn file:
dev tun
fast-io
persist-key
persist-tun
nobind
remote server.com

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

There are of course a lot of settings in the VPN providers .ovpn file that I cannot configure in OPNsense unfortunately.

What I do have configured in OPNsense to match the config file.
  • Auth
  • Data cypher
  • Options - route-nopull
  • Options - fast-io
  • TUN device MTU - 1500
  • Fragment size 1300
  • MSS Fix - checked


What am I missing? I understand OpenVPN isn't as performative as some other protocols, but I should be seeing much better speeds on my hardware even with its poor performance.
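As an added example (not code from the thread, OpenVPN or OPNsense), here is a small parser for the .ovpn profile posted above that pulls out the MTU-related directives (tun-mtu, fragment, mssfix), flags the two deprecated directives in it (ns-cert-type, which has been superseded by remote-cert-tls, and comp-lzo, the legacy compression option), and lists which directives are not in a caller-supplied set of GUI-configurable options, which is the comparison made in the later reply listing persist-key, nobind, sndbuf and the rest. The profile embedded below is constructed to mirror the posted one; the remote host and the inline <ca> block are placeholders, and the mssfix <= fragment <= tun-mtu ordering check is a sanity heuristic chosen here, not an OpenVPN rule.

```python
"""Parse an OpenVPN client profile (.ovpn) and report the MTU chain,
deprecated directives, and directives outside a given supported set.
Added example; not OpenVPN or OPNsense project code."""

import shlex
from collections import OrderedDict

# Constructed profile mirroring the directives in the posted .ovpn; the remote
# host and the inline <ca> block are placeholders, not the provider's values.
SAMPLE_OVPN = """\
# client profile (constructed for this example)
dev tun
fast-io
persist-key
persist-tun
nobind
remote vpn.example.invalid 1194 udp  ; placeholder host
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

# directive -> (replacement, why it matters); both facts about OpenVPN 2.4+
DEPRECATED = {
    "ns-cert-type": ("remote-cert-tls", "deprecated server-identity check"),
    "comp-lzo": ("compress / no compression", "legacy compression directive"),
}


def parse_ovpn(text):
    """Return ({directive: [args...]}, {block_name: body}) for a profile.

    Handles '#' and ';' comments, quoted arguments and <tag>...</tag> inline
    blocks.  A directive given twice keeps its last occurrence.
    """
    directives, blocks = OrderedDict(), {}
    block, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <tag> ... </tag>
            if line == "</%s>" % block:
                blocks[block], block, body = "\n".join(body), None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            continue
        lexer = shlex.shlex(line, posix=True)       # quoting + trailing comments
        lexer.whitespace_split = True
        lexer.commenters = "#;"
        tokens = list(lexer)
        directives[tokens[0]] = tokens[1:]
    return directives, blocks


def review(directives):
    """Findings as strings: MTU chain ordering (heuristic) and deprecated directives."""
    findings = []
    mtu = {k: int(directives[k][0]) for k in ("tun-mtu", "fragment", "mssfix")
           if k in directives}
    chain = [mtu[k] for k in ("mssfix", "fragment", "tun-mtu") if k in mtu]
    if chain != sorted(chain):
        findings.append("mtu: expected mssfix <= fragment <= tun-mtu, got %s" % mtu)
    for name, (replacement, why) in DEPRECATED.items():
        if name in directives:
            args = " ".join(directives[name])
            findings.append("%s %s: %s; prefer %s" % (name, args, why, replacement))
    return findings


def unmapped(directives, supported):
    """Directives in the profile that the caller's GUI set does not expose."""
    return [d for d in directives if d not in supported]


if __name__ == "__main__":
    parsed, _ = parse_ovpn(SAMPLE_OVPN)
    for finding in review(parsed):
        print(finding)
    # the options the poster said they could set in the OPNsense client instance
    print(unmapped(parsed, {"auth", "cipher", "fast-io", "tun-mtu", "fragment", "mssfix"}))
```

The supported set handed to unmapped() is whatever the GUI in front of you exposes; the one in the usage line is just the list the poster gave.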
#5
I got it.

I needed to set the fragment size in the openVPN configuration. Once I did that everything worked as expected.

Thank you for your support!
#6
I cannot ping anything external. I have tried many known IPs... I am only doing IP addresses to not deal with DNS at all, so DNS resolution isn't an issue at the moment.

The only things I can ping are my local networks and the virtual IPv4 address of the openVPN tunnel.

I am just guessing at openVPN configuration. If the firewall and policies are working (which they appear to be based on the packet captures), there isn't much left. Maybe I have a bad setting so it doesn't pull in the addressing into routing table? I am not sure. All I know is traffic isn't making it back on the openVPN interface.
#7
Quote from: viragomann on March 14, 2026, 09:19:16 PM
To investigate run a packet capture. Select all interfaces, at protocol select ICMP and state 8.8.8.8 in the host field. Start the capture and try to ping 8.8.8.8. Then view the capture (less details).
You should see the packets on the wifi interface at least.

Maybe you missed a message I edited because it was a double and I edited after. (message 5)

I did run a packet capture. I ran it on the ExpressVPN interface. I am seeing the traffic there (as expected) so that tells me my firewall rules (at least in the outbound direction) are working fine. The ping is traversing the firewall rules and making it to the ExpressVPN interface. However, I never see an echo reply on the ExpressVPN interface. So that leads me to think it is a routing issue or a openVPN config issue.

#8
Quote from: viragomann on March 14, 2026, 08:44:37 PM
If you did enable logging of the rule, you should see the pings in the log, even if you don't get a response. But maybe the rule is not applied.
Note that rule on interface groups and floating quick rules are probed before interface rules. So if any matches to the pings it will be applied.


I don't have any group or floating rules.

Based on the above, it doesn't appear to be a rule issue. It seems to be a routing one. The packets are making it to the correct VPN interface for egress. I just don't see any ingress back on that VPN interface.
#9
I just did a packet capture on the ExpressVPN interface.

I can see my ICMP echo requests going out to the IPv4 address of the openVPN connection. The RFC1918 address.

I don't see any replies coming back on that interface.

Does that point to an issue on the openVPN configuration?
#10
Quote from: viragomann on March 14, 2026, 08:10:10 PM
Looks well so far. Should work at least for IPs.
So for testing just ping 1.1.1.1 or 8.8.8.8 from the concerned device.

Check if the ExpressVPN gateway state is online in System: Gateways: Configuration.

Enable the logging of firewall rule and check if it is applied in the live log, after pinging.

I have been trying to ping 8.8.8.8 and nothing.

The gateway is listed as a valid gateway.


When I look in the live firewall view and filter on the IP (192.168.20.75) I don't know how to tell if it is working. When I ping my default gateway I can see the ICMP packet pass. I cannot see the ping to 8.8.8.8 at all. How can I tell that the rule for the gateway is applied?

Interestingly I can see random 'internet' traffic passing from that host, but the host is unable to ping anything. It is almost as if it is getting filtered on the return?
#11
Quote from: viragomann on March 14, 2026, 07:12:17 PM
Quote from: ati on March 14, 2026, 06:41:51 PM
I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the openVPN interface as its gateway.
An outbound NAT rule doesn't force any traffic to anywhere. It just translates the source IP in outbound packets on an interface to any other.
For proper working you have to select the interface as translation address.

Did you add this rule to the OpenVPN interface, which you have created before?

If it's not that, please give more details on your rules.


I am not sure I follow exactly.
These are my two rules I have created:

This rule is on the interface of the network (WIRELESS net (192.168.20.0/24)) that the device (192.168.20.75) I want to take the VPN exists on:


This rule is on the NAT > Outbound manual rules:


Those are the only 2 firewall/NAT rules I created following the youtube guide.
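The packet-capture check suggested in this thread (capture ICMP on all interfaces, ping 8.8.8.8, look for requests leaving the VPN interface and replies coming back) can be scripted over the capture output. Below is an added example, not code from the thread or from OPNsense, that parses tcpdump-style echo request/reply lines prefixed with an interface name, pairs each request with its reply by (destination, id, seq), and reports requests on the tunnel interface that were never answered. It additionally flags unanswered requests that still carry a private (RFC 1918) source address when they leave the tunnel, which is the symptom of the outbound NAT rule not translating to the interface address as described in the quoted reply. The capture lines, the interface names vlan20 and ovpnc1, and the client address are all constructed for the example.

```python
"""Find ICMP echo requests that left the tunnel interface without a reply and
flag those that left with an untranslated private source address.
Added example; the capture lines and interface names are constructed."""

import ipaddress
import re

# Constructed capture: one ping to the LAN gateway (answered) and two to
# 8.8.8.8 that reach the tunnel interface still carrying the LAN source.
CAPTURE = """\
vlan20  12:00:00.000100 IP 192.168.20.75 > 192.168.20.1: ICMP echo request, id 7, seq 1, length 64
vlan20  12:00:00.000400 IP 192.168.20.1 > 192.168.20.75: ICMP echo reply, id 7, seq 1, length 64
vlan20  12:00:01.000100 IP 192.168.20.75 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64
ovpnc1  12:00:01.000200 IP 192.168.20.75 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64
vlan20  12:00:02.000100 IP 192.168.20.75 > 8.8.8.8: ICMP echo request, id 7, seq 3, length 64
ovpnc1  12:00:02.000200 IP 192.168.20.75 > 8.8.8.8: ICMP echo request, id 7, seq 3, length 64
"""

# "<iface>  <timestamp> IP <src> > <dst>: ICMP echo request|reply, id N, seq N"
LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


def parse_capture(text):
    """Return a list of dicts for ICMP echo lines; other traffic is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"] = int(rec["id"]), int(rec["seq"])
            records.append(rec)
    return records


def unanswered(records, tunnel_iface):
    """Return (unanswered, untranslated).

    unanswered:   (dst, id, seq) of requests seen on tunnel_iface that never
                  got a matching reply on any interface.
    untranslated: the subset whose source was still private when it left the
                  tunnel, i.e. outbound NAT did not rewrite it, so the far side
                  has no usable return path.  Each entry is (src, dst, id, seq).
    """
    # a reply's source is the host that was pinged, so key replies by src
    replies = {(r["src"], r["id"], r["seq"]) for r in records if r["kind"] == "reply"}
    unans, untrans = [], []
    for r in records:
        if r["kind"] != "request" or r["iface"] != tunnel_iface:
            continue
        key = (r["dst"], r["id"], r["seq"])
        if key in replies:
            continue
        unans.append(key)
        if ipaddress.ip_address(r["src"]).is_private:
            untrans.append((r["src"],) + key)
    return unans, untrans


if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    missing, no_nat = unanswered(recs, "ovpnc1")
    print("unanswered on tunnel:", missing)
    print("left tunnel with private source:", no_nat)
```

In a real run the input would be the combined capture with each line prefixed by the interface it was taken on; an empty untranslated list with a non-empty unanswered list points away from NAT and toward routing or the far end instead.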

#12
I have been using OPNsense for a while now and have gotten many things configured including a site-to-site wireguard VPN to another OPNsense box as well as client wireguard tunnels successfully.

I am trying now to make a 'always on' VPN using ExpressVPN via openVPN for a specific VLAN. I am using this guide so far https://www.youtube.com/watch?v=wDEHo9XJjeA

  • I have gotten the openVPN connection established (at least the status is connected).
  • I added a new interface for the openVPN connection and enabled it.
  • My gateway table has updated with 2 new routes for the openVPN connection (one IPv6 and one IPv4), the IPv6 connection says active for some reason.
  • I enabled route-nopull in my openVPN configuration, so there is no route in my routing table for that connection.

Then things started to fall apart for me. I am testing right now, so I am trying to make a single client 'take the VPN path', so instead of using alias in the video I am using a single host IP.
  • I added a firewall rule on the interface the device is connected to. It forces all traffic from that one source IP to use the openVPN interface as its gateway.
  • I changed my outbound NAT to hybrid and added a new rule to force all traffic from that one source IP to use the openVPN interface as its gateway.

When I do all that I cannot ping anything anymore. I have been using 8.8.8.8 to eliminate any DNS issues as well.

I am not really sure where to even begin looking at logs or how to troubleshoot this. The firewall rules seem pretty simple in the way they operate, but I am not sure if it is firewall, openVPN, NAT rules, or the gateway/route configuration.