Troubleshooting OpenVPN Performance

Started by ati, March 15, 2026, 02:46:41 PM

I am getting miserable OpenVPN performance when I connect to my VPN provider via OPNsense compared to when I use my computer behind OPNsense. I am using Ookla speedtest with the same settings.

My Laptop using OpenVPN:
200Mb up
240Mb down

OPNsense:
5Mb up
2Mb down

Server:
  • Intel i7 6700K
  • 16GB Memory
  • WAN NIC - Intel i225V
  • LAN NIC - Intel x710-DA2

OpenVPN .ovpn file:
dev tun
fast-io
persist-key
persist-tun
nobind
remote server.com

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

There are of course a lot of settings in the VPN provider's .ovpn file that I cannot configure in OPNsense unfortunately.

What I do have configured in OPNsense to match the config file.
  • Auth
  • Data cipher
  • Options - route-nopull
  • Options - fast-io
  • TUN device MTU - 1500
  • Fragment size 1300
  • MSS Fix - checked


What am I missing? I understand OpenVPN isn't as performant as some other protocols, but I should be seeing much better speeds on my hardware even with its poor performance.

tun-mtu 1500
fragment 1300
mssfix 1200
Without those enhancements what do you get?


Even using the new instances with opnsense and my provider I can get better speeds than yours

I don't do any tweaking though
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

Quote from: DEC740airp414user on March 15, 2026, 06:02:21 PM
tun-mtu 1500
fragment 1300
mssfix 1200
Without those enhancements what do you get?

It won't work at all without the fragment 1300, and I cannot set MSS Fix to anything other than enabled/disabled in OPNsense.

However, if I leave TUN MTU blank and MSS Fix unchecked (defaults), I don't get anything different.

It feels like some OPNsense setting somewhere outside of OpenVPN. Like hardware offloading or something. There is no way a simple setting could cause a 90% reduction in speed - right?

I use a site-to-site OpenVPN between two OPNsense without any tweaking (apart from MSS fix ticked) to transmit backup data to the other site and I get 400 Mbit/s over it.
So no, the limit you're getting here might neither arise from OpenVPN nor from OPNsense in general.

I used an IPSec to a pfSense before. With this I had to enable MSS clamping to get a proper performance.

Maybe you can try to set the MSS value to 1200 in the interface settings, presuming that you have assigned an interface to the OpenVPN instance.

Quote from: viragomann on March 15, 2026, 08:01:50 PM
Maybe you can try to set the MSS value to 1200 in the interface settings, presuming that you have assigned an interface to the OpenVPN instance.

I didn't know that was an option. That helped a bit. I get 30-40Mb down and 120Mb up, so that tells me it isn't a CPU issue, but more likely a speed test provider issue limiting my download now.

I wish there was a cleaner way to add in the tuneables for OpenVPN in the new OPNsense client.

You can also configure Firewall: Settings: Normalization for more granular tweaking on the VPN interface. I only used this for MSS clamping, however, so cannot give detailed hints on this.

But maybe there exist also given limits from the VPN provider.

Quote from: ati on March 15, 2026, 02:46:41 PM
I am getting miserable OpenVPN performance when I connect to my VPN provider via OPNsense compared to when I use my computer behind OPNsense.

I am using Ookla speedtest with the same settings.
Two things come to my mind immediately :
- Ookla Server speeds can vary a lot !!
- Are you connected to the same OpenVPN Server with both and are you sure that Server has the same bandwidth capacity at both times ?

Quote:
My Laptop using OpenVPN:
200Mb up
240Mb down
Wired or WiFi ?

Reason I am asking is because this makes no sense to me :
Quote:
OpenVPN .ovpn file:
tun-mtu 1500
I would expect that value to be lower because now it's equal to Ethernet ?!
Something like 1400 or so would be better I think, but I am not a MTU expert...

And perhaps it gets automatically lowered by the OpenVPN Client Software when using a WiFi connection ?

Quote:
There are of course a lot of settings in the VPN provider's .ovpn file that I cannot configure in OPNsense unfortunately.
Such as ??
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on March 17, 2026, 04:03:05 AM

1. I was using the exact same VPN settings for both my laptop and OPNsense OpenVPN. The settings file that is in the first post...
2. I used the exact same server for both speed tests at Ookla. (I also used fast.com as a sanity check)

3. Laptop was wired, but that shouldn't really matter. It was faster than OPNsense regardless of connection method. I just ran it again via WiFi with very similar results.

4. I would agree regarding the MTU settings, however that is what I am provided from my VPN provider.

5. These are the settings that are in the provided .ovpn file that cannot be configured in OPNsense OpenVPN:
(That said, I am not familiar enough with OpenVPN to know whether they matter or not)

persist-key
persist-tun
nobind
remote-random
pull
comp-lzo no
route-method exe
route-delay 2
mssfix 1200
verb 3
sndbuf 524288
rcvbuf 524288


Quote from: ati on Today at 01:22:53 AM
5. These are the settings that are in the provided .ovpn file that cannot be configured in OPNsense OpenVPN:
(That said, I am not familiar enough with OpenVPN to know whether they matter or not)
Well... let's see what the ones that could affect speed are according to https://linux.die.net/man/8/openvpn then :
Quote:
persist-key
persist-tun
You might need both :
Quote:
--persist-tun
    Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

--persist-key
    Don't re-read key files across SIGUSR1 or --ping-restart.
I have left some text out, but I think you could say that in general they are used to avoid weird disconnect issues just in case any occur for whatever reason...

Quote:
nobind
Could be important :
Quote:
--nobind
    Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.

Quote:
remote-random
Not sure about this one so please check yourself if it applies to your configuration :
Quote:
--remote-random
    When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure.

Quote:
pull
This one seems mandatory :
Quote:
--pull

This option must be used on a client which is connecting to a multi-client server.
- Additional text available at man page that I left out -

Quote:
comp-lzo no
This could affect your speed because without it all the traffic is being compressed and I don't know how much CPU load that causes or if there are any specific CPU features that can lower the load like AES-NI does for Encryption of VPN connections for example.

Quote:
route-method exe
route-delay 2
These two seem to be only Windows Clients related since the man page talks about TAP devices instead of TUN devices.

Quote:
mssfix 1200
I guess you already figured out you need this one too...

Quote:
verb 3
This is just for logging and the most regular logging level value.

Quote:
sndbuf 524288
rcvbuf 524288
These two are modified a lot compared to the default values :
Quote:
--sndbuf size
    Set the TCP/UDP socket send buffer size. Currently defaults to 65536 bytes.
--rcvbuf size
    Set the TCP/UDP socket receive buffer size. Currently defaults to 65536 bytes.
So that's something you will probably need to improve the speed I am guessing...


Soo...


I guess it's time to check which files to edit via SSH on your OPNsense ?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
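
The directive-by-directive comparison done by hand in this thread can be scripted. The following is an added example, not code from any poster or from OPNsense: it parses an .ovpn profile and lists the tuning directives that the gateway does not apply or that differ from the socket buffer default quoted above. The GUI_APPLIED set, the placeholder <ca> block and the mssfix-versus-fragment check are assumptions made for illustration.

```python
# Added example (not from the thread). PROFILE is a constructed sample.
PROFILE = """\
# provider profile (excerpt of the tuning lines from the first post)
fast-io
comp-lzo no
tun-mtu 1500
fragment 1300
mssfix 1200
sndbuf 524288
rcvbuf 524288
<ca>
PLACEHOLDER-CERTIFICATE-BODY
</ca>
"""
SOCKET_BUF_DEFAULT = 65536  # sndbuf/rcvbuf default quoted from the man page
TUNING = ("tun-mtu", "fragment", "mssfix", "sndbuf", "rcvbuf", "comp-lzo", "fast-io")
# Assumption: directives the poster reports having set in the OPNsense GUI.
GUI_APPLIED = {"tun-mtu", "fragment", "fast-io"}

def parse_profile(text):
    """Return {directive: [args]}, skipping comments and inline <tag> blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside <ca>, <cert>, <key>, ... until the closing tag
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit(profile_text, applied):
    """List tuning directives that are not applied or are non-default."""
    conf, findings = parse_profile(profile_text), []
    for name in (n for n in TUNING if n in conf):
        if name not in applied:
            findings.append(" ".join(["not applied:", name, *conf[name]]))
        if name in ("sndbuf", "rcvbuf") and int(conf[name][0]) != SOCKET_BUF_DEFAULT:
            findings.append(f"{name} {conf[name][0]} differs from default {SOCKET_BUF_DEFAULT}")
    # Heuristic (assumption): TCP segments sized by mssfix should fit in one fragment.
    if {"mssfix", "fragment"} <= conf.keys() and int(conf["mssfix"][0]) > int(conf["fragment"][0]):
        findings.append("mssfix exceeds fragment")
    return findings

print("\n".join(audit(PROFILE, GUI_APPLIED)))
```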