Troubleshooting OpenVPN Performance

Started by ati, Today at 02:46:41 PM

I am getting miserable OpenVPN performance when I connect to my VPN provider via OPNsense compared to when I use my computer behind OPNsense. I am using Ookla speedtest with the same settings.

My Laptop using OpenVPN:
200Mb up
240Mb down

OPNsense:
5Mb up
2Mb down

Server:
  • Intel i7 6700K
  • 16GB Memory
  • WAN NIC - Intel i225V
  • LAN NIC - Intel x710-DA2

OpenVPN .ovpn file:
dev tun
fast-io
persist-key
persist-tun
nobind
remote server.com

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

There are of course a lot of settings in the VPN provider's .ovpn file that I cannot configure in OPNsense unfortunately.

What I do have configured in OPNsense to match the config file.
  • Auth
  • Data cypher
  • Options - route-nopull
  • Options - fast-io
  • TUN device MTU - 1500
  • Fragment size 1300
  • MSS Fix - checked


What am I missing? I understand OpenVPN isn't as performant as some other protocols, but I should be seeing much better speeds on my hardware even with its poor performance.

tun-mtu 1500
fragment 1300
mssfix 1200
Without those enhancements what do you get?


Even using the new instances with opnsense and my provider I can get better speeds than yours

I don't do any tweaking though
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

Quote from: DEC740airp414user on Today at 06:02:21 PM
tun-mtu 1500
fragment 1300
mssfix 1200
Without those enhancements what do you get?

It won't work at all without the fragment 1300, and I cannot set MSS Fix to anything other than enabled/disabled in OPNsense.

However, if I leave TUN MTU blank and MSS Fix unchecked (defaults), I don't get anything different.

It feels like some OPNsense setting somewhere outside of OpenVPN. Like hardware offloading or something. There is no way a simple setting could cause a 90% reduction in speed - right?

I use a site-to-site OpenVPN between two OPNsense without any tweaking (apart from MSS fix ticked) to transmit backup data to the other site and I get 400 Mbit/s over it.
So no, the limit you're getting here might neither arise from OpenVPN nor from OPNsense in general.

I used an IPsec to a pfSense before. With this I had to enable MSS clamping to get proper performance.

Maybe you can try to set the MSS value to 1200 in the interface settings, presuming that you have assigned an interface to the OpenVPN instance.

Quote from: viragomann on Today at 08:01:50 PM
Maybe you can try to set the MSS value to 1200 in the interface settings, presuming that you have assigned an interface to the OpenVPN instance.

I didn't know that was an option. That helped a bit. I get 30-40Mb down and 120Mb up, so that tells me it isn't a CPU issue, but more likely a speed test provider issue limiting my download now.

I wish there was a cleaner way to add in the tuneables for OpenVPN in the new OPNsense client.

You can also configure Firewall: Settings: Normalization for more granular tweaking on the VPN interface. I only used this for MSS clamping, however, so cannot give detailed hints on this.

But maybe there are also given limits from the VPN provider.
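
Added example, not written by any poster in this thread and not OPNsense code: a small Python check that compares the packet-size, buffer and cipher directives of the provider profile from the first post with the settings the poster lists as applied in OPNsense. The TUNABLES selection and the APPLIED text are assumptions constructed for the example.

```python
import re

# Assumption for this example: the directives that shape packet size,
# buffering or crypto cost. This selection is not a list from the thread.
TUNABLES = {"tun-mtu", "fragment", "mssfix", "sndbuf", "rcvbuf",
            "fast-io", "comp-lzo", "cipher", "auth"}

# Excerpt of the provider profile quoted in the first post.
PROVIDER = """fast-io
comp-lzo no
tun-mtu 1500
fragment 1300
mssfix 1200
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288"""

# Constructed: the poster's OPNsense list written out as directives. MSS Fix
# is a checkbox there, so it carries no value.
APPLIED = """auth SHA512
cipher AES-256-GCM
route-nopull
fast-io
tun-mtu 1500
fragment 1300
mssfix"""

def parse_ovpn(text):
    """Return {directive: args}, skipping comments and inline <tag> blocks."""
    directives, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:                              # inside <ca>...</ca> and similar
            if line == f"</{inline}>":
                inline = None
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            inline = m.group(1)
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = " ".join(args)
    return directives

def tunable_gaps(provider_text, applied_text):
    """List tunables that are absent or carry a different value once applied."""
    want, have = parse_ovpn(provider_text), parse_ovpn(applied_text)
    missing = sorted(n for n in want if n in TUNABLES and n not in have)
    differs = {n: (want[n], have[n]) for n in want
               if n in TUNABLES and n in have and want[n] != have[n]}
    return missing, differs
```

For the values in this thread, tunable_gaps(PROVIDER, APPLIED) reports comp-lzo, rcvbuf and sndbuf as not carried over, and mssfix as differing (1200 in the profile, no value from the checkbox).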