[SOLVED] slow vpn to NAS server directories since upgrade

[jljb66]

running

OPNsense 23.7.10_1-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

Since the upgrade, it takes minutes to show folders on my NAS server. 2 minutes to open up a 11kb pdf file.

I have tried smb v2,3 webdav, used openvpn, wireguard and tailscale to test if it the vpn software itself or the protocol. there is zero packet loss, 32ms ping repsonse.

NAS server works perfectly if in the office. Firewall is basically 0%cpu, state table 485. I'm at a loss.

[Monviech (Cedrik)]

Have you checked if its an mtu or mss problem? Maybe your packets are getting fragmented and there are a lot of retransmits and connections abort.

[jljb66]

I checked the max mtu size as via ping as 1392+ 28 = 1420. When I set that, the WAN took a dump and I couldn't connect at all, so I reset it to blank and its working again.

not sure how to test mss.

[Monviech (Cedrik)]

Heres an example how to set the right mss and mtu for wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

[jljb66]

OK  ...

I set the MSS normalization setting in firewall settings to 1380 for the wireguard group and things magically are superfast.

The ping response times and iperf3 times are the same though. Is there a way to see if a packet is indeed being fragmented? I see no drops before or now, so it must be fragmenation right?

BTW, Here is a good article to go by. https://gist.github.com/nitred/f16850ca48c48c79bf422e90ee5b9d95