This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Speed through SSL VPN - am I expecting too much?

Hi everybody,

here's a drawing of my setup.

[drawing not reproduced here]

The VPN tunnel is established between the left firewall (which is a Sophos UTM on a PC) and the QNAP NAS TS-453A. Data is mirrored from left to right using rsync through a VPN tunnel.


The Sophos has an Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz.

The NAS on the right has a 14 nm Intel® Celeron® N3150/N3160 1.6 GHz quad-core processor.

Both systems have plenty of free RAM.


Unfortunately the NAS on the right does not have a publicly available IPv4 address and QNAP requires the rsync job to start on the source machine of the copy job. So the NAS on the right connects to the Sophos on the left and through the tunnel it's available from the left side. The additional encryption layer makes sense anyway.

The result is a very stable connection, but "only" at around 2 Mbyte/sec. Unfortunately that is not enough to mirror the daily delta of backups. I wouldn't complain if 2 Mbyte/sec was really close to the limit of both of the internet connections.
But when logging in to the NAS on the right and downloading something from the left side, circumventing the VPN (so directly over the internet), I can get up to more than 3 Mbyte/sec. The left side can upload up to 4 Mbyte/sec. The right side's download speed can normally support that.

I've already tweaked the encryption and compression settings a bit to see if that is just overloading any of the CPUs involved.
I've played between AES128-CBC and AES256 for the actual encryption and SHA256 to SHA512 for the packet authentication. I did not see much of a change in transfer speed. Maybe an improvement of 100 kbyte/sec, but nothing that would get me close to 3 Mbyte/sec.
The MTU is identical on both sides of the VPN tunnel (1500). CPUs on both VPN endpoints are at less than 50% while transferring.
I've disabled IPS for traffic going to the NAS on the right.
UDP is used. I haven't tried TCP, but I've never read a post where TCP would lead to higher transfer speeds.

Unfortunately I do not currently have another device available on the right side to do a benchmark with another VPN client.


Of course using the VPN cannot make transfers faster than without it, but nowadays I'd think the encryption is not really that big of a deal for CPUs that were manufactured in the past five years.

Does anybody have experience with what is possible when going through a VPN over a WAN connection? Are my expectations just not realistic?
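The cipher and HMAC changes tried above alter only a few bytes per packet, whereas an inner tunnel MTU of 1500 on top of a 1500-byte WAN MTU means every full-size inner packet needs more than one WAN datagram. The following is an added example, not code from the thread, Sophos or QNAP; it assumes the OpenVPN 2.x data-channel framing that Sophos UTM's SSL VPN is built on, with the per-field sizes listed in the docstring, and computes the encapsulated size, the largest inner packet that still avoids fragmentation, and the goodput ratio for the cipher/auth combinations discussed in the post.

```python
"""Per-packet WAN overhead of an OpenVPN-style UDP data channel.

Added example for this thread, not code from the poster, Sophos or QNAP.
The frame layout is an assumption based on OpenVPN 2.x's data channel:
  CBC:  opcode(1) | HMAC(digest) | IV(16) | AES-CBC( packet-id(4) | inner packet | padding )
  GCM:  opcode(1) | packet-id(4) | GCM tag(16) | AES-GCM( inner packet )
carried in an outer IPv4(20) + UDP(8) datagram. Compression framing and
tls-auth are ignored (tls-auth only affects the control channel).
"""

DIGEST_BYTES = {"sha1": 20, "sha256": 32, "sha512": 64}
AES_BLOCK = 16
OUTER_HEADERS = 20 + 8   # IPv4 + UDP around every tunnel datagram
OPCODE = 1
PACKET_ID = 4
IV = 16
GCM_TAG = 16


def encapsulated_size(inner: int, cipher: str, auth: str = "sha256") -> int:
    """Bytes that one inner IP packet of `inner` bytes occupies on the WAN.
    `auth` is ignored for GCM, which authenticates with its own tag."""
    if cipher.endswith("-gcm"):
        return OUTER_HEADERS + OPCODE + PACKET_ID + GCM_TAG + inner
    if cipher.endswith("-cbc"):
        plaintext = PACKET_ID + inner
        # PKCS#7-style padding always adds at least one byte, then rounds up to a block
        padded = (plaintext // AES_BLOCK + 1) * AES_BLOCK
        return OUTER_HEADERS + OPCODE + DIGEST_BYTES[auth] + IV + padded
    raise ValueError(f"unknown cipher mode: {cipher}")


def max_inner_packet(wan_mtu: int, cipher: str, auth: str = "sha256") -> int:
    """Largest inner packet whose tunnel datagram still fits in one WAN MTU."""
    for inner in range(wan_mtu, 0, -1):
        if encapsulated_size(inner, cipher, auth) <= wan_mtu:
            return inner
    return 0


def goodput_ratio(inner: int, cipher: str, auth: str = "sha256") -> float:
    """Fraction of the bytes sent on the WAN that is actual payload."""
    return inner / encapsulated_size(inner, cipher, auth)


if __name__ == "__main__":
    wan_mtu = 1500
    combos = [("aes-128-cbc", "sha256"), ("aes-256-cbc", "sha256"),
              ("aes-128-cbc", "sha512"), ("aes-128-gcm", "sha256")]
    for cipher, auth in combos:
        full = encapsulated_size(1500, cipher, auth)
        fit = max_inner_packet(wan_mtu, cipher, auth)
        verdict = "fragments" if full > wan_mtu else "fits"
        print(f"{cipher}/{auth}: 1500-byte inner packet -> {full} bytes on the WAN ({verdict}); "
              f"largest unfragmented inner packet = {fit}; "
              f"goodput at that size = {goodput_ratio(fit, cipher, auth):.1%}")
```

AES-128 and AES-256 give identical packet sizes, and switching the HMAC from SHA-256 to SHA-512 adds 32 bytes per packet (about 2% of goodput at 1400-byte packets), so the cipher knobs cannot move throughput by much. What the figures do show is that a 1500-byte inner packet becomes a 1597-byte tunnel datagram with AES-CBC/SHA-256, so every full-size packet is fragmented on a 1500-byte WAN; OpenVPN-based setups normally lower the tunnel MTU or clamp the TCP MSS (OpenVPN's mssfix) so that the encapsulated datagram fits.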



  • Hi  

    When measuring the bandwidth of a VPN connection, it is really important to consider the speed bottleneck on both sides. Since you need to copy data from left to right, the maximum speed for data transfer you will get is the lesser of upload from left and download from right (which will be 3 Mbyte/sec according to your data, which is over the internet, not the SSL VPN). Now if you add the layer of encryption for the SSL VPN connection it will be further reduced from 3 Mbyte/sec. Further, if the UTM on the left has some other data going on the internet, it will further reduce the speed of the SSL VPN connection.

    Regards

    Jaydeep

  • I don't think of SSL VPN as the fastest tunnel to build, rather IPsec.  With a new Intel processor that supports AES-NI (I don't think yours does), you can get max throughput using AES 128 GCM encryption in the UTM.  I have no idea if that's possible in the other device.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
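Whether an endpoint has AES-NI, and how much AES-GCM gains over AES-CBC on it, can be checked directly on the box rather than guessed from the model number. The following added example (not code from the thread, Sophos or QNAP) assumes a Linux host whose CPU flags are readable from /proc/cpuinfo and an `openssl` binary on the PATH; its parser for `openssl speed` output assumes the usual result line that starts with the cipher name followed by kB/s columns ending in "k", which is an assumption about the output layout, not a documented interface.

```python
"""Check a VPN endpoint for AES-NI and measure raw cipher throughput.

Added example for this thread, not code from the poster, Sophos or QNAP.
Assumes Linux (/proc/cpuinfo) and an `openssl` binary on PATH; the speed
parser assumes a result line of the form
  aes-128-gcm   123456.78k  234567.89k ...
which is an assumption about `openssl speed` output, not a documented format.
"""
import shutil
import subprocess
from pathlib import Path

# Constructed sample in /proc/cpuinfo layout; not a capture from either box in the thread.
SAMPLE_CPUINFO = """processor\t: 0
model name\t: Example CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 aes pclmulqdq
"""


def cpu_flags(cpuinfo_text: str) -> set:
    """Return the feature flags of the first CPU described in cpuinfo-format text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def supports_aesni(cpuinfo_text: str) -> bool:
    """'aes' is the AES-NI instruction set; 'pclmulqdq' accelerates the GHASH used by AES-GCM."""
    flags = cpu_flags(cpuinfo_text)
    return "aes" in flags and "pclmulqdq" in flags


def parse_openssl_speed(output: str, cipher: str):
    """Pull the kB/s figure for the largest block size from `openssl speed` output.
    Cipher names are matched case-insensitively because OpenSSL 3 prints them
    in upper case. Returns None if no result line for `cipher` is found."""
    for line in output.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower() == cipher.lower():
            rates = [t for t in tokens[1:] if t.endswith("k")]
            if rates:
                return float(rates[-1].rstrip("k"))
    return None


def openssl_speed_kbytes_per_sec(cipher: str, seconds: int = 2):
    """Run `openssl speed -evp <cipher>` and return the figure for the largest
    block size (OpenSSL reports 1000s of bytes per second), or None if openssl
    is missing or the output could not be parsed."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "speed", "-evp", cipher, "-seconds", str(seconds)],
        capture_output=True, text=True, timeout=60 + 10 * seconds,
    )
    return parse_openssl_speed(proc.stdout, cipher)


if __name__ == "__main__":
    cpuinfo = Path("/proc/cpuinfo")
    text = cpuinfo.read_text() if cpuinfo.exists() else SAMPLE_CPUINFO
    print("AES-NI available:", supports_aesni(text))
    for cipher in ("aes-128-cbc", "aes-256-cbc", "aes-128-gcm"):
        rate = openssl_speed_kbytes_per_sec(cipher)
        if rate is None:
            print(f"{cipher}: openssl not available or output not parsed")
        else:
            print(f"{cipher}: {rate / 1000:.0f} MB/s on large blocks")
```

Run it on both tunnel endpoints; a box with the `aes` flag typically shows AES-GCM well ahead of AES-CBC plus a separate HMAC, while a box without it shows single-digit-percent differences between the cipher choices, which is the pattern reported in the original post. The numbers are raw single-core cipher throughput, an upper bound the VPN process will not reach.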