
openVPN (SSL VPN) capped at around 20Mbit/s Up/down

Howdy :)


I'm a recent convert from pfSense. I now use Sophos UTM 9 (9.506-2) on the same hardware (Supermicro A1SAi-2750F, so an Atom C2750 SoC).

I have a 100/100 Mbps Internet link. Everything works very well, as expected. Everything except Remote Access SSL VPN (OpenVPN).


I did search the OpenVPN and Sophos forums and could not find a solution. The same setup saturates the entire bandwidth on the pfSense setup, so hardware limitations should not be an issue (and are not: RAM usage never exceeds 50% of the 8 GB installed, and CPU is around 25% at peak loads).

My openVPN setup:

UDP, port 1194

encryption: AES-256-CBC
authentication: SHA 256
Key Size 2048
Compress traffic - enabled


(I did try other encryption and authentication combinations, with no effect - still capped at 20 Mbps up/down.)
Performance is measured using iperf over the Internet (from a 500/500 link, when connected over SSL VPN). When using other services (SFTP) I can consume the entire link, no problem. Tested with a Windows 10 machine, a Linux Mint machine and an iPhone (iOS 9).

Other stuff I did:

Exception for intrusion prevention for 1:65535 -> 1194 for all checks

Disabled QoS (for testing)


Added the following options to the openvpn.conf-default (and the client one as well):

sndbuf 393216
rcvbuf 393216
fragment 0
mssfix 0
tun-mtu 48000


With no effect. Basically, whatever I do it is capped at around 20 Mbps, so 20% of the reported link speed.


iperf log:

-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 10.242.2.2, port 6563
[  5] local 192.168.5.7 port 5201 connected to 10.242.2.2 port 6564
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec  2.50 MBytes  20.9 Mbits/sec
[  5]   1.00-2.00   sec  2.89 MBytes  24.2 Mbits/sec
[  5]   2.00-3.00   sec  2.88 MBytes  24.2 Mbits/sec
[  5]   3.00-4.00   sec  1.59 MBytes  13.4 Mbits/sec
[  5]   4.00-5.00   sec  2.05 MBytes  17.2 Mbits/sec
[  5]   5.00-6.00   sec  2.36 MBytes  19.8 Mbits/sec
[  5]   6.00-7.00   sec  2.39 MBytes  20.1 Mbits/sec
[  5]   7.00-8.00   sec  2.78 MBytes  23.4 Mbits/sec
[  5]   8.00-9.00   sec  3.05 MBytes  25.6 Mbits/sec
[  5]   9.00-10.00  sec  2.63 MBytes  22.1 Mbits/sec
[  5]  10.00-10.05  sec   139 KBytes  21.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  25.3 MBytes  21.1 Mbits/sec                  receiver

EDIT: spelling, grammar.

  • What results do you get with:

    encryption: AES-128-CBC
    authentication: SHA 256
    Key Size 1024
    Compress traffic - NOT enabled

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Do you have IPS enabled? It inspects packet contents.

    Are you seeing a CPU spike to correspond with the latency?

    Have you reduced the MTU on the inside interface so that packets will not be fragmented when encapsulation overhead is added?

  • Slightly better performance with those settings. I am aiming for at least 50 Mbps (half my link).


    Connecting to host mylanpc.lan, port 5201
    [  4] local 10.242.2.3 port 12247 connected to 192.168.5.7 port 5201
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-1.00   sec  2.75 MBytes  23.0 Mbits/sec
    [  4]   1.00-2.00   sec  3.50 MBytes  29.4 Mbits/sec
    [  4]   2.00-3.00   sec  3.75 MBytes  31.5 Mbits/sec
    [  4]   3.00-4.00   sec  3.75 MBytes  31.4 Mbits/sec
    [  4]   4.00-5.00   sec  3.62 MBytes  30.4 Mbits/sec
    [  4]   5.00-6.00   sec  3.75 MBytes  31.4 Mbits/sec
    [  4]   6.00-7.00   sec  3.62 MBytes  30.4 Mbits/sec
    [  4]   7.00-8.00   sec  3.75 MBytes  31.5 Mbits/sec
    [  4]   8.00-9.00   sec  3.38 MBytes  28.3 Mbits/sec
    [  4]   9.00-10.00  sec  3.62 MBytes  30.4 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-10.00  sec  35.5 MBytes  29.8 Mbits/sec                  sender
    [  4]   0.00-10.00  sec  35.5 MBytes  29.8 Mbits/sec                  receiver

    iperf Done.

  • Yes, IPS is enabled, but there is an exception for all traffic (all to destination port 1194).

    There is a CPU spike, but a single core never exceeds 70%. There is no latency (that I care about). The problem is the throughput (bandwidth usage).

    I did not reduce the MTU size. There is other traffic going through the internal (LAN) interface, so a better way would be to configure MTUs for OpenVPN only.

    (Also, how is it possible to do this without editing the conf files, or is that the only way?)

  • Reducing the MTU will have minimal effect on other traffic - nothing you will notice.

  • The reduction for IPsec is 24 bytes, I think. I don't know for OpenVPN, but at least 34. I would try 1400, then 1450, then 1466. Please report your results.

    Cheers - Bob

  • Everything I know is based on documentation from support . cisco . com.

    On their site, click the magnifying glass icon on the upper right and search for this title.

    "IP Fragmentation and MTU Path Discovery with VPN"

    (I am not providing a link, because I don't think this forum allows links to anything non-Sophos related.)

    I read the document (or a previous draft) a long time ago, and cannot dive into the weeds of what it says, but this is the short version:

    Open the tunnel with the standard MTU setting.

    Use ping with the "don't fragment" option to find the largest packet that is not dropped. On Windows, the syntax is

    ping -f -l (value)

    The result is your MTU. I actually used an inside MTU value a little lower than this test result because their document led me to believe that the encryption overhead had some variability.

  • We had this problem with users connected via an uplink with DS-Lite.

    In the client OpenVPN config, the line

    link-mtu 1200

    helped.
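The "ping with don't fragment" MTU search described in the Cisco-based post above, scripted as an added example (not code from the thread or from Sophos). It assumes Linux iputils ping, where "-M do" sets the DF bit and "-s" is the ICMP payload size (the Windows equivalent is the thread's "ping -f -l <size>"), and that it is run through an established tunnel against the iperf server address from the thread, which is used here only as a constructed default.

```shell
#!/bin/sh
# Added example: binary-search the largest ICMP payload that gets a reply with
# the Don't Fragment bit set, then derive the MTU from it. Run through the
# already-connected tunnel, as the thread's procedure requires.
# Assumes iputils ping (Linux). PROBE_HOST is a constructed default.

HOST="${PROBE_HOST:-192.168.5.7}"

# probe <payload_bytes>: exit 0 if a DF-marked ping of that payload is answered.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$HOST" >/dev/null 2>&1
}

# find_max_payload <lo> <hi>: largest payload in [lo, hi] that probe accepts.
# Invariant: probe(lo) succeeds (lo=0 is always safe) and everything above hi fails.
find_max_payload() {
    lo=$1
    hi=$2
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# The MTU is the payload plus the 8-byte ICMP header and 20-byte IPv4 header.
mtu_from_payload() {
    echo $(( $1 + 28 ))
}

# The thread recommends using a value a little below the measured MTU because
# encryption overhead varies; the margin here is an assumption, not from the thread.
mtu_with_margin() {
    echo $(( $1 - ${2:-20} ))
}

# 1472 is the largest payload that fits a 1500-byte Ethernet MTU without fragmentation.
if [ "${1:-}" = "run" ]; then
    payload=$(find_max_payload 0 1472)
    mtu=$(mtu_from_payload "$payload")
    echo "largest DF payload: $payload bytes -> MTU $mtu"
    echo "suggested inside MTU: $(mtu_with_margin "$mtu")"
fi
```

Invoke with `sh mtu-probe.sh run` while connected to the SSL VPN; the search needs about 11 pings and only reports values the far end actually answered.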