
openVPN (SSL VPN) capped at around 20Mbit/s Up/down

Howdy :)


I'm a recent convert from pfSense. I now use Sophos UTM 9 (9.506-2) on the same hardware (Supermicro A1SAi-2750F - so an Atom C2750 SoC).

I have a 100/100 Mbps Internet link. Everything works very well, as expected. Everything except Remote Access SSL VPN (OpenVPN).


I did search the OpenVPN and Sophos forums and could not find a solution. The same setup saturates the entire bandwidth on the pfSense setup, so hardware limitations should not be an issue (and they are not: RAM usage never exceeds 50% of the 8 GB installed, and CPU is around 25% at peak loads).

My openVPN setup:

UDP, port 1194

encryption: AES-256-CBC
authentication: SHA 256
Key Size 2048
Compress traffic - enabled


(I did try other encryption and authentication combinations, with no effect - still capped at 20 Mbps up/down.)
Performance is measured using iperf over the internet (from a 500/500 link) when connected over SSL VPN. When using other services (SFTP) I can consume the entire link, no problem. Tested with a Windows 10 machine, a Linux Mint machine and an iPhone (iOS 9).

Other stuff I did:

Exception for intrusion prevention for 1:65535 -> 1194 for all checks

Disabled QoS (for testing)


Added the following options to the openvpn.conf-default (and the client one as well):

sndbuf 393216
rcvbuf 393216
fragment 0
mssfix 0
tun-mtu 48000


With no effect. Basically whatever I do it is capped at around 20 Mbps, so 20% of the reported link speed.


iperf log:




-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 10.242.2.2, port 6563
[  5] local 192.168.5.7 port 5201 connected to 10.242.2.2 port 6564
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec  2.50 MBytes  20.9 Mbits/sec
[  5]   1.00-2.00   sec  2.89 MBytes  24.2 Mbits/sec
[  5]   2.00-3.00   sec  2.88 MBytes  24.2 Mbits/sec
[  5]   3.00-4.00   sec  1.59 MBytes  13.4 Mbits/sec
[  5]   4.00-5.00   sec  2.05 MBytes  17.2 Mbits/sec
[  5]   5.00-6.00   sec  2.36 MBytes  19.8 Mbits/sec
[  5]   6.00-7.00   sec  2.39 MBytes  20.1 Mbits/sec
[  5]   7.00-8.00   sec  2.78 MBytes  23.4 Mbits/sec
[  5]   8.00-9.00   sec  3.05 MBytes  25.6 Mbits/sec
[  5]   9.00-10.00  sec  2.63 MBytes  22.1 Mbits/sec
[  5]  10.00-10.05  sec   139 KBytes  21.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  25.3 MBytes  21.1 Mbits/sec                  receiver


EDIT: spelling, grammar.
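As an added example that is not part of the thread (it is not the poster's, Sophos's or iperf's code), here is a small parser for the iperf3 server output quoted above. It assumes only the standard iperf3 line layout shown in that log; the embedded sample is the log from the post, and the `link_mbps` value is the 100 Mbps link the post describes.

```python
"""Parse iperf3 server output and quantify a throughput cap.

Added example, not from the thread or from iperf. It reads the per-interval
result lines iperf3 prints, computes a time-weighted average, the spread and
the link utilisation, and picks up the final sender/receiver summary lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One iperf3 result line, e.g.
# [  5]   3.00-4.00   sec  1.59 MBytes  13.4 Mbits/sec
# [  5]   0.00-10.05  sec  25.3 MBytes  21.1 Mbits/sec                  receiver
LINE_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>\d+\.\d+)-(?P<end>\d+\.\d+)\s+sec\s+"
    r"(?P<xfer>\d+(?:\.\d+)?)\s+(?P<xunit>[KMG]?)Bytes\s+"
    r"(?P<bw>\d+(?:\.\d+)?)\s+(?P<bunit>[KMG]?)bits/sec"
    r"(?:\s+(?P<role>sender|receiver))?\s*$"
)
# Scale factors to Mbit/s (iperf3 reports bit rates in 1000-based units).
BIT_SCALE = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}


@dataclass
class Interval:
    start: float
    end: float
    mbps: float

    @property
    def seconds(self) -> float:
        return self.end - self.start


def parse_iperf3(text: str) -> Tuple[List[Interval], Dict[str, float]]:
    """Return (per-interval rates, {'sender': Mbps, 'receiver': Mbps})."""
    intervals: List[Interval] = []
    summary: Dict[str, float] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, 'Accepted connection', dashed separators
        mbps = float(m["bw"]) * BIT_SCALE[m["bunit"]]
        if m["role"]:
            summary[m["role"]] = mbps
        else:
            intervals.append(Interval(float(m["start"]), float(m["end"]), mbps))
    return intervals, summary


def throughput_stats(intervals: List[Interval], link_mbps: float) -> Dict[str, float]:
    """Time-weighted mean (so the short last interval does not skew it),
    min/max per interval, and share of the nominal link actually used."""
    total_s = sum(i.seconds for i in intervals)
    weighted = sum(i.mbps * i.seconds for i in intervals) / total_s
    rates = [i.mbps for i in intervals]
    return {
        "mean_mbps": round(weighted, 1),
        "min_mbps": min(rates),
        "max_mbps": max(rates),
        "utilisation": round(weighted / link_mbps, 2),
        "intervals": len(intervals),
    }


# The server-side log posted in the thread (copied, not constructed).
SAMPLE_LOG = """\
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 10.242.2.2, port 6563
[  5] local 192.168.5.7 port 5201 connected to 10.242.2.2 port 6564
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec  2.50 MBytes  20.9 Mbits/sec
[  5]   1.00-2.00   sec  2.89 MBytes  24.2 Mbits/sec
[  5]   2.00-3.00   sec  2.88 MBytes  24.2 Mbits/sec
[  5]   3.00-4.00   sec  1.59 MBytes  13.4 Mbits/sec
[  5]   4.00-5.00   sec  2.05 MBytes  17.2 Mbits/sec
[  5]   5.00-6.00   sec  2.36 MBytes  19.8 Mbits/sec
[  5]   6.00-7.00   sec  2.39 MBytes  20.1 Mbits/sec
[  5]   7.00-8.00   sec  2.78 MBytes  23.4 Mbits/sec
[  5]   8.00-9.00   sec  3.05 MBytes  25.6 Mbits/sec
[  5]   9.00-10.00  sec  2.63 MBytes  22.1 Mbits/sec
[  5]  10.00-10.05  sec   139 KBytes  21.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  25.3 MBytes  21.1 Mbits/sec                  receiver
"""

if __name__ == "__main__":
    ivals, summ = parse_iperf3(SAMPLE_LOG)
    print(throughput_stats(ivals, link_mbps=100), summ)
```

Feeding the posted log through it gives a time-weighted mean of 21.1 Mbit/s, a per-second spread of 13.4 to 25.6 Mbit/s, and 21% utilisation of the 100 Mbps link, which is the "capped at around 20%" figure in numbers; the same function can be pointed at a later iperf run to see whether an MTU or cipher change moved the curve rather than just one peak second.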



  • The reduction for IPsec is 24 bytes, I think.  I don't know for OpenVPN, but at least 34.  I would try 1400, then 1450, then 1466.  Please report your results.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Everything I know is based on documentation from support . cisco . com

    On their site, click the magnifying glass icon on the upper right and search for this title.

    "IP Fragmentation and MTU Path Discovery with VPN"

    (I am not providing a link, because I don't think this forum allows links to anything non-Sophos related.)

    I read the document (or a previous draft) a long time ago, and cannot dive into the weeds of what it says, but this is the short version:

    Open the tunnel with the standard MTU setting.

    Use ping with the "don't fragment" option to find the largest packet that is not dropped. On Windows, the syntax is

    ping -f -l (value)

    The result is your MTU. I actually used an inside MTU value a little lower than this test result because their document led me to believe that the encryption overhead had some variability.

  • We had this problem with users connected via an uplink with DS-Lite.

    In client openvpn config a line

    link-mtu 1200

    helped


  • BUMP.

    Still testing and trying out settings. As of today no significant performance boost (I can get around 30 Mbps of VPN bandwidth on a 100 Mbps link) with all the suggested settings.


    Will try further testing and report my findings.

  • You can see if an MTU is too large with:

    ping -I 172.16.1.1 172.16.2.1 -s 1500 -M do

    172.16.1.1 is the IP of "Internal (Address)" for your local UTM and 172.16.2.1 is that of the remote device.

    Using that repeatedly, I found that the optimal MTU for the IPsec VPN between our lab and the UTM in AWS is 1378.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
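The three replies above describe the same manual procedure: ping with the DF bit set, shrink the size until replies come back, and treat the largest surviving packet as the path MTU. The script below is an added example, not code from the thread, from Sophos, or from the Cisco document, that automates that procedure as a binary search. It assumes the ping payload sits behind a 20-byte IPv4 header and an 8-byte ICMP header (so MTU = payload + 28), assumes iputils ping on Linux (`-M do`) or the built-in ping on Windows (`-f -l`), and adds a `repeats` option for the variability mentioned in the Cisco-based reply. The offline demo uses a constructed stand-in for a path whose MTU is 1378, the value reported above for the IPsec tunnel to AWS; 172.16.1.1 and 172.16.2.1 are the addresses from that reply.

```python
"""Path MTU discovery by binary search over 'don't fragment' pings.

Added example; not code from the thread, Sophos, or OpenVPN. Assumptions:
the ICMP echo payload excludes the 20-byte IPv4 header and 8-byte ICMP
header (MTU = payload + 28), and the far end answers ICMP echo.
"""
import platform
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
MIN_IPV4_MTU = 576      # every IPv4 host must accept packets of this size

Probe = Callable[[int], bool]   # payload size -> True if an echo reply came back


def largest_passing_payload(probe: Probe,
                            lo: int = MIN_IPV4_MTU - IP_ICMP_OVERHEAD,
                            hi: int = 1500 - IP_ICMP_OVERHEAD,
                            repeats: int = 1) -> int:
    """Largest payload in [lo, hi] that passes `repeats` times in a row.

    Requires probe(lo) to pass. Each probe halves the range, so 576..1500
    takes about 10 rounds instead of stepping through every size."""
    def passes(size: int) -> bool:
        return all(probe(size) for _ in range(repeats))

    if not passes(lo):
        raise ValueError(f"even a {lo}-byte payload was dropped; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2   # round up so the search cannot stall
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe: Probe, **kwargs) -> int:
    """Largest IP packet that crosses the path without fragmentation."""
    return largest_passing_payload(probe, **kwargs) + IP_ICMP_OVERHEAD


def ping_probe(dst: str, src: Optional[str] = None, timeout_s: int = 2) -> Probe:
    """Probe that shells out to the OS ping with DF set (real network use).

    Linux/iputils: -M do sets DF; an oversize probe fails (locally with
    'message too long', or remotely with no reply) and ping exits non-zero.
    Windows: -f sets DF; a successful reply line contains 'TTL='."""
    system = platform.system()
    if system not in ("Windows", "Linux"):
        raise NotImplementedError("only Windows and Linux (iputils) ping flags are handled")
    win = system == "Windows"

    def probe(size: int) -> bool:
        if win:
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(size), dst]
        else:
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(size)]
            if src:
                cmd += ["-I", src]   # e.g. the UTM's internal address
            cmd.append(dst)
        result = subprocess.run(cmd, capture_output=True, text=True)
        return ("TTL=" in result.stdout) if win else result.returncode == 0
    return probe


def simulated_probe(path_mtu_bytes: int) -> Probe:
    """Constructed stand-in for a path whose smallest link MTU is known,
    so the search can be exercised offline; a real run uses ping_probe()."""
    return lambda size: size + IP_ICMP_OVERHEAD <= path_mtu_bytes


if __name__ == "__main__":
    # Offline demonstration against a constructed 1378-byte path.
    print("path MTU:", path_mtu(simulated_probe(1378)))   # 1378
    # Real run from a UTM-side host, three passes per size to absorb jitter:
    # print(path_mtu(ping_probe("172.16.2.1", src="172.16.1.1"), repeats=3))
```

Two things the replies hint at are worth keeping in mind when reading the number: the search reports the largest packet that survives, so the tunnel interface MTU (OpenVPN `tun-mtu`/`link-mtu`) must still leave room for the VPN's own encapsulation below that figure, and if ICMP is filtered somewhere on the path every size fails and the `ValueError` on the first probe tells you that before a misleading "MTU" is printed.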
  • Been doing some testing as well and I've been capped to 2Mbps on a 1/1GB line. Switched from UDP to TCP and now reach around 20Mbps from a 4G road warrior workstation. I've done some other testing on a competitive solution with dedicated SSLVPN client/drivers and on the same setup I'm reaching 35/40Mbps, this with all weak ciphers banned at the SSLVPN daemon from that solution.

    I'm using the latest OpenVPN client (openvpn-install-2.4.4-I601.exe) to reach my Sophos lab.

    Cheers,
    m

  • This is what my testing shows as well. As I weaken the ciphers I get faster speeds.


    Combination of MTU settings and other suggested stuff I get around 20-30 Mbps. On the other hand, I see no hardware bottleneck (CPU load and such).

    I have now assumed that this is how openVPN works on Sophos, and using it that way.


    Thanks all for your input!