
Why is my SSL VPN so much slower than the WAN?

We have recently had an internet speed upgrade which gives us 1 Gbps down and up to the internet.

When running a speedtest connected directly to our network in the office we are getting around 950 Mbps.

When the client runs a speedtest while disconnected from their VPN they get around 650 Mbps.

When the client runs a speedtest while connected to the UTM SSL VPN they get around 30-40 Mbps.

Now I understand that due to limitations of OpenVPN and network overheads we won't see the full 650 Mbps that the client network is capable of, but to get less than 10% of that possible speed seems way too low. Am I expecting too much or is there an issue? It just seems odd that if you sign up to one of these big VPN providers like Nord, ExpressVPN etc. you can get speeds similar to that of your actual WAN, but the Sophos SSL VPN is less than 10%?

These are our settings:

Protocol: TCP (have tried UDP and it doesn't improve speed)

Encryption Algorithm: AES-256-CBC

Authentication Algorithm: SHA2 256

Key Size: 2048

Compression: OFF

  • Like any encryption taking place, it will slow down over a VPN type connection, but it may also be due to hardware. VPN shouldn't take that much of a hit - only about 10-20% performance, and there are several other factors that are not just the UTM side of things:

    - hops between clients; distance (this is why you may see better performance with some of those VPN centers you mentioned - location, location, location)

    - ISP issues on both client/server sides

    - client hardware issues

    - File copying is also something that will take a bigger hit - always has been with regards to VPN

    PFSense Plus 23.05 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | Fiber Conn (awaiting ATT Fiber)
    (Former Sophos UTM Veteran, XG Rookie)

  • I understand there will be some loss due to encryption and various other factors, but not an 80-90% speed hit.

    - The distance between the UTM and client is minimal. I even tried a VPN connection from the same network as the UTM, out to the internet, then back in, and noticed the same speed hit

    - Both ISPs are dedicated fibre links and have no issues

    - The client is connected directly to the fibre link via ethernet and is a high end i7 CPU machine with no issues

    - The speeds I am quoting are not file copying speeds, they are simple internet speedtests

  • Like I said, 10-20% is normal for VPN speed loss, but I wouldn't rely on internet speed tests - UTM screws with the results and doesn't provide accurate readings of those tests.

    You may want to actually do some file test transfers as well to see any difference.  Is this a remote client to the office?  Is there an option to have something like a Site-to-Site connection?


  • I know the UTM screws with tests, but I've completed tests on other sites and get consistent results.

    The idea of our VPN connections is that the clients VPN via full tunnel so all their web traffic is protected by our UTM's settings. Therefore throughput to the actual internet is just as important as transfer speeds to our local LAN resources. So if a user is completing a download from, say, Microsoft Visual Studio, a 90% reduction in throughput over the VPN is no good at all.

    I have completed some file transfer tests and using FTP I see pretty much the same as the internet speedtests. When using SMB I see lower; I assume this is due to latency and the nature of how SMB is built.

    There is no option for a site-to-site connection as these are client machines.

    I have also tried creating an IPsec VPN profile and tested it myself. I see almost the same speed limit as SSL VPN, so something isn't quite right.

  • For me this sounds like an MTU problem. Try lowering the MTU inside your client's LAN to 1320 for a first test.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
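    Rather than guessing a client MTU such as 1320, a practitioner would measure the path MTU. The following script is an added example (not from the thread, not Sophos or OpenVPN code): it binary-searches the largest DF-flagged ICMP echo payload that a path carries unfragmented and converts it to a path MTU (payload plus the 20-byte IPv4 header and 8-byte ICMP header). It assumes Linux iputils `ping` (`-M do` sets DF; macOS/BSD `ping` uses `-D` instead) and that ICMP echo is not filtered along the path.

```python
"""Path-MTU probe for a VPN tunnel.

Added example (not from the thread or from Sophos): find the largest
DF-flagged ICMP echo payload that crosses a path unfragmented by binary
search, then convert it to a path MTU. Run it twice: against the VPN
gateway's public address (underlay MTU) and against an internal host
through the tunnel (the MTU the tunnel can actually carry).
"""
import subprocess
import sys
from typing import Callable

# IPv4 header (20 bytes, no options) + ICMP echo header (8 bytes);
# the ping payload sits on top of these.
IPV4_ICMP_OVERHEAD = 20 + 8


def ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """True if a single DF-flagged echo with `payload` data bytes is answered.

    Assumes iputils ping (Linux): -M do sets DF, -s sets the payload size,
    -W is the reply timeout in seconds. A 'Frag needed' error or a timeout
    gives a non-zero exit status, which is treated as 'too big'.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def largest_passing_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload in [lo, hi] for which probe() succeeds.

    Assumes probe() is monotonic: succeeds up to some size, fails above it.
    Returns -1 when even `lo` fails (ICMP blocked, or the path is down), so the
    caller does not mistake a dead path for a tiny MTU.
    """
    if not probe(lo):
        return -1
    while lo < hi:                  # invariant: probe(lo) is True
        mid = (lo + hi + 1) // 2    # round up so lo always advances
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe: Callable[[int], bool], max_payload: int = 1472) -> int:
    """Path MTU in bytes (1472 payload + 28 = a full 1500), or -1 if nothing gets through."""
    payload = largest_passing_payload(probe, 0, max_payload)
    return -1 if payload < 0 else payload + IPV4_ICMP_OVERHEAD


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} HOST [HOST ...]", file=sys.stderr)
        return 2
    for host in argv[1:]:
        mtu = path_mtu(lambda size, h=host: ping_probe(h, size))
        if mtu < 0:
            print(f"{host}: no reply even to a minimal probe (ICMP filtered or path down)")
        else:
            print(f"{host}: largest unfragmented path MTU = {mtu} bytes")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Probe the gateway's public IP first with the VPN disconnected, then an inside host with the tunnel up; the gap between the two numbers is the tunnel's per-packet overhead, and the inside number is the largest MTU worth configuring on the client adapter. If the inside probe fails at every size while the outside one passes, ICMP is being dropped inside the tunnel and the DF-based search cannot be trusted.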

  • Yeah I'd have to agree at this point, MTU would be a good place to start.

