
OpenVPN (SSL VPN) capped at around 20 Mbit/s up/down

Howdy :)


I'm a recent convert from pfSense. I now use Sophos UTM 9 (9.506-2) on the same hardware (Supermicro A1SAi-2750F, so an Atom C2750 SoC).

I have a 100/100 Mbps Internet link. Everything works very well, as expected. Everything except Remote Access SSL VPN (OpenVPN).


I did search the OpenVPN and Sophos forums and could not find a solution. The same setup saturates the entire bandwidth on the pfSense setup, so hardware limitations should not be an issue (and are not: RAM usage never exceeds 50% of the 8 GB installed, and CPU is around 25% at peak loads).

My openVPN setup:

UDP, port 1194

encryption: AES-256-CBC
authentication: SHA 256
Key Size 2048
Compress traffic - enabled


(I did try other encryption and authentication combinations, with no effect: still capped at 20 Mbps up/down.)
Performance is measured using iperf, over the Internet (from a 500/500 link), when connected over SSL VPN. When using other services (SFTP) I can consume the entire link, no problem. Tested with a Windows 10 machine, a Linux Mint machine, and an iPhone on iOS 9.

Other stuff I did:

Exception for intrusion prevention for 1:65535 -> 1194 for all checks

Disabled QoS (for testing)


Added the following options to the openvpn.conf-default (and the client one as well):

sndbuf 393216
rcvbuf 393216
fragment 0
mssfix 0
tun-mtu 48000


With no effect. Basically, whatever I do it is capped at around 20 Mbps, so 20% of the reported link speed.


iperf log:

-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 10.242.2.2, port 6563
[  5] local 192.168.5.7 port 5201 connected to 10.242.2.2 port 6564
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec  2.50 MBytes  20.9 Mbits/sec
[  5]   1.00-2.00   sec  2.89 MBytes  24.2 Mbits/sec
[  5]   2.00-3.00   sec  2.88 MBytes  24.2 Mbits/sec
[  5]   3.00-4.00   sec  1.59 MBytes  13.4 Mbits/sec
[  5]   4.00-5.00   sec  2.05 MBytes  17.2 Mbits/sec
[  5]   5.00-6.00   sec  2.36 MBytes  19.8 Mbits/sec
[  5]   6.00-7.00   sec  2.39 MBytes  20.1 Mbits/sec
[  5]   7.00-8.00   sec  2.78 MBytes  23.4 Mbits/sec
[  5]   8.00-9.00   sec  3.05 MBytes  25.6 Mbits/sec
[  5]   9.00-10.00  sec  2.63 MBytes  22.1 Mbits/sec
[  5]  10.00-10.05  sec   139 KBytes  21.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.05  sec  25.3 MBytes  21.1 Mbits/sec                  receiver
EDIT: spelling, grammar.

  • Yes, IPS is enabled but there is an exception for all traffic (all to dest port 1194)

    There is a CPU spike, but a single core never exceeds 70%. There is no latency (that I care about). The problem is the throughput (bandwidth usage).

    I did not reduce the MTU size. There is other traffic going through the internal (LAN) interface, so a better way would be to configure MTUs for OpenVPN only.

    (also how is it possible to do without editing the conf files or is it the only way?)

  • Reducing MTU will have minimal effect on other traffic - nothing you will notice.

  • The reduction for IPsec is 24 bytes, I think.  I don't know for OpenVPN, but at least 34.  I would try 1400, then 1450, then 1466.  Please report your results.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Everything I know is based on documentation from support . cisco . com

    On their site, click the magnifying glass icon on the upper right and search for this title.

    "IP Fragmentation and MTU Path Discovery with VPN"

    (I am not providing a link, because I don't think this forum allows links to anything non-Sophos related.)

    I read the document (or a previous draft) a long time ago, and cannot dive into the weeds of what it says, but this is the short version:

    Open the tunnel with the standard MTU setting.

    Use ping with the "don't fragment" option to find the largest packet that is not dropped. On Windows, the syntax is

    ping -f -l (value)

    The result is your MTU.  I actually used an inside MTU value a little lower than this test result because their document led me to believe that the encryption  overhead had some variability.

  • We had this problem with users connected via an uplink with DS-Lite.

    In client openvpn config a line

    link-mtu 1200

    helped
  • BUMP.

    Still testing and trying out settings. As of today no significant performance boost (I can get around 30 Mbps of VPN bandwidth on a 100 Mbps link) with all the suggested settings.

    Will try further testing and report my findings.

  • You can see if an MTU is too large with:

    ping -I 172.16.1.1 172.16.2.1 -s 1500 -M do

    172.16.1.1 is the IP of "Internal (Address)" for your local UTM and 172.16.2.1 is that of the remote device.

    Using that repeatedly, I found that the optimal MTU for the IPsec VPN between our lab and the UTM in AWS is 1378.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
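Both of Bob's posts above describe the same manual procedure: send DF-flagged pings of increasing size until one is dropped, and treat the largest one that passes as the path MTU. The script below is an added example (not from this thread, Sophos, or the OpenVPN project) that automates that search with a binary search over the ping payload size. It assumes Linux iputils `ping` syntax (`-M do -s N -I source`) as in the post above; the Windows equivalent is `ping -f -l N`. The 28-byte adjustment is the IPv4 plus ICMP header, which `-s`/`-l` do not include, so a 1472-byte payload that passes corresponds to a 1500-byte MTU. The `simulated_probe` is a constructed stand-in that lets the search run offline; the `1378` in `main` is only the value reported in the post, used as a demo.

```python
import subprocess
import sys
from typing import Callable, Optional

# ping -s (Linux) and ping -l (Windows) set the ICMP payload only; the packet on
# the wire is 20 bytes of IPv4 header + 8 bytes of ICMP header larger.
ICMP_IP_HEADER = 28


def make_ping_probe(target: str, source: Optional[str] = None) -> Callable[[int], bool]:
    """Build a probe that sends one DF-flagged echo request with the given payload.

    Linux iputils syntax as used in the post above (-M do == don't fragment).
    Returns True when the echo reply arrives, False when it is dropped or
    "message too long" is reported locally.
    """

    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload)]
        if source:
            cmd += ["-I", source]
        cmd.append(target)
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0

    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed offline stand-in: a DF packet passes iff it fits the path MTU."""
    return lambda payload: payload + ICMP_IP_HEADER <= path_mtu


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload size in [lo, hi] that the probe accepts.

    Relies on the DF/MTU property being monotonic: if a size passes, every
    smaller size passes too. Returns -1 if even `lo` is rejected.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def discover_mtu(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Return the path MTU implied by the largest passing payload, or -1."""
    payload = find_max_payload(probe, lo, hi)
    return -1 if payload < 0 else payload + ICMP_IP_HEADER


if __name__ == "__main__":
    # Usage: python mtu_probe.py <remote_ip> [<source_ip>]   (live DF ping search)
    # With no arguments it runs against the simulated 1378-byte path from the post.
    if len(sys.argv) > 1:
        src = sys.argv[2] if len(sys.argv) > 2 else None
        print("path MTU:", discover_mtu(make_ping_probe(sys.argv[1], src)))
    else:
        print("simulated path MTU:", discover_mtu(simulated_probe(1378)))
```

The search takes about eleven probes instead of walking through candidate sizes by hand, and because the probe is a plain function you can point it at any tunnel endpoint (the UTM's internal address and the remote side's, as in the post). When setting `tun-mtu` from the result, remember that the value found here is the MTU of the path that carries the encrypted packets; the tunnel interface MTU must be smaller by the OpenVPN, TLS and UDP/IP overhead, which is why the posts above suggest starting lower and working up.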
  • Been doing some testing as well, and I've been capped to 2 Mbps on a 1/1GB line. Switched from UDP to TCP and now reach around 20 Mbps from a 4G road-warrior workstation. I've done some other testing on a competing solution with a dedicated SSL VPN client/drivers, and on the same setup I'm reaching 35/40 Mbps, this with all weak ciphers banned at that solution's SSL VPN daemon.

    I'm using the latest OpenVPN client (openvpn-install-2.4.4-I601.exe) to reach my Sophos lab.

    Cheers,
    m

  • This is what my testing shows as well. As I weaken the ciphers I get faster speeds.

    With a combination of MTU settings and the other suggested stuff I get around 20-30 Mbps. On the other hand, I see no hardware bottleneck (CPU load and such).

    I have now assumed that this is how OpenVPN works on Sophos, and am using it that way.

    Thanks all for your input!