openVPN (SSL VPN) capped at around 20Mbit/s Up/down

Question

Howdy :) I'm a recent convert from PFSense. I now use Sophos UTM 9 (9.506-2) on the same hardware (Supermicro A1SAi-2750F - so an Atom C2750 SoC) I have a 100/100 Mbps Internet link. Everything works very good, as expected. Everything except Remote access SSL VPN (openVPN). I did search the openvpn and Sophos forums and could not find a solution. The same setup saturates the entire bandwidth on the PFsense setup, so hardware limitations should not be an issue (And are not - RAM usage never exceeds 50% of 8GB installed, and CPU is around 25% at peak loads) My openVPN setup: UDP, port 1194 encryption: AES-256-CBC authentication: SHA 256 Key Size 2048 Compress traffic - enabled (I did try other encryption and authentication combinations, with no effect - still capped @20Mps U/D) Performance is measured using iperf, over the internet (from a 500/500 link, when connected over SSL VPN. When using other services (SFTP) I can consume the entire link, no problem. Tested with Windows10 machine, Linux Mint Machine, iphone iOS 9 Other stuff I did: Exception for intrusion prevention for 1:65535 -> 1194 for all checks Disabled QoS (for testing) Added the following options to the openvpn.conf-default (and the client one as well): sndbuf 393216 rcvbuf 393216 fragment 0 mssfix 0 tun-mtu 48000 With no effect. Basically whatever I do it is capped@ around 20 Mbps, so 20% of the reported link speed. iperf log: 
 
 ----------------------------------------------------------- Server listening on 5201 ----------------------------------------------------------- Accepted connection from 10.242.2.2, port 6563 [ 5] local 192.168.5.7 port 5201 connected to 10.242.2.2 port 6564 [ ID] Interval Transfer Bandwidth [ 5] 0.00-1.00 sec 2.50 MBytes 20.9 Mbits/sec [ 5] 1.00-2.00 sec 2.89 MBytes 24.2 Mbits/sec [ 5] 2.00-3.00 sec 2.88 MBytes 24.2 Mbits/sec [ 5] 3.00-4.00 sec 1.59 MBytes 13.4 Mbits/sec [ 5] 4.00-5.00 sec 2.05 MBytes 17.2 Mbits/sec [ 5] 5.00-6.00 sec 2.36 MBytes 19.8 Mbits/sec [ 5] 6.00-7.00 sec 2.39 MBytes 20.1 Mbits/sec [ 5] 7.00-8.00 sec 2.78 MBytes 23.4 Mbits/sec [ 5] 8.00-9.00 sec 3.05 MBytes 25.6 Mbits/sec [ 5] 9.00-10.00 sec 2.63 MBytes 22.1 Mbits/sec [ 5] 10.00-10.05 sec 139 KBytes 21.2 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth [ 5] 0.00-10.05 sec 0.00 Bytes 0.00 bits/sec sender [ 5] 0.00-10.05 sec 25.3 MBytes 21.1 Mbits/sec receiver

EDIT: spelling, grammar,

DouglasFoster · Accepted Answer

Everything I know is based on documentation from support . cisco . com 
 On their site, click the magnifying glass icon on the upper right and search for this title. 
 "IP Fragmentation and MTU Path Discovery with VPN" 
 (I am not providing a link, because I don't think this forum allows links to anything non-Sophos related.) 
 I read the document (or a previous draft) a long time ago, and cannot dive into the weeds of what it says, but this is the short version: 
 Open the tunnel with the standard MTU settting. 
 Use ping with the "don't fragment" option to find the largest packet that is not dropped. On Windows, the syntax is 
 ping -f -l (value) 
 The result is your MTU. I actually used an inside MTU value a little lower than this test result because their document led me to believe that the encryption overhead had some variability.

BAlfson · Answer

The reduction for IPsec is 24 bytes, I think. I don't know for OpenVPN, but at least 34. I would try 1400, then 1450, then 1466. Please report your results. 
 Cheers - Bob

papa_ · Answer

We had this problem with users connected via an uplink witth DS lite. 
 In client openvpn config a line 
 link-mtu 1200 
 helped

BAlfson · Answer

You can see if an MTU is too large with: 
 ping -I 172.16.1.1 172.16.2.1 -s 1500 -M do 
 172.16.1.1 is the IP of "Internal (Address)" for your local UTM and 172.16.2.1 is that of the remote device. 
 Using that repeatedly, I found that the optimal MTU for the IPsec VPN between our lab and the UTM in AWS is 1378. 
 Cheers - Bob

Mokaz · Answer

Been doing some testings as well and i've been capped to 2Mbps on a 1/1GB line. Switched from UDP to TCP and reach now around 20Mbps from a 4G road warrior workstation. I've done some other testing on a competitive solution with dedicated SSLVPN client/drivers and on the same setup i'm reaching 35/40Mbps this with all weak ciphers banned at the SSLVPN daemon from that solution.. I'm using the latest OpenVpn client ( openvpn-install-2.4.4-I601.exe ) to reach my Sophos lab.. 
 Cheers, m