Slow OpenVPN Speeds over Gigabit WAN
Posted: Thu Mar 12, 2020 2:58 pm
Hi Guys
This is my first post in this forum! Thanks for having me.
I am having troubles getting a good performance on an OpenVPN installation using latest Access Server and OpenVPN Connect Client.
We are a medium sized media group and due to the current situation in europe with the virus, we are looking to have a VPN solution that is trimmed to performance, instead of high security! On the Server side we have a symmetrical gigabit WAN connection, and the ESXI installation is connected over 40Gb/s fiber optics. We do have a Firewall running between the switches/OpenVPN Server and the WAN connection, so that is something to keep in mind. Speedtest of this Gigabit WAN to the nearest available external speedtest server gives us something around 800mbit/s up and download.
On the client side on a completely other ISP in a building 6 miles away i am also testing with a symmetrical gigabit connection. With speedtests i am coming in at around 700mbit/s up and down. So theoretically the highest available bandwith in this scenario on paper is 700mbit/s
I am running the Access Server ESXI virtual machine on 24 Cores Xeon CPU, 16GB RAM with the Virtual Harddrive having a tested 300-400MB/s read and write speeds. On the client side i am testing with a 8-Core MacOS client and a 12-Core Windows 10 client, both with a gigabit connection to a switch on the same gigabit WAN connection.
I have tested the speeds below with iperf3 both on the MacOS and Windows 10 VPN Client to iperf3 running on the VPN Access Server itself over the VPN Tunnel by using
When i just set up OpenVPN Access Server and disable the cipher by setting "cipher none", i am getting around 60-80mbit/s
I have followed this guide to disable the cipher:
https://openvpn.net/vpn-server-resource ... ss-server/
I have then followed this guide and read through it to do some more testing and performance improving:
https://community.openvpn.net/openvpn/w ... orks_Linux
The best i could get was 200-250mbit/s by using the following settings on both the server and the client:
However, this only reflects in MacOS, in Windows it is still at 60-80mbit/s
Those speeds i am seeing, pretty closely resemble what i am getting when transfering files over AFP on the MacOS and SMB on the Windows 10 machine. For this, i am using a 140TB fileserver we have in the same local subnet as the VPN Access Server connected over multi 20Gbit/s fiber optics. Local speeds on this fileserver over gigabit ethernet are saturating a gigabit connection with around 120MB/s.
Somewhere in the guide, it states that using MTU changes doesn't help if you're going over the WAN, but i'm not sure how that translates to my setup, since it seems tuning the MTU gets me alot better performance. Also what's kind of strange is that they get speeds with that are nearly close to saturating a gigabit connection. A lot in this article is mainly for tuning the cipher and encryption method, so for me, this means i should see speeds closer to 600-700 mbit/s on both MacOS and Windows even without tuning most of the things in their guide, since i am using no encryption at all except that i have not set
I am using only UDP for the VPN, i only opened up this Port and the HTTPS for the Webclient on the Firewall. I have set the VPN Server to use multi-daemon mode, and have set it accordingly to my 24 Core CPU to 24 daemons. I have checked CPU usage on both clients and the Server and it is pretty much zero as expected since i am not using any encryption for the traffic. I am not sure how to use the setting, because i think we do want authentication to the VPN by using local db users or RADIUS, and not just anybody can connect. But i am not sure if that is the same, or if this is some different auth setting...
The Firewall that is in between really is just configured to route traffic through from the WAN to the OpenVPN Server, i am not sure if it does anything with the packages. I will try to get more info on that by our partner that did the Firewall installation, but maybe we can find a solution that doesn't require reconfiguring the firewall but just optimizing the VPN itself.
Sorry if i forgot any important infos. Panic broke out here the last few days in the company because of COVID and that's why i had to look into OpenVPN really quick and dirty yesterday and have worked my way onto a working solution in just one day, but i am in no means a pro when it comes to OpenVPN! Thank you alot in advance for every single tip you can give me regarding Performance boosts!
This is my first post in this forum! Thanks for having me.
I am having troubles getting a good performance on an OpenVPN installation using latest Access Server and OpenVPN Connect Client.
We are a medium sized media group and due to the current situation in europe with the virus, we are looking to have a VPN solution that is trimmed to performance, instead of high security! On the Server side we have a symmetrical gigabit WAN connection, and the ESXI installation is connected over 40Gb/s fiber optics. We do have a Firewall running between the switches/OpenVPN Server and the WAN connection, so that is something to keep in mind. Speedtest of this Gigabit WAN to the nearest available external speedtest server gives us something around 800mbit/s up and download.
On the client side on a completely other ISP in a building 6 miles away i am also testing with a symmetrical gigabit connection. With speedtests i am coming in at around 700mbit/s up and down. So theoretically the highest available bandwith in this scenario on paper is 700mbit/s
I am running the Access Server ESXI virtual machine on 24 Cores Xeon CPU, 16GB RAM with the Virtual Harddrive having a tested 300-400MB/s read and write speeds. On the client side i am testing with a 8-Core MacOS client and a 12-Core Windows 10 client, both with a gigabit connection to a switch on the same gigabit WAN connection.
I have tested the speeds below with iperf3 both on the MacOS and Windows 10 VPN Client to iperf3 running on the VPN Access Server itself over the VPN Tunnel by using
Code: Select all
iperf -c <local VPN Server IP> -P 10
I have followed this guide to disable the cipher:
https://openvpn.net/vpn-server-resource ... ss-server/
I have then followed this guide and read through it to do some more testing and performance improving:
https://community.openvpn.net/openvpn/w ... orks_Linux
The best i could get was 200-250mbit/s by using the following settings on both the server and the client:
However, this only reflects in MacOS, in Windows it is still at 60-80mbit/s
Code: Select all
cipher none
txqueuelen 1000
mssfix 0
tun-mtu 24000
Somewhere in the guide, it states that using MTU changes doesn't help if you're going over the WAN, but i'm not sure how that translates to my setup, since it seems tuning the MTU gets me alot better performance. Also what's kind of strange is that they get speeds with
Code: Select all
cipher none
Code: Select all
auth none
Code: Select all
auth none
The Firewall that is in between really is just configured to route traffic through from the WAN to the OpenVPN Server, i am not sure if it does anything with the packages. I will try to get more info on that by our partner that did the Firewall installation, but maybe we can find a solution that doesn't require reconfiguring the firewall but just optimizing the VPN itself.
Sorry if i forgot any important infos. Panic broke out here the last few days in the company because of COVID and that's why i had to look into OpenVPN really quick and dirty yesterday and have worked my way onto a working solution in just one day, but i am in no means a pro when it comes to OpenVPN! Thank you alot in advance for every single tip you can give me regarding Performance boosts!