tunnel throughput asymmetry on symmetric fiber

Post Reply
svar
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 14, 2020 8:20 pm

tunnel throughput asymmetry on symmetric fiber

Post by svar » Mon Sep 14, 2020 8:57 pm

I'm trying to figure out some asymmetric throughput issues on my openvpn VM running at my office. The office is on 500Mb symmetric fiber, and my home is on 1Gb symmetric fiber. I'm doing SMB file copies to/from my office file server VM. Inbound transfers to the file server run about 400Mb/sec, and outbound file transfers from the file server to me are about half, at around 200Mb/sec.

Wireshark on either end shows no fragmented packets, although on the originating side (either me or the file server) I can see the bytes in flight climb until openvpn starts dropping incoming packets and we get into a re-transmission sequence.

I'm using AES-128-GCM. aes-ni is working on the openvpn VM.

If the openvpn VM can't keep up, then why is the throughput asymmetric? Is it more difficult for openvpn to encrypt rather than decrypt?

Neither the file server vm nor the openvpn vm show any appreciable cpu utilization.

Also, the file server vm and the openvpn vm share the same lag team. There are 5 team members (1Gb) and since it's the same virtual switch, the inter-vm data rates are high. Am I just blowing the receive buffer on eth0 on my openvpn server, and putting it into a re-transmission condition that is wrecking my outgoing throughput? I'm going to put the openvpn server on its own vswitch and run some additional tests. I just haven't gotten that far yet.

My access server version is 2.8.6 and my openvpn client version (windows) is 3.2.1.

Any ideas for testing would be appreciated.

Thanks.

svar
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 14, 2020 8:20 pm

Re: tunnel throughput asymmetry on symmetric fiber

Post by svar » Tue Sep 22, 2020 1:39 pm

The problem ended up being the net transport filter being applied to traffic from my file server to the openvpn vm. It was being set to internet. I created a destination prefix filter for my VM lan and set all that traffic to datacenter. That solved the dropped packet issues.

Now I'll just need to create a custom transport filter for the connection that maximizes the performance without blowing up the connection.

Post Reply