Relatively slow speed over OpenVPN

Hi
I am currently using OpenVPN on IPFire for remote access from abroad to my internal network at home.
ISP speeds: IPFire 150 down / 40 up; client: 200 down / 60 up
When using the VPN connection to access the IPFire network (upload to IPFire) I get speeds of around 20-25 mbit (iperf3). This seems rather low to me (expected at least 50 mbit). Is this a reasonable expectation with my current setup? If yes, what do I have to change to get there? If no, is there an alternative (other software/hardware etc.) to get there?

My hardware: fireinfo.ipfire.org - Profile 6c0dfc9c42368df336962559d937d348fac8d1df

My OpenVPN config (I already changed some stuff by hand, see at the bottom plus mssfix and mtu, and this gave me the best results so far):

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local XXX.XXXXXXX.com
dev tun
proto udp
port 1194
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.134.165.0 255.255.255.0
tun-mtu 1500
route 10.134.166.0 255.255.255.0
mssfix 1300
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-auth /var/ipfire/ovpn/certs/ta.key
push "dhcp-option DNS XXX.XXX.XXX.XXX"
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"
# added by hand
sndbuf 3399999
rcvbuf 3399999
push "sndbuf 3399999 "
push "rcvbuf 3399999 "

Any help would be greatly appreciated!

Not an expert. I hope you get better suggestions from someone else.

I would check the speed from IPFire console using speedtest-cli (it’s available as a package). This should give you a more realistic speed from your IPFire box to and from the WAN.

Also I would check the speed from a host in green to IPFire with iperf; this would give you a speed inside your LAN and measure the throughput of your network cards.

Finally I would check the CPU activity during an ssh connection from the internet to your box. Maybe the encryption/decryption is introducing a bottleneck in the CPU?

Thanks for your reply.
I already checked all the speeds. The connections from both networks to WAN are as advertised ±5 mbit.
From a host inside the green network to IPFire is around 800 mbit, so around what I would expect (gigabit).
As far as I can see the CPU is not the problem (the system information page on the IPFire web GUI shows 28% peak usage over the last 2 days).

The following thread talks about OpenVPN slowness of speed.

https://community.ipfire.org/t/speed-openvpn-vs-ssh/4691

I think status/system in the WUI of IPFire reports the total % of CPU usage as a sum of all the cores. I do not know if/when the CPU activity in an OpenVPN session can be unloaded on all cores. If it cannot, you would see on the IPFire WUI a low number, like 28%, and in that number you would have a 25% of 1 core out of 4 completely maxed out. Just to be sure, while on a VPN session where you are using iperf, I would also open an ssh session to your IPFire terminal and use top to check what the different cores are doing. If you have 4 cores, and one of them is at 100%, there you have your bottleneck.

As an alternative hypothesis, do you have Quality of Service activated?

Finally, experimenting with MTU values? See: Optimizing OpenVPN Throughput | Hamy - The IT Guy and this https://haydenjames.io/improving-openvpn-performance-and-throughput/

When I tested my MTU using the ping method, I found out that an MTU of 1500 was too high and the correct value is 1470, so, according to the link above, I set it for OpenVPN to 1430. I did not notice any particular change, but I also did not test the speed with the two MTUs.
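The per-core check suggested in the post above, as an added example that is not part of the original thread: it compares two `/proc/stat` snapshots and shows how an all-core figure of 28% can hide one core running at 100%. The snapshot values are constructed for illustration, and the function names (`parse_stat`, `utilisation`, `saturated_cores`) are hypothetical helpers, not IPFire tools.

```python
import time

# Constructed /proc/stat snapshots (not from the poster's box): 4 cores, taken
# 1000 jiffies apart. Columns: user nice system idle iowait irq softirq steal ...
BEFORE = """\
cpu  4000 0 2000 34000 0 0 0 0 0 0
cpu0 1000 0 500 8500 0 0 0 0 0 0
cpu1 1000 0 500 8500 0 0 0 0 0 0
cpu2 1000 0 500 8500 0 0 0 0 0 0
cpu3 1000 0 500 8500 0 0 0 0 0 0
"""
AFTER = """\
cpu  4360 0 2260 36880 0 0 500 0 0 0
cpu0 1300 0 700 8500 0 0 500 0 0 0
cpu1 1020 0 520 9460 0 0 0 0 0 0
cpu2 1020 0 520 9460 0 0 0 0 0 0
cpu3 1020 0 520 9460 0 0 0 0 0 0
"""

def parse_stat(text):
    """Map each cpu line to (busy, total) jiffies; idle and iowait count as not busy."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("cpu"):
            vals = [int(v) for v in parts[1:9]]  # guest time is already inside user
            counters[parts[0]] = (sum(vals) - sum(vals[3:5]), sum(vals))
    return counters

def utilisation(before, after):
    """Percent busy per cpu line between two snapshots ('cpu' is the all-core figure)."""
    a, b = parse_stat(before), parse_stat(after)
    util = {}
    for name in a.keys() & b.keys():
        d_busy, d_total = b[name][0] - a[name][0], b[name][1] - a[name][1]
        util[name] = round(100.0 * d_busy / d_total, 1) if d_total > 0 else 0.0
    return util

def saturated_cores(util, threshold=90.0):
    """Individual cores at or above the threshold, ignoring the aggregate line."""
    return sorted(n for n, pct in util.items() if n != "cpu" and pct >= threshold)

if __name__ == "__main__":
    demo = utilisation(BEFORE, AFTER)
    print("constructed sample:", sorted(demo.items()), saturated_cores(demo))
    first = open("/proc/stat").read()   # live measurement: run while iperf3 is active
    time.sleep(5)
    live = utilisation(first, open("/proc/stat").read())
    print("live:", sorted(live.items()), "saturated:", saturated_cores(live))
```

Run on the firewall itself, the live part only means something while the iperf3 transfer through the tunnel is in progress.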

Thanks for the reply. QoS is not enabled.
I will look into the per-core CPU usage as well as the MTU values tomorrow and will report back then :slight_smile: