VPN is slow

IceDigger

[H]F Junkie
Joined
Feb 22, 2001
Messages
11,003
I have a vpn going from my work to home network. Using the built in openvpn on my Asus RT-AC68U router.

I have a 150/150 connection at work and I have a 1000/1000 connection at home.

When I connect in to the work network I average around 4MB/s from moving files from my work server to home.

Attached is the config for the routers openvpn settings.

Any recommendations on the settings?
screenshot.png
 

Eickst

[H]ard|Gawd
Joined
Aug 24, 2005
Messages
1,873
If you're moving files via SMB it's very latency sensitive. What's the latency to the server you are moving files to?
 

extide

2[H]4U
Joined
Dec 19, 2008
Messages
3,494
4MB/sec is 40-50Mbit, that's about as good as you can expect to get from OpenVPN on the lil 800Mhz ARM cores in there. You can try to reduce the encryption (that's where the bottleneck is), but it's always going to suck.

For better performance move to a PC based router using something like pfsense and use a CPU that has AES-NI.
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
429
Open VPN is single core, and the old ARM cores in these routers are not fast to begin with. So as other said it is probably the router speed as the #1 culprit. #2 culprit would be the windows file transfer will never really max out a connection across the internet either so you are losing some speed there too.

Using a 2.4GHz Kaby Lake CPU with hardware accelerated AES I am able to max out my connection speed of 75mb/s over VPN. I dont know how much higher it could go as my internet speed is already reached. So it is possible to get more speed than the 40~mb/s you have right now, you just need to have the right setup.
 
Joined
Mar 4, 2019
Messages
44
This is good info to have. I just tried to run NordVPN router based, and it knocked my 180Mb speed down to 15Mbps. I was beyond pissed. Cancelled that right quick. I have a spare Pentium-D based PC that I may throw PFSense on it. Thanks.
 

Joust

2[H]4U
Joined
Nov 30, 2017
Messages
3,924
I had a sophos box that was throttling me - atom based, I think. Swapped for a core2duo box with some RAM - MUCH better.

I have that same router. I put it and another one into AP duty for great WIFI!
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
429
This is good info to have. I just tried to run NordVPN router based, and it knocked my 180Mb speed down to 15Mbps. I was beyond pissed. Cancelled that right quick. I have a spare Pentium-D based PC that I may throw PFSense on it. Thanks.
If you run OpenVPN, you really want a more modern CPU with hardware accelerated AES built in. This will let the VPN run much faster on the CPU and will not be limiting you from your own processor, only the VPN server speed and extra hops at that point
 

Joust

2[H]4U
Joined
Nov 30, 2017
Messages
3,924
Do you consider it's worth it, then, to buy/build a little 1U server with something only a generation or two old and use that?
Could probably be older than that. It's not a terribly difficult task for modern standards. Very inexpensive gear should.be able to do it.
 
Joined
Mar 4, 2019
Messages
44
Could probably be older than that. It's not a terribly difficult task for modern standards. Very inexpensive gear should.be able to do it.
Sorry for the wicked late reply. Found a Dell PowerEdge R410 that has procs in it that support AES. Costs a whopping $120, so may snag that, and play with it. Thanks for the info.
 

IceDigger

[H]F Junkie
Joined
Feb 22, 2001
Messages
11,003
I got a bunch of ibm desktop i3 4th gens for free that I'm going to test out this week sometime for Nethserver with openvpn.
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
429
I got a bunch of ibm desktop i3 4th gens for free that I'm going to test out this week sometime for Nethserver with openvpn.
Haswell i3's should be good. Haswell Pentiums and Celerons do not support AES-NI.
Not all AES encryption types are accelerated, only the main ones are. So during your testing you should start with either AES-128-CBC or AES-256-CBC. I believe that -GCM is also supported, and GCM is faster for internet traffic VPN and more secure for internet traffic.
The higher the bit count the higher the security is, but the slower your speed will be. Above 256 really isnt practical right now unless you are doing military or other classified work over VPN. 128-bit encryption is the bare minimum nowadays.
Your DH key should be 4096-bit
 
Last edited:

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,658
To reiterate what EniGmA1987 said. You shouldn't be using and CBC ciphers at this point as your highest order suite. Everyone has moved the GCM variants above the CBC ones, so if choosing a suite always choose one with GCM as of 2020. Most web traffic on high volume sites seem to have settled on AES-128-GCM. Personally I'd just go the route of AES-256-GCM, DH 4096. Your not trying to do hundreds of connections, so there's not much in the way of optimization for you to worry about.
 
Top