03-24-2010, 07:26 PM   #1
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15
Slow VPN Speed

I'm running Untangle 7.1 on a Dell Optiplex with 1G ram, Duo Core 2.0 GHz processor, one onboard NIC and one Intel GT 1000 NIC.

This box is sitting on a Comcast business class internet connection w/ 10M down and 2M up.

I've been testing the VPN speed with a single computer connecting to it. I consistently get 25 KB/sec. I've tried to connect to Untangle from multiple locations and multiple computers. The remote locations all sit on Comcast 20/4m connections and the remote computers are "supercharged" quad cores w/ 4g of ram.

I also tried a site to site VPN connection using another Untangle box. Again, the remote location is on a 20/4m Comcast connection and I'm still getting about 25 to 30 KB/sec...

Any ideas on how to improve the speed? On my pfSense setup over the same computers and inet connections I'm getting north of 200 KB/sec.

thx

03-24-2010, 09:32 PM   #2
dmorris (Untangle Junkie)
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,613

Could be an MTU issue.

That's all I can think of. Something is clearly wrong but I doubt it's resource limited - that machine should be able to push far more data than your connection can handle.

I tested OpenVPN on a Linksys box and got 700K/sec.
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com

03-24-2010, 09:36 PM   #3
Solignis (Untangle Ninja)
Join Date: Jul 2008
Location: Hudson, Ohio, USA
Posts: 1,670

What kind of NIC is the onboard one? I would look to that for a possible problem.
__________________
Easy things should be easy, and hard things should be possible. -- Larry Wall, Creator of perl

03-25-2010, 03:35 AM   #4
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15

Quote:
Originally Posted by Solignis
What kind of NIC is the onboard one? I would look to that for a possible problem.

Not exactly sure. I have the Intel NIC on the WAN and the onboard NIC on the LAN. It's a std Dell Optiplex, so I'm guessing the onboard NIC is Intel. Unfortunately I don't have another slot available for another GT 1000 - this is a small form factor machine...

I forgot to mention that I had this same exact problem with another Untangle setup where the OpenVPN server was on a Xeon processor, 1 g ram, SCSI drive, BUT with 2 Realtek NICs. I was getting 25 - 30 KB/sec on that setup. I assumed it was the Realtek NICs and unfortunately that machine will not recognize the Intel GT 1000 NICs so I moved to a completely new machine (the first one mentioned above) - but the speed is still really bad.

What should I expect to get? I was thinking 1MB/sec or more given that my upload speeds are consistently > 2 to 3 MB/sec and the computer load is < 1%.

04-17-2010, 01:03 PM   #5
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15

I finally put show traffic on a couple computers and basically what is happening is the traffic spikes to 200KB/sec and then back down to 0KB/sec. These spikes average out to about 30KB/sec. I turned off every component on Untangle but for OpenVPN and it's still happening.

I set up an ebox to ebox tunnel using OpenVPN on the same equipment and inet connections and am getting about 200KB/sec. This is definitely an Untangle issue or my Untangle setup.

Any thoughts?

04-17-2010, 03:12 PM   #6
dmorris (Untangle Junkie)
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,613

Still could be an MTU issue.

Is there anything in the eventlog? Is it disconnecting every few seconds or something?

04-18-2010, 05:44 PM   #7
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15

OK - making some progress

cat daemon.log I get....


Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 Re-using SSL/TLS context
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 LZO compression initialized
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1562'
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1504'
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 [dfriestedt_home_desktop] Peer Connection Initiated with xx.xx.39.130:62161
Apr 18 19:41:36 untangle ovpn-server[18039]: xx.xx.39.130:52927 Re-using SSL/TLS context
Apr 18 19:41:36 untangle ovpn-server[18039]: xx.xx.39.130:52927 LZO compression initialized
Apr 18 19:41:37 untangle ovpn-server[18039]: xx.xx.39.130:52927 [dfriestedt_home_desktop] Peer Connection Initiated with xx.xx.39.130:52927
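
One way to pull the MTU option warnings and the reconnect timing out of a daemon.log excerpt like the one in post #7 (an added example, not code from any poster, Untangle or OpenVPN). The function name `analyze` and the `year` default are assumptions, since syslog timestamps carry no year; the sample lines are copied from the post with the addresses masked as on the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: ovpn-server lines copied from the daemon.log excerpt in post #7.
SAMPLE_LOG = """\
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 LZO compression initialized
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1562'
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1504'
Apr 18 19:40:41 untangle ovpn-server[18039]: xx.xx.39.130:62161 [dfriestedt_home_desktop] Peer Connection Initiated with xx.xx.39.130:62161
Apr 18 19:41:36 untangle ovpn-server[18039]: xx.xx.39.130:52927 LZO compression initialized
Apr 18 19:41:37 untangle ovpn-server[18039]: xx.xx.39.130:52927 [dfriestedt_home_desktop] Peer Connection Initiated with xx.xx.39.130:52927
"""

PREFIX = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ovpn-server\[\d+\]: (\S+):(\d+) (.*)$")
MISMATCH = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, "
                      r"local='\1 (\d+)', remote='\1 (\d+)'")
CONNECT = re.compile(r"\[([^\]]+)\] Peer Connection Initiated")

def analyze(log_text, year=2010):
    """Return (mismatches, reconnect_gaps) parsed from OpenVPN server syslog lines."""
    mismatches = []                # (peer_ip, option, local, remote, remote - local)
    connects = defaultdict(list)   # client name -> connection timestamps
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue               # not an ovpn-server line for a peer
        stamp, peer_ip, _port, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        w = MISMATCH.search(msg)
        if w:
            opt, local, remote = w.group(1), int(w.group(2)), int(w.group(3))
            mismatches.append((peer_ip, opt, local, remote, remote - local))
        c = CONNECT.search(msg)
        if c:
            connects[c.group(1)].append(when)
    # Seconds between successive connections of the same client name.
    gaps = {name: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for name, ts in connects.items()}
    return mismatches, gaps

if __name__ == "__main__":
    found, gaps = analyze(SAMPLE_LOG)
    for peer, opt, local, remote, delta in found:
        print(f"{peer}: {opt} local={local} remote={remote} (delta {delta:+d})")
    for name, secs in gaps.items():
        print(f"{name}: seconds between connections: {secs}")
```

Run against the full daemon.log, the per-client gap list shows whether the same client keeps re-establishing the tunnel, and the delta column shows how far apart the two ends' MTU settings are.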

04-18-2010, 06:20 PM   #8
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15

I added

tun-mtu 1500

to the client config file and the two warning messages went away. However, now I'm getting

read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

And, my vpn connection keeps spiking to 200KB/sec then back to 0.

I've been doing a lot of reading about changing MTU... however there does not seem to be much about it w/ Untangle. Do I simply change MTU under admin - external interface?

Do I need to do anything with mssfix or fragment? If so, what specifically?

Last edited by dfriestedt; 04-18-2010 at 06:22 PM..

04-18-2010, 06:45 PM   #9
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15

I inserted mssfix 1450 in the server and client config and when I do the following the error messages all seem to be gone...

root@untangle# /etc/openvpn # /etc/init.d/openvpn restart [root @ untangle]
* Stopping virtual private network daemon [ OK ]
* Starting virtual private network daemon WARN: could not open database for 1536 bits. Skipped
[ OK ]
root@untangle# /etc/openvpn # tail -f /var/log/daemon.log [root @ untangle]
Apr 18 20:42:28 untangle ovpn-server[7304]: SIGTERM[hard,] received, process exiting
Apr 18 20:42:29 untangle ovpn-server[8608]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Apr 18 20:42:29 untangle ovpn-server[8608]: /usr/bin/openssl-vulnkey -q -b 1536 -m <modulus omitted>
Apr 18 20:42:29 untangle ovpn-server[8608]: TUN/TAP device tun0 opened
Apr 18 20:42:29 untangle ovpn-server[8608]: /sbin/ifconfig tun0 172.16.0.1 pointopoint 172.16.0.2 mtu 1500
Apr 18 20:42:29 untangle ovpn-server[8617]: GID set to nogroup
Apr 18 20:42:29 untangle ovpn-server[8617]: UID set to nobody
Apr 18 20:42:29 untangle ovpn-server[8617]: UDPv4 link local (bound): [undef]:1194
Apr 18 20:42:29 untangle ovpn-server[8617]: UDPv4 link remote: [undef]
Apr 18 20:42:29 untangle ovpn-server[8617]: Initialization Sequence Completed
Apr 18 20:43:09 untangle ovpn-server[8617]: xx.xx.39.130:61881 Re-using SSL/TLS context
Apr 18 20:43:09 untangle ovpn-server[8617]: xx.xx.39.130:61881 LZO compression initialized
Apr 18 20:43:10 untangle ovpn-server[8617]: xx.xx.39.130:61881 [dfriestedt_home_desktop] Peer Connection Initiated with xx.xx.39.130:61881


however, I still have the spiking issue....

04-19-2010, 05:14 PM   #10
dfriestedt (Untanglit)
Join Date: May 2008
Posts: 15

This issue is driving me crazy..... I'm now starting to think it's an issue with the internet coming into the VPN server location.

I ran http://n5.netalyzr.icsi.berkeley.edu/analysis/ at remote #1 and everything came back OK. Same for remote #2.

At VPN server location I got a ton of errors...

Major Abnormalities

* Your ISP's DNS server is slow to lookup names
* No DNS Port Randomization

Minor Aberrations

* Certain TCP protocols are blocked in outbound traffic
* Certain UDP protocols are blocked in outbound traffic
* The measured packet loss was somewhat high
* The network measured bursts of packet loss
* None of the server's bandwidth measurement packets arrived at the client
* An HTTP proxy was detected based on added or changed HTTP traffic
* Virus filtering appears to be present on your host or network
* The network blocks some or all EDNS replies
* The DNS resolver may have problems with DNSSEC
* Your DNS server accepts unusual glue records
* We received unexpected and possibly dangerous results when looking up important names
* Your computer's clock is slightly slow

Need to research further.

Last edited by dfriestedt; 04-19-2010 at 05:54 PM..

All times are GMT -7.