
Thread: Slow VPN

  1. #1
    Untangler
    Join Date
    Aug 2011
    Posts
    80

    Slow VPN

    I've read a few threads about this topic, but each thread had the suggestion to not hijack it, but rather to post a new thread, assuming each issue to troubleshoot would be specific to the poster. So, here's my post.

    Celeron G3900, 8GB RAM, dual gig NICs, SSD.

    My ISP generally gives me 170mbps when directly connected to the cable modem. Through pfsense, I was getting 150-170mbps. With PIA VPN, and pfsense, I was getting 110-130mbps.

    With Untangle, same hardware, no VPN, 110mbps. With PIA VPN and Untangle, 35-55mbps.

    I am using udp and configured the tunnel based on the Untangle howto that was presented in some of the threads here (download the config file, make a few changes etc).

    Monitoring the CPU usage during normal traffic, CPU use is absolutely minimal (the layer 3 vs layer 7 argument).

    Looking for help on where I can begin to troubleshoot this.

    Thanks

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346


    There is nothing to troubleshoot. Untangle is vastly heavier than pfSense; your CPU simply doesn't have the power to do what you're trying to do. If you want 100mbit through a VPN, you're going to need an i3 or something equivalent. If the Celeron you had was one of the hex or oct core models, it would probably work, but that little dual core is straining just to push the wirespeed you've asked of it without the VPN. I'd expect that platform to top out around 200mbit without any additional overhead.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Aug 2011
    Posts
    80


    Thanks for the reply. Curious why this (the CPU pegging) isn't visible in the CPU meter when traffic is flowing.... if the CPU is having trouble with the encryption, shouldn't I be seeing it as high CPU use?

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346


    Originally posted by tucansam:
        Thanks for the reply. Curious why this (the CPU pegging) isn't visible in the CPU meter when traffic is flowing.... if the CPU is having trouble with the encryption, shouldn't I be seeing it as high CPU use?

    Not always, indeed almost never. Windows has the same problem: the CPU readouts are for stuff in user land, but when the kernel is busy doing things the meters don't reflect it. And if you think about it, after a certain point you don't want the OS wasting time reporting on everything, because you'd never get anything else done.

    So with Untangle, you'll see CPU load if the UVM gets busy, but if your box is losing CPU cycles supporting the NICs because they're trash, or because they cannot offload encryption... all you get is slow.

    Windows servers acting as hypervisors suffer here as well; it's a constant fight trying to profile the systems.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Aug 2011
    Posts
    80


    Well, the NICs are Intel, and I bought the G3900 specifically because it supported AES. pfsense ran like a raped ape (I had a lot of problems with it, to be fair) and I understand Untangle being more resource intensive. I suppose I could look into an i3 or i5.....

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346


    Originally posted by tucansam:
        Well, the NICs are Intel, and I bought the G3900 specifically because it supported AES. pfsense ran like a raped ape (I had a lot of problems with it, to be fair) and I understand Untangle being more resource intensive. I suppose I could look into an i3 or i5.....

    Just because the CPU supports it doesn't mean the software does, but I will admit that configuration sounds like it should be running fine. Sadly, the proof is in the benchmarks. And yes, Untangle is VERY heavy, but once you meet the minimum bar it scales far better than pfsense does. I love both platforms for different purposes; I use them both heavily.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangler
    Join Date
    Aug 2011
    Posts
    80


    There is a checkbox under pf's general config that specifically tells it to use the CPU for AES; does UT have the same? I may test ipfire as well just to see what happens.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346


    Originally posted by tucansam:
        There is a checkbox under pf's general config that specifically tells it to use the CPU for AES; does UT have the same? I may test ipfire as well just to see what happens.

    There is not within the UI; however, you can get into the terminal and run this:

    and play with the stuff in here: https://www.cyberciti.biz/faq/how-to...-linux-system/

    I have never confirmed a system running Untangle to use AES-NI. I've sold systems that carry the hardware, but the clients that purchased them never afforded me the opportunity to confirm it. Such systems were huge Xeon servers, so the offloading wouldn't have changed much for them anyway, but in the case of these small Celeron units, it would be nice.

    But even if your system has all this enabled, there's no guarantee the services on it would use it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangler
    Join Date
    Aug 2011
    Posts
    80


    Good link.

    Some commands work, some don't (cpuid).

    Some commands list AES, some commands don't.

    At the very least, 'openssl engine' does NOT show use of AES, although many of the other commands list AES clearly as a known CPU feature, etc. (i.e., all of the commands prior to the section using 'cpuid' list AES.)

    So I guess the bottom line is, I still don't know if AES is being done on the CPU, or, more specifically, if Untangle is using the CPU to full advantage.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346


    Some of the digging I've done on the topic indicates that OpenVPN 2.4 basically cannot have AES-NI disabled, so if you see it in OpenSSL, it's online and working. But those same discussion threads indicate that 2.4 butchered transfer speeds relative to 2.3.

    Sadly, I don't have much to go on myself because I don't have that type of hardware here to test with. However, I would be curious to know what your compress commands are in your OpenVPN module. I know Untangle has a separate module for the WAN VPN, but I think it still uses the same OpenVPN instance. And, one substantial issue here is that OpenVPN servers are single threaded. So if your single core CPU performance isn't strong enough, you'll get terrible throughput even with the offloading enabled. That seems to be what is happening in your case.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
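
An added example, not part of the original thread: a shell script for the two checks discussed in posts #3 through #9, whether the CPU advertises the AES flag and how much CPU time during a transfer goes to the kernel (system, irq, softirq) rather than user space. The sample cpuinfo and /proc/stat lines are constructed, and the aes-128-cbc cipher in the optional benchmark is an assumption, since the thread does not state the tunnel's cipher.

```shell
#!/bin/bash
# Added example. On a real box: cpu_has_aes /proc/cpuinfo, and feed cpu_split
# two readings of the first line of /proc/stat taken during a VPN transfer.

# Return 0 if the first "flags" line lists the aes (AES-NI) feature as a whole word.
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Print "user% kernel%" of total CPU time between two aggregate "cpu" lines.
# /proc/stat fields after the label: user nice system idle iowait irq softirq steal
cpu_split() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= 9; i++) a[i] = $i }
        NR == 2 {
            for (i = 2; i <= 9; i++) { d[i] = $i - a[i]; total += d[i] }
            if (total <= 0) { print "0 0"; exit }
            # user = user + nice; kernel = system + irq + softirq
            printf "%d %d\n", 100 * (d[2] + d[3]) / total, 100 * (d[4] + d[7] + d[8]) / total
        }'
}

# Optional, not run below: OpenSSL AES throughput with and without AES-NI.
# OpenSSL 1.0.1 and later use AES-NI inside the EVP code path, not through an
# engine, so the check is a speed comparison with the capability bits masked.
openssl_aes_bench() {
    openssl speed -evp aes-128-cbc   # cipher is an assumption
    OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-128-cbc
}

# --- constructed sample input ---
sample=$(mktemp)
printf 'model name\t: Constructed CPU\nflags\t\t: fpu sse4_2 aes avx2\n' > "$sample"
if cpu_has_aes "$sample"; then echo "AES flag: present"; else echo "AES flag: absent"; fi
rm -f "$sample"

before='cpu 1000 0 500 8000 100 10 90 0'    # constructed reading 1
after='cpu 1050 0 700 8600 100 20 230 0'    # constructed reading 2
echo "user% kernel%: $(cpu_split "$before" "$after")"
```

A high kernel share with a low user share during a transfer points at packet handling (softirq) rather than the user-space OpenVPN process.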
