[GLLUG] Openvpn overhead?
John Edwards
john at cornerstonelinux.co.uk
Wed Apr 4 19:25:48 UTC 2018
Hi
On Wed, Apr 04, 2018 at 07:58:22PM +0100, Tim Woodall via GLLUG wrote:
> Hi all,
>
> I have a wifi link between two (debian) firewalls that are in separate
> premises. I'd like to put a wired link in but that requires getting some
> permissions so it won't be quick (although it's simple to do)
>
> Over the wifi link I can scp data at at least 1MB/s which isn't great
> but it's not too bad. iwconfig says the connection is at 150Mb/s so in
> theory I should be able to do 10x that. (One end is an access point into
> a 100Mb ethernet link while the other end is a USB wifi dongle so I'm
> not expecting 15MB/s)
>
> Over that wifi link I then run a udp openvpn link. I've tried both tun
> and tap devices.
> When I copy over the openvpn link I get around 100KB/s.
As an opposite data point, I can get about 5MBytes/s using OpenVPN
over an FTTC VDSL connection (without any Wi-Fi). So I don't think
that OpenVPN itself or the CPU should be a limiting factor.
> If, while the copy over the openvpn link is running, I then do another
> copy over the wifi link the wifi copy runs at around 800KB/s and the
> openvpn copy drops to about 10-20KB/s
>
>
> Does anyone have any ideas why the openvpn link is so slow? I've tried
> reducing MTU in case it was fragmentation problems.
I would check the OpenVPN logs at each end to check for problems,
especially things like "replay-window backtrack occurred" which might
indicate dropped or out of order packets.

I've had problems in the past with OpenVPN over unreliable Wi-Fi
connections (and most common wireless networking is unreliable to a
degree). My suspicions are that because OpenVPN uses UDP it does not
cope as well with dropped Wi-Fi packets as a straight TCP connection
like HTTP.
--
#---------------------------------------------------------#
| John Edwards Email: john at cornerstonelinux.co.uk |
#---------------------------------------------------------#
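One way to run the log check suggested above, as an added example that is not part of the original message: it counts "replay-window backtrack occurred" lines, tracks the deepest backtrack against the `--replay-window` size (64 packets is OpenVPN's default) and reports the busiest minute. The bracketed depth after the message, the "bad packet ID" line layout and the timestamp format are assumptions about the log format, and the sample lines are constructed.

```python
import re
from collections import Counter

# The first message text is the one quoted in the post; the bracketed depth
# after it and the timestamp layout are assumptions about the log format.
BACKTRACK = re.compile(r"replay-window backtrack occurred \[(\d+)\]")
BAD_ID = re.compile(r"bad packet ID \(may be a replay\)")
MINUTE = re.compile(r"\b(\d\d:\d\d):\d\d\b")

def summarise(lines, window=64):
    """Summarise reordering and drop indicators in OpenVPN log lines.

    window is the --replay-window size in packets (OpenVPN defaults to 64).
    """
    depths, bad_ids, per_minute = [], 0, Counter()
    for line in lines:
        m = BACKTRACK.search(line)
        if m:
            depths.append(int(m.group(1)))      # out-of-order arrival
        elif BAD_ID.search(line):
            bad_ids += 1                        # packet rejected by replay check
        else:
            continue
        t = MINUTE.search(line)
        per_minute[t.group(1) if t else "unknown"] += 1
    worst = max(depths, default=0)
    return {
        "backtrack_events": len(depths),
        "max_backtrack": worst,
        "bad_packet_ids": bad_ids,
        # A depth at or beyond the window means late packets fall outside it.
        "outside_window": worst >= window,
        "busiest_minute": per_minute.most_common(1)[0] if per_minute else None,
    }

# Constructed sample lines, not taken from any real log.
SAMPLE = [
    "Wed Apr  4 19:20:01 2018 Initialization Sequence Completed",
    "Wed Apr  4 19:21:13 2018 PID_ERR replay-window backtrack occurred [1]",
    "Wed Apr  4 19:21:47 2018 PID_ERR replay-window backtrack occurred [3]",
    "Wed Apr  4 19:22:05 2018 PID_ERR replay-window backtrack occurred [17]",
    "Wed Apr  4 19:22:40 2018 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #4107 ]",
    "Wed Apr  4 19:22:41 2018 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #4108 ]",
    "Wed Apr  4 19:22:58 2018 PID_ERR replay-window backtrack occurred [70]",
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it against the logs from both ends and comparing the busiest minute with the time of the concurrent copy shows whether reordering tracks load on the Wi-Fi link.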