Mikrotik AWS to Mikrotik Home Tunnel bad performance

Dear all,
I have one Mikrotik CHR on AWS and one Mikrotik in my home. I have a gaming server and a Windows VM. I want my gaming server and Windows VM to use the AWS route for the traffic.
I have a 1Gbps internet connection at my home.
So I enabled the SSTP server on the CHR on AWS and the SSTP client on my home Mikrotik router, created a mark-routing rule in Mangle and added it to the routing table in Routes. (My Mikrotik at home is behind NAT & has no public IP.)
But when I test the speed on my game server or on the Windows VM, it shows only 20 Mbps.
And when I check on my home internet, it shows 1Gbps on the speed test.

If you’re using CHR, IPSec or WireGuard might be better choices than SSTP. MTU is pretty low with SSTP, so I’d imagine fragmentation may be why you’re seeing slower speeds.

But if you were looking for performance, especially for games, you could skip the EC2+CHR and set up either AWS Site-to-Site VPN or AWS Direct Connect directly to the Mikrotik. This avoids going through EC2 and CHR & likely has lower latency and better speed if you’re only using CHR as a VPN host for your home.

What is the model of your home MikroTik router?
Did you disable “fasttrack”?

Yes, I have no FastTrack enabled. And I have a Mikrotik 2011ui.

I want to use AWS VPN with my home Mikrotik.
But I have no public IP on my home Mikrotik. Which way or method will I use for Site-to-Site and AWS Direct Connect for Mikrotik?

For AWS VPN options to work, it needs to allow IPSec IKEv2… so ports 4500 and 500 must be forwarded by your ISP. If not, then AWS VPN won’t work here.

If you have V7, you can try using WG instead of SSTP to your current EC2 & see if that has better performance.

Alternatively, you can try lowering the MTU of the SSTP Server (under PPP > SSTP Server) to 1400 on the CHR side & see if that improves your performance. And make sure ICMP/ping is allowed through the AWS firewall and the RB2011 firewall (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping).

Is it possible to use Wireguard S2S VPN without a public IP on the (Home) Client router?

Yes, as long as one side has a public IP, which EC2 gives you. You do need to set keepalive in the WG peers.

One note: the RB2011 is pretty old & any VPN will use the CPU, so speed is never going to be the same as raw. But 20Mb for SSTP over a 1G uplink does seem like it’s MTU related; I’d try changing that first. E.g. the SSTP VPN is likely getting fragmented, which is almost certainly slowing down a TCP speedtest – but UDP game traffic may actually be faster than what your speedtest is reporting.

SSTP has 1500 MTU. Do I need to change this, or reduce it to 1400 or 1480?

I’d try 1420 (or 1400, which Windows defaults to for SSTP). I can’t promise it will help, but it’s simple to try.
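For reference, here is a RouterOS v7 sketch of the WireGuard alternative suggested in this thread (home router behind NAT dialing out to the CHR on EC2, with the keepalive, 1420 MTU and ICMP points mentioned above). This is an added example, not configuration posted by anyone in the thread; the keys, the EC2 address, the transfer net and the LAN IPs of the game server and Windows VM are placeholders.

```routeros
# Added example (not from this thread). Placeholders: <HOME_PRIVATE_KEY>,
# <CHR_PUBLIC_KEY>, <EC2_PUBLIC_IP>, 10.255.0.0/30, 192.168.88.10/.11.

# 1. WireGuard interface on the home router. MTU 1420 leaves room for the
#    WireGuard/UDP/IP overhead inside a 1500-byte uplink, avoiding fragmentation.
/interface wireguard add name=wg-aws mtu=1420 listen-port=13231 \
    private-key="<HOME_PRIVATE_KEY>"

# 2. Peer = the CHR on EC2 (the side with the public IP). persistent-keepalive
#    keeps the home NAT mapping open so return traffic from EC2 still arrives.
/interface wireguard peers add interface=wg-aws public-key="<CHR_PUBLIC_KEY>" \
    endpoint-address=<EC2_PUBLIC_IP> endpoint-port=13231 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 3. Tunnel transfer address (placeholder /30; CHR side would hold 10.255.0.1).
/ip address add address=10.255.0.2/30 interface=wg-aws

# 4. Separate routing table with a default route over the tunnel. Only traffic
#    carrying the routing mark uses it; everything else keeps the ISP route.
/routing table add name=via-aws fib
/ip route add dst-address=0.0.0.0/0 gateway=wg-aws routing-table=via-aws

# 5. Policy routing for the game server and Windows VM (placeholder LAN IPs).
#    FastTrack must not apply to these connections: fasttracked packets bypass mangle.
/ip firewall mangle add chain=prerouting src-address=192.168.88.10 \
    action=mark-routing new-routing-mark=via-aws passthrough=no \
    comment="game server via AWS"
/ip firewall mangle add chain=prerouting src-address=192.168.88.11 \
    action=mark-routing new-routing-mark=via-aws passthrough=no \
    comment="Windows VM via AWS"

# 6. Clamp TCP MSS to the tunnel path MTU so TCP speedtests are not fragmented.
/ip firewall mangle add chain=forward out-interface=wg-aws protocol=tcp \
    tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 7. Hide LAN sources behind the tunnel address, so the CHR only needs
#    allowed-address=10.255.0.2/32 for this peer plus its own srcnat to the internet.
/ip firewall nat add chain=srcnat out-interface=wg-aws action=masquerade

# 8. Let ICMP in so path MTU discovery works (mirror this in the EC2 security group).
/ip firewall filter add chain=input protocol=icmp action=accept place-before=0
```

The CHR side mirrors steps 1 to 3 with its own keys, no endpoint (it waits for the NATed home router to connect) and a masquerade rule toward its public interface.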

Actually 20Mb is about the upper bound for all encrypting tunnels on the 2011. Only plain tunnels (GRE, IPIP) without encryption exceed that.

What do I need to do?

Buy a new router. E.g. an RB5009.

Do you mean that with a new RB5009 router, over the SSTP client VPN I have established, I will get full speed from AWS?