Hello kind Sirs and Ladies,
again I come to you with problems arising from my limited understanding of the workings of RouterOS and computers in general.
I put RouterOS on my VPS and configured it as a VPN server with IPsec ike2.
I followed a tutorial by Nikita Tarikin and so far it went great.
Problem is: I get painfully slow throughput while using the VPN. Like it gets down from 50Mbit/s to just below 1Mbit/s and I just think that can’t be right.
Especially since I had the VPS running Ubuntu with strongSwan before, using a similar setup, and got about the same speed as without the VPN.
I would really like to use RouterOS though, to continue to deepen my understanding of its miraculous workings.
This is my current configuration, chr.server on xx.xx.xx.xx is my VPS here:
# apr/16/2020 17:56:38 by RouterOS 6.46.5
# software id =
#
#
#
/interface bridge
add name=bridge-loopback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge-loopback list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.0.88.1/24 interface=bridge-loopback network=10.0.88.0
/ip pool
add name="pool vpn.chr.server" ranges=\
10.0.88.2-10.0.88.254
/ip ipsec mode-config
add address-pool="pool vpn.chr.server" \
address-prefix-length=32 name=\
"modeconf vpn.chr.server" split-include=0.0.0.0/0 \
static-dns=10.0.88.1 system-dns=no
/ip ipsec policy group
add name="group vpn.chr.server"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name="profile vpn.chr.server"
/ip ipsec peer
add exchange-mode=ike2 local-address=xx.xx.xx.xx name="peer xx.xx.xx.xx" \
passive=yes profile="profile vpn.chr.server"
/ip ipsec proposal
add auth-algorithms=sha256,sha1 lifetime=8h name=\
"proposal vpn.chr.server" pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=\
vpn.chr.server generate-policy=port-strict \
match-by=certificate mode-config=\
"modeconf vpn.chr.server" peer="peer xx.xx.xx.xx" \
policy-template-group="group vpn.chr.server" \
remote-certificate=client1@vpn.chr.server remote-id=\
user-fqdn:client1@vpn.chr.server
/ip ipsec policy
add dst-address=10.0.88.0/24 group=\
"group vpn.chr.server" proposal=\
"proposal vpn.chr.server" src-address=0.0.0.0/0 \
template=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept winbox from WAN" dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"Allow UDP 500,4500 IPSec for xx.xx.xx.xx" dst-address=xx.xx.xx.xx \
dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp for xx.xx.xx.xx" \
dst-address=xx.xx.xx.xx protocol=ipsec-esp
add action=accept chain=input comment=\
"IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to CHR" ipsec-policy=\
in,ipsec src-address=10.0.88.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=\
"IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network" \
dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment=\
"SRC-NAT IKE2:10.0.88.0/24 --> ether1 traffic" out-interface=ether1 \
src-address=10.0.88.0/24 to-addresses=xx.xx.xx.xx
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from VPN-client to ANY" ipsec-policy=in,ipsec \
new-mss=1360 passthrough=yes protocol=tcp src-address=10.0.88.0/24 \
tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from ANY to VPN-client" dst-address=10.0.88.0/24 \
ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=!0-1360
So if anyone could point me to where I went wrong, that would be much appreciated.
Thank you very much in advance and have a good day!
EDIT: readability
EDIT2: The input rule for esp shows no sent or received packets. Looks suspicious.
EDIT3: SOLVED! Mr. Tarikin pointed out to me that for traffic to go above 1Mbps on CHR an active Licence is required. With a Licence active, everything works as expected!
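For anyone troubleshooting the same symptom, the following diagnostic script is an added example, not part of the original post or of Nikita Tarikin's tutorial. Run from a RouterOS terminal on the CHR, it prints the licence level (the free CHR level is what capped throughput at 1Mbit/s here), the number of active IKEv2 peers and installed SAs, and the packet counters on the IPsec input rules. It assumes the rule comments from the export above (both contain "IPSec"); adjust the comment match if yours differ.

```routeros
# Added diagnostic script (example, not from the original post).
# Assumes the firewall rule comments used in the posted export.

# 1. CHR licence level: the "free" level limits throughput to 1Mbit/s.
:local lvl [/system license get level]
:put ("CHR licence level: " . $lvl)
:if ($lvl = "free") do={
    :put "NOTE: free CHR licence caps throughput at 1Mbit/s; an active licence is required for more"
}

# 2. Tunnel state: zero active peers or installed SAs means no tunnel is up.
:put ("Active IKEv2 peers: " . [:len [/ip ipsec active-peers find]])
:put ("Installed SAs:      " . [:len [/ip ipsec installed-sa find]])

# 3. Packet counters on the IPsec input rules. With NAT traversal the ESP
#    payload is carried inside UDP/4500, so the plain ipsec-esp rule staying
#    at zero packets is expected and not a fault by itself.
:foreach r in=[/ip firewall filter find where chain=input and comment~"IPSec"] do={
    :put ([/ip firewall filter get $r comment] . " -> packets=" . \
        [/ip firewall filter get $r packets])
}
```

The licence check comes first because, as EDIT3 shows, it explains the 1Mbps ceiling on its own; the SA and counter checks separate "licence-limited" from "tunnel not established", which are the two cases that look alike from the client side.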