VPN Performance degradation due to MTU/MSS (PureVPN, BolehVPN)

Hi All,

I experience the same issue with both PureVPN and BolehVPN, both with SSTP and L2TP.
I set up the VPN connection according to the guide (e.g. https://support.purevpn.com/mikrotik-sstp).
Then some websites don’t load, they just hang (e.g. speedtest.net, filmbuzi.hu).
After some investigation, I came across this page: http://www.marcinszymanski.pl/blog/configuring-vpn-on-mikrotik-routeros-part-1-purevpn/
I have also contacted PureVPN support to acquire the correct MTU and MSS values. I configured the MTU and MSS values (MTU=1400, MSS=1360).
All pages load now, however I can only reach 30 Mbps download speed. If I connect from the desktop client, I can reach 100 Mbps. I experience the same issue with SSTP and L2TP, both with PureVPN and BolehVPN, so it has something to do with the router.

Can anybody help out with this issue please?

Thanks

Oh, tiny router. How art thou’s CPU? So small in comparison to thee’s? My mighty Intel i7 can outpace you? How unfair. Ye must feel most betrayed.

I’m going to go out on a limb and say you are capping out the CPU on your MikroTik. Which product do you have, and during a prolonged speedtest, if you look at system resources, do you see the CPU spiking?

Hi idlemind,

Thanks for your reply. I tested it and you are indeed right. My i7 utilisation peaks during the speed test. I have the hAP ac model. Since I’m a bit of a noob here, my next question is: what type of VPN (other than PPTP) should I use that is more gentle on the CPU?

The hAP AC has no hardware crypto offload, so performance will be roughly the same regardless of protocol.

Ah, that’s a bummer. Can you recommend any router below £200 which does have hardware crypto acceleration?

The MikroTik RB750Gr3 (hEX 3) has hardware crypto, but it does not have WiFi.
You can keep the hAP AC for the WiFi function.

Thanks pe1chl,

The MikroTik RB750Gr3 (hEX 3) says it has “IPsec Hardware encryption”. Does it apply to SSTP?

I don’t think so. But nobody looking for performance or stability would use SSTP anyway.
SSTP is a VPN over TCP. Those all suck.

So what connection type do you recommend? L2TP/IPSec?

It depends what you want. This is certainly a good solution for many purposes. But you can also use IPIP/IPsec, GRE/IPsec etc.
(when you want to link two networks that each have a router)

I just want to use a VPN to anonymise my traffic (hence using PureVPN), but I’d like it to be fast.

The latest hEX is going to be the fastest item in the under $100 range regardless of protocol, in part because it for sure accelerates IPSec. Which crypto algorithms in particular, I’m not certain. It also has a stronger CPU than the other small MikroTik platforms, so for protocols that are punted to the CPU it will likely perform better.

An alternative is to load a CHR and buy a license for it. You can then run it on a beefy server CPU. You may find more performance there.

I’d grab one and see how it goes. My Internet here is limited to 30 mbps down otherwise I could offer to test for you as I have a hEX.

I use Pure and Nord. I never had a page loading issue, nor have I ever tampered with the MTU/MSS settings. :confused:

Hi szaa, are you from Malaysia, since you mentioned BolehVPN?

Anyway, I am also having a problem with slow VPN speed with PPTP and being unable to load pages like you mentioned. Fiddling around with MTU gets me to load some pages, but it is super slow, and changing MSS does not help a lot either. MTU 1400 with MSS 1360. How are you able to get 30mbps? I am like always stuck at 2-3mbps.

My router is a hEX 750Gr3 and I have tried with PureVPN, Nord, and Vypr…