jaceqp123
newbie
Topic Author
Posts: 25
Joined: Wed Mar 01, 2017 4:42 pm

SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 11:35 am

Hi there.
I have an SSTP VPN set up on an RB2011xxx for RDP purposes.

What I've noticed is that RDP responsiveness is really poor via the SSTP protocol compared to PPTP. It feels like a way worse remote desktop screen refresh rate or something. Let's say scrolling a document file on RDP is pretty smooth on PPTP, and "glitchy" while on SSTP.
The RB's CPU usage is not exceeding 10%, and I'm testing it with a single connected VPN client. Overall internet bandwidth shouldn't be a problem (I guess) since PPTP works well enough (unless SSTP takes way more data). Compression on/off has no noticeable impact on performance...

SSTP profile setup:
name="VPN_sstp" local-address=xxxxx remote-address=VPN_pool(xxxx) bridge-learning=default use-mpls=no 
     use-compression=yes use-encryption=required only-one=default change-tcp-mss=default use-upnp=no address-list="" 
     dns-server=xxxxxx on-up=:local CallerID $"caller-id";\r\n:delay 3s;\r\n/ip firewall address-list remove 
      numbers=[/ip firewall address-list find where address=$CallerID]; 
     on-down="" 
CA Cert parameters:
KEY TYPE: RSA
KEY SIZE: 4096
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 2:37 pm

RB2011 is an old design (10 years old as you can see from the type number) that does not offer any encryption acceleration.
Even a tiny RB750Gr3 will outperform it. And of course also the newer types like RB3011, RB4011, hAP AC3, etc.

However, that might not be your problem in this case. Poor performance can also be caused by MTU issues.
Try adding this to your configuration:
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
Then try to connect again.
 
jaceqp123
newbie
Topic Author
Posts: 25
Joined: Wed Mar 01, 2017 4:42 pm

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 2:58 pm

Just a quick info: I'm also running the same RB (2011UiAS) on another site with 10-15 SSTP clients simultaneously on average without lagging. Perhaps the only difference is better ul/dl bandwidth from the ISP.
Currently investigated location has up to 60Mbit/8Mbit WAN connection.
Last edited by jaceqp123 on Fri Jul 02, 2021 4:27 pm, edited 1 time in total.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 3:46 pm

SSTP and PPTP both use PPP underneath. There is a slightly greater overhead in the TLS encapsulation used by SSTP compared with GRE used by PPTP, but it could be network congestion triggering TCP-in-TCP meltdown - this is a fundamental issue with TCP-based VPNs.

As SSTP and the Mikrotik OpenVPN implementation use TCP, using something IPsec-based would be best. Whilst PPTP doesn't suffer from the TCP-in-TCP issue, MSCHAPv2 authentication and MPPE encryption are woefully insecure and should be avoided.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 4:01 pm

SSTP is TCP over TCP, so you're not going to see the same level of throughput and responsiveness as a VPN protocol that's based on UDP, GRE, etc.

We've found L2TP with ipsec to be one of the better performing VPN protocols if you want a similar design to an SSTP server.
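
The timer interaction behind the TCP-in-TCP point raised in the two posts above, as an added example that is not part of the thread: a simplified Python model of one inner segment whose carrier packet is lost several times in a row, first over a TCP tunnel such as SSTP and then over a datagram tunnel. The function names and timer values are constructed for illustration.

```python
# Added illustration: simplified model of retransmission-timer stacking.
# Timer values are constructed; real stacks also use fast retransmit and
# congestion windows, which this model leaves out.

def backoff_sum(rto_ms, timeouts):
    """Total wait after `timeouts` expiries of a timer that doubles each time."""
    return sum(rto_ms * 2 ** i for i in range(timeouts))

def inner_expiries(stall_ms, inner_rto_ms):
    """How often the inner (e.g. RDP) TCP timer fires while the tunnel is stalled."""
    fired, elapsed, rto = 0, 0, inner_rto_ms
    while elapsed + rto <= stall_ms:
        elapsed += rto
        rto *= 2
        fired += 1
    return fired

def simulate(transport, losses, outer_rto_ms=200, inner_rto_ms=300):
    """One inner segment whose carrier packet is lost `losses` times in a row.

    transport="tcp":      the tunnel retransmits reliably (SSTP-style).
    transport="datagram": the tunnel drops silently (GRE/UDP/ESP-style).
    """
    if transport == "tcp":
        # The outer TCP recovers the packet itself, but only after its own backoff.
        stall = backoff_sum(outer_rto_ms, losses)
        # The inner TCP cannot see that: each expiry queues a needless copy
        # behind the stalled segment, and each copy needs at least one send.
        spurious = inner_expiries(stall, inner_rto_ms)
        return {"recovery_ms": stall, "spurious_copies": spurious,
                "wire_segments": 1 + losses + spurious}
    if transport == "datagram":
        # Only the inner TCP retransmits, and every retransmission is needed.
        return {"recovery_ms": backoff_sum(inner_rto_ms, losses),
                "spurious_copies": 0, "wire_segments": 1 + losses}
    raise ValueError("transport must be 'tcp' or 'datagram'")

if __name__ == "__main__":
    for kind in ("tcp", "datagram"):
        print(kind, simulate(kind, losses=3))
```

In this model the extra load on the TCP tunnel comes entirely from `spurious_copies`, which grows with the length of the loss burst while the datagram tunnel never carries a redundant segment.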
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 4:22 pm

Yes, L2TP/IPsec is certainly a much better option than SSTP or even PPTP.
 
jaceqp123
newbie
Topic Author
Posts: 25
Joined: Wed Mar 01, 2017 4:42 pm

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 4:37 pm

> We've found L2TP with ipsec to be one of the better performing VPN protocols if you want a similar design to an SSTP server.

I'd love to stay with L2TP+IPsec, however (regional/overall ISP issue?) I had plenty of issues connecting via L2TP+IPsec on the client side. Perhaps some NAT'ing issues on the ISP side etc. I've also noticed issues connecting more than one client sharing the same internet source. None of those issues were detected on SSTP (and PPTP btw, but that one is a no-go for security reasons).
From my experience mobile network ISPs were the least problematic using L2TP/IPsec. On the other hand many cable network ISPs = X_x
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: SSTP vs PPTP poor RDP responsiveness

Fri Jul 02, 2021 4:53 pm

And that's definitely the tradeoff. SSTP is way cleaner for NAT traversal and is hard to block since it's TCP/443.

We designed and built an SSTP HA VPN headend using CHRs for several thousand endpoints. It would then dynamically build BGP peerings using scripts to advertise the subnets at the remote locations. The main goal was designing around NAT traversal and locations that attempt to block VPN usage.

One of the engineers on our European team gave a MUM presentation on that design here:

https://mum.mikrotik.com/presentations/ ... 918854.pdf
