Community discussions

MikroTik App
 
Wyz4k
Member Candidate
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Dismal OVPN performance

Thu Jun 23, 2022 4:11 pm

Hi everyone,

I'm keen for some input on why I'm getting such dismal OVPN throughput.

I'm running ROS 6.48.6 on both routers. The two routers are about 10,000km apart.
One router is an RB1100AHx2 and the other one is an RB1100AHx4.

According to the https://wiki.mikrotik.com/wiki/Manual:IP/IPsec page both routers have quite a bit of hardware support for encryption.

My server is configured to use sha1 as auth and aes 256 as Cipher.

I've got a couple of questions:
1. does ovpn actually use the hardware acceleration, or do I need to use IPSEC?
2. when the cipher says aes 256 is that aes-cbc, aes-ctr, or aes-gcm?

I haven't upgraded to ROS 7 yet which will hopefully unlock UDP OVPN as well which may help, but so far I haven't had much luck with stability on ROS 7.

https://ibb.co/FYghvkd
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Dismal OVPN performance

Thu Jun 23, 2022 4:41 pm

OpenVPN on RouterOS v6 always uses TCP transport and it will be affected a lot by long RTT (long distance).
It also does not use hardware acceleration.
It will likely work better when you use IPsec instead of OpenVPN.
 
Wyz4k
Member Candidate
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Dismal OVPN performance

Fri Jun 24, 2022 4:51 am

I was able to eak out a little bit more performance on the link by forcing a 250 packet pfifo buffer on both sides of the connection. But this is only viable on router - router connections.
 
Wyz4k
Member Candidate
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Dismal OVPN performance

Fri Jun 24, 2022 4:52 am

OpenVPN on RouterOS v6 always uses TCP transport and it will be affected a lot by long RTT (long distance).
It also does not use hardware acceleration.
It will likely work better when you use IPsec instead of OpenVPN.
Thanks for that. If it really doesn't use hardware acceleration as you mention that's a major pain.

Converting to IPSEC is easy enough if it was just router-router but as we've got 40+ clients connecting to it as well going IPSEC is a pain.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Dismal OVPN performance

Fri Jun 24, 2022 11:05 am

Having 40+ OVPN clients on a MikroTik router will be a pain no matter what...
OVPN really is the stepchild at MikroTik, even more so on v6 than on v7.
But do not blindly upgrade to v7 just in an attempt to fix that! Prepare (test) before you do that.

I am normally using L2TP/IPsec for "troublefree clients"... today you could also consider IKEv2 IPsec (when your clients support it).
 
Wyz4k
Member Candidate
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: Dismal OVPN performance

Fri Jun 24, 2022 1:20 pm

Fortunately most users aren't on at the same time, but there are regular complaints about VPN performance which is not great.

I've just upgraded my home routers to ROS 7.3.1 which took a lot of effort due to space restrictions. I'll monitor for stability on them over the next few weeks before starting to upgrade the office ones.

I like that the ovpn client connections now show "Hw. Crypto" in the status bar. That's promising.

Thanks for the tips.

Who is online

Users browsing this forum: worm and 67 guests