Community discussions

MikroTik App
 
anv
just joined
Topic Author
Posts: 23
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

OpenVPN sloooow

Tue Mar 05, 2019 6:06 pm

I am using openvpn to connect one mikrotik to another.
Documentation says it is faster than l2tp, but with the same routers, l2tp is 10 times faster than openvpn 200Mbit with l2tp, 20Mbit with openvpn). Same config, some firewall rules, same ip profile on the server, just disconnecting from one and connecting to the other.

By the way (one router is behind a nat and I was unable to use l2tp+ipsec), this is why I want to use openvpn that, I thin, will be moer secure than plain l2tp.

Openvpn server is RB1100AHx2 fw version 6.44 (stable)
Client is RB2011UiAS-2HnD fw version 6.44 (stable)
 
ksteink
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Thu Mar 31, 2016 6:54 pm

Re: OpenVPN sloooow

Tue Mar 05, 2019 6:15 pm

Mikrotik's implementation of OpenVPN simple sucks. They don't support UDP transport (only TCP) which creates problems for performance on tunnels (See this link for further information: https://openvpn.net/faq/what-is-tcp-meltdown/) and the lack of UDP support has been a looong request feature from the community to Mikrotik without any successful resolution. In top of that you need to consider that even assuming there is no TCP issues any VPN protocol needs to support Hardware Acceleration in their code.

That will avoid you to overload the router CPU and off-load this heavy task to a dedicated processor that will handle that. So depending on your Router Model may or may not have this external encryption processor. To add more spice to this even if your router supports Hardware Acceleration for encryption I have not seeing that those are supported on the OVPN code inside of RouterOS.

IPSec is the only supported HW acceleration protocol for routers that has this feature.

I deployed my networks originally with OVPN but over a 25 Mbps link I got 2 Mbps of throughput with constant disconnections (every hour) specially for Client to Site VPN connections. I have switched to L2TP / IPSec and I got a lot more better performance (15 Mbps) even without having a HW acceleration chip but I have noticed my router CPU spikes to 90% on some transfers.

I recommend you to switch to L2TP / IPSec or IPSec with IKEv2 to overcome this limitation with OVPN until Mikrotik finally fixes this issue with OVPN (if ever they do this). For L2TP / IPSec I use MRU and MTU of 1420 bytes instead of 1460 bytes (Default) and I got better performance.

Good luck with your setup.
 
wpeople
Member
Member
Posts: 358
Joined: Sat May 26, 2007 6:36 pm

Re: OpenVPN sloooow

Tue Mar 12, 2019 2:49 pm

by default, OpenVPN uses pfifo type queue, with queue size ~50packets.
Make your openvpn interface static (if the link comes up, do copy and rename it).
Now you have an interface, where you can change interface queue.

Make a new queue type called openvpn-default, with type pfifo and size ~250
set this queue type for openvpn interface.

After doing this, speed is much increased.
Keep in mind: do that for both sides, unless doing it, the speed will slow in that direction.

Other way is setting queue size for "default" queue to 250. (on both sides)

Please refer if that helps.
 
anv
just joined
Topic Author
Posts: 23
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Re: OpenVPN sloooow

Tue Mar 19, 2019 9:54 am


After doing this, speed is much increased.
Keep in mind: do that for both sides, unless doing it, the speed will slow in that direction.

Other way is setting queue size for "default" queue to 250. (on both sides)

Please refer if that helps.
I'm trying this.
I set up a new queue in the client with 250 packets and selected this queue for the openvpn interface. But in the srever side, there is one interface per client with "only hardware queue". The only way for changing queue for openvpn it is modifying the prfile for the clients then I selected the new queue in the profile of the server. The speed is the same as before (about 20/30mbits). But in the interface queue the list indicates only-hardware-queue for each of the clients and cannot be changed.
 
wpeople
Member
Member
Posts: 358
Joined: Sat May 26, 2007 6:36 pm

Re: OpenVPN sloooow

Tue Mar 19, 2019 1:02 pm


After doing this, speed is much increased.
Keep in mind: do that for both sides, unless doing it, the speed will slow in that direction.

Other way is setting queue size for "default" queue to 250. (on both sides)

Please refer if that helps.
I'm trying this.
I set up a new queue in the client with 250 packets and selected this queue for the openvpn interface. But in the srever side, there is one interface per client with "only hardware queue". The only way for changing queue for openvpn it is modifying the prfile for the clients then I selected the new queue in the profile of the server. The speed is the same as before (about 20/30mbits). But in the interface queue the list indicates only-hardware-queue for each of the clients and cannot be changed.
It definitely CAN be changed.
When the client connects to server, it will have a dynamic (D) interface. Yes, you cannot change queue type for a dynamic interface.
BUT you can copy that dynamic interface. Once reconnect, the static (copied) interface would be used, and you can change the interface for that.
 
Mjoelner
just joined
Posts: 2
Joined: Wed Mar 20, 2019 4:28 pm

Re: OpenVPN sloooow

Thu Mar 21, 2019 11:09 am

Hello,

I am also a OpenVPN user, but new to MikroTik and MikroTik OpenVPN. Sorry for hijacking the thread, but facing buffer issue(I think) and also slow speed.

Using clients with OpenVPN to connect to inside network, and have troubles sending big packed out and back to client. Inside network it works fine, but the OpenVPN fails above 34000'ish bytes
From Client "ping 172.16.210.40 -n 1 -4 -l 32000" works, but "ping 172.16.210.40 -n 1 -4 -l 35000" fails.

In wireshark I can see it stops after 23 fragments and cannot reassemble it of cause.

Please be nice, I am new to MikroTik, but tried to fix it by creating new pfifo que of 500 parcels on "/webfig/#Queues.Queue_Types" and then use that config in "Que Type" on page "/webfig/#PPP.Profiles.1" which is my OpenVPN profile. However it does not change anything, after I reconnect the OpenVPN connection. Does this not fix/change the que buffer?
 
wpeople
Member
Member
Posts: 358
Joined: Sat May 26, 2007 6:36 pm

Re: OpenVPN sloooow

Thu Mar 21, 2019 1:05 pm

Hello,

I am also a OpenVPN user, but new to MikroTik and MikroTik OpenVPN. Sorry for hijacking the thread, but facing buffer issue(I think) and also slow speed.

Using clients with OpenVPN to connect to inside network, and have troubles sending big packed out and back to client. Inside network it works fine, but the OpenVPN fails above 34000'ish bytes
From Client "ping 172.16.210.40 -n 1 -4 -l 32000" works, but "ping 172.16.210.40 -n 1 -4 -l 35000" fails.

In wireshark I can see it stops after 23 fragments and cannot reassemble it of cause.

Please be nice, I am new to MikroTik, but tried to fix it by creating new pfifo que of 500 parcels on "/webfig/#Queues.Queue_Types" and then use that config in "Que Type" on page "/webfig/#PPP.Profiles.1" which is my OpenVPN profile. However it does not change anything, after I reconnect the OpenVPN connection. Does this not fix/change the que buffer?
I'm sorry, but i dont really undestand what you want to do.
Ethernet frames usually 1500bytes. OpenVPN can tunnel 1500byte frames even on 1450byte PPPoE connection with fragmentation and reassemble.
a single package should not be bigger than 1500byte.

I'm sorry about WebFig, i don't use it at all. Use CLI or Winbox instead.
 
Mjoelner
just joined
Posts: 2
Joined: Wed Mar 20, 2019 4:28 pm

Re: OpenVPN sloooow

Thu Mar 21, 2019 5:13 pm

Hello,

Thanks for the fast reply!

Trying to send big frames or packets which of cause gets fragmented.
I was thinking it was buffer related, why I wanted to change the que size. The webfig states the pfifo que is in packets, but 35000 bytes is less than 50 packets which is default que size. Setting it 500 did not change anything either.

Big parcels gets fragmented of cause - but it fails above 34000'ish bytes. Se below - have also attached the overview from wireshark from the command below.
λ ping 172.16.210.40 -n 1 -4 -l 32000 && ping 172.16.210.40 -n 1 -4 -l 35000
Pinging 172.16.210.40 with 32000 bytes of data:
Reply from 172.16.210.40: bytes=32000 time=13ms TTL=64

Ping statistics for 172.16.210.40:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 13ms, Average = 13ms

Pinging 172.16.210.40 with 35000 bytes of data:
Request timed out.

Ping statistics for 172.16.210.40:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Regarding fragmentations and max single packet size - forcing no fragmentations gives a limit on 1472 bytes, it looks like.
λ ping 172.16.210.40 -n 1 -4 -l 1472 -f && ping 172.16.210.40 -n 1 -4 -l 1474 -f

Pinging 172.16.210.40 with 1472 bytes of data:
Reply from 172.16.210.40: bytes=1472 time=1ms TTL=64

Ping statistics for 172.16.210.40:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

Pinging 172.16.210.40 with 1474 bytes of data:
Packet needs to be fragmented but DF set.

Ping statistics for 172.16.210.40:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Big packet also fails on the ping to the router, not only towards device, but works on the OpenVPN (tap) adaptor itself.
λ ping 172.16.210.220 -n 1 -4 -l 65500 && ping 172.16.210.1 -n 1 -4 -l 65500

Pinging 172.16.210.220 with 65500 bytes of data:
Reply from 172.16.210.220: bytes=65500 time<1ms TTL=128

Ping statistics for 172.16.210.220:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 172.16.210.1 with 65500 bytes of data:
Request timed out.

Ping statistics for 172.16.210.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
You do not have the required permissions to view the files attached to this post.
 
wpeople
Member
Member
Posts: 358
Joined: Sat May 26, 2007 6:36 pm

Re: OpenVPN sloooow

Thu Mar 21, 2019 6:51 pm

Mjoelner, i don't really got the point why you want to push 30K sized ICMP packets...

TCP and UDP frames will not be sized bigger than 1500bytes as they live you NIC, and OpenVPN will deal with those packets.
Yes, thruput will be slower than using like 1350-1400byte tunnel MTU (where OpenVPN dont have to deal with refragment)

Also using EoIP, what can push hundreds of mbps in a tunnel with proper frame size and very limited using bigger frame size.
(like 300mbps vs 20mbps)

For application using TCP can discuss MTU (or it can be forced) - but what happens with UDP frames?
 
aeiouy
just joined
Posts: 2
Joined: Sun Jan 19, 2020 3:50 pm

Re: OpenVPN sloooow

Sun Jan 19, 2020 4:15 pm

by default, OpenVPN uses pfifo type queue, with queue size ~50packets.
Make your openvpn interface static (if the link comes up, do copy and rename it).
Now you have an interface, where you can change interface queue.

Make a new queue type called openvpn-default, with type pfifo and size ~250
set this queue type for openvpn interface.

After doing this, speed is much increased.
Keep in mind: do that for both sides, unless doing it, the speed will slow in that direction.

Other way is setting queue size for "default" queue to 250. (on both sides)

Please refer if that helps.
THANK YOU!!!

I was looking for solution of slow Site to site VPN over a year and after above instructions Openvpn site to site works much faster (sometimes with max speed).

My site 1 600/100 Mbps
site 2 600/60 Mbps
With queue ~50 packages maximum speed what I have received was maximum 4 Mbps (average ~355KB/s) on OpenVPN.
It was very slow for me, specially that I chooses new 4011 Mikrotik device after Internet upgrade, because previous router was too slow. After upgrade to Mikrotik VPN was slower, than on previous TP-link with OpenWRT.

Now speed act like a wave from speed 20 up to 121Mbps, but average speed is awesome -> ~50Mbps.

Thank YOU!
Regards
You do not have the required permissions to view the files attached to this post.
Last edited by aeiouy on Sun Jan 19, 2020 4:32 pm, edited 1 time in total.
 
akarpas
Member Candidate
Member Candidate
Posts: 118
Joined: Tue Mar 20, 2018 4:46 pm

Re: OpenVPN sloooow

Sun Jul 19, 2020 11:40 pm

by default, OpenVPN uses pfifo type queue, with queue size ~50packets.
Make your openvpn interface static (if the link comes up, do copy and rename it).
Now you have an interface, where you can change interface queue.

Make a new queue type called openvpn-default, with type pfifo and size ~250
set this queue type for openvpn interface.

After doing this, speed is much increased.
Keep in mind: do that for both sides, unless doing it, the speed will slow in that direction.

Other way is setting queue size for "default" queue to 250. (on both sides)

Please refer if that helps.
THANK YOU!!!

I was looking for solution of slow Site to site VPN over a year and after above instructions Openvpn site to site works much faster (sometimes with max speed).

My site 1 600/100 Mbps
site 2 600/60 Mbps
With queue ~50 packages maximum speed what I have received was maximum 4 Mbps (average ~355KB/s) on OpenVPN.
It was very slow for me, specially that I chooses new 4011 Mikrotik device after Internet upgrade, because previous router was too slow. After upgrade to Mikrotik VPN was slower, than on previous TP-link with OpenWRT.

Now speed act like a wave from speed 20 up to 121Mbps, but average speed is awesome -> ~50Mbps.

Thank YOU!
Regards
Hi,
How did you manage to do this, as I may create a new queue based on connection and speed is increased to accepted level but once I disconnect from the VPN queue is broken and next time you reconnect you have to re-setup queue. Tried to do via profile settings but by default, OpenVPN is tided to only-hardware-queue type and cannot be changed

Who is online

Users browsing this forum: brianahona, eworm, packet1524 and 107 guests