[HELP] VPN Throughput Variance

After I set up a VPN on my router, I encountered an issue:
Compared with the bandwidth I get through the VPN when I connect from my PC, the bandwidth I get through the same server when it is connected from the router is almost 10 times slower.


What kind of VPN, which router, what is your ISP upstream/downstream bandwidth, and what bandwidth are you seeing?

First thought is that you're CPU limited on the router.

Router: Xiaomi Mi 3G, LuCI reports about 5% CPU load.
VPN: Windscribe VPN, UDP, Various ports, Various servers
ISP: 100Mbps Up/Down
VPN Bandwidth:

  • From PC: 50-80 Mbps (depending on the server)
  • From Router: 5-15 Mbps (on the same server+port combination)

Was your 5% load measured while doing a speed test or similar over the VPN? Because I'm guessing probably not; VPN requires considerable CPU.

Yes, it was measured during heavy load (downloading a large game on Steam).

I'm not sure why a VPN would be especially CPU intensive though. It's just a couple of additional records in a routing table and a quick LZO compression.
Also, this router has quite beefy hardware, so 5% usage is a considerable load in comparison to the idle.

Well, most people use encryption on their VPN but if yours is only compression, then that's a different story. Encryption takes a considerable amount of CPU, unless hardware encryption chips / instructions are available, and the software uses them.

Yeah, I kinda forgot about encrypting the traffic. Anyway, that is still beside the point of this thread and my issue at large.
The highest CPU usage I have seen was at 15%. That's still quite a long way from being the bottleneck of such magnitude.

Rather than look at percentage used, look at percentage idle; used may be in userland and not including softirq, io, kernel threads etc. What is percent idle during a large VPN transfer?
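Added example, not part of the original thread: one way to get the idle figure asked about above, broken down per core and with irq/softirq time shown separately, by comparing two saved copies of /proc/stat. The function name cpu_breakdown and the sample counters are constructed for illustration; the field order is the standard Linux /proc/stat layout.

```sh
#!/bin/sh
# cpu_breakdown BEFORE AFTER
# Compares two saved copies of /proc/stat and prints, for each CPU line, the
# share of elapsed ticks spent idle (incl. iowait), in user space, in the
# kernel, and in irq+softirq. A busy core can hide behind the "cpu" average.
cpu_breakdown() {
    awk '
    # Linux /proc/stat: name user nice system idle iowait irq softirq steal ...
    /^cpu[0-9]* / {
        total = 0
        for (i = 2; i <= 9 && i <= NF; i++) total += $i  # guest is already in user
        if (NR == FNR) {                 # first snapshot: store the baseline
            t0[$1] = total; idle0[$1] = $5 + $6
            user0[$1] = $2 + $3; sys0[$1] = $4; irq0[$1] = $7 + $8
            next
        }
        dt = total - t0[$1]
        if (dt <= 0) next                # no ticks elapsed for this CPU
        printf "%s idle=%d user=%d sys=%d irq=%d\n", $1,
            100 * ($5 + $6 - idle0[$1]) / dt,
            100 * ($2 + $3 - user0[$1]) / dt,
            100 * ($4 - sys0[$1]) / dt,
            100 * ($7 + $8 - irq0[$1]) / dt
    }' "$1" "$2"
}

# Constructed counters (not from the thread): 1000 ticks elapse on each core.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before" <<'EOF'
cpu  1000 0 500 8000 0 0 500 0 0 0
cpu0 500 0 250 4000 0 0 250 0 0 0
cpu1 500 0 250 4000 0 0 250 0 0 0
EOF
cat > "$tmp/after" <<'EOF'
cpu  1120 0 730 8950 0 0 1200 0 0 0
cpu0 600 0 450 4050 0 0 900 0 0 0
cpu1 520 0 280 4900 0 0 300 0 0 0
EOF
cpu_breakdown "$tmp/before" "$tmp/after"
```

On the router, the two inputs would be copies of /proc/stat saved about ten seconds apart while the VPN transfer is running. In the constructed sample the aggregate line shows 47% idle while cpu0 is only 5% idle, with most of its time in irq/softirq.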

Here's a snip of Top during speedtest.

So idle is plenty large. I don't think you're maxing CPU. Are you running SQM?

Unless it's something that's running by default on LEDE, no, I don't.

I can think of a few reasons why a VPN connection might stall. One would be if you have a rate-limiting setup, and that's what SQM is, but you don't have that. The other might be UDP packets not being delivered, or delivered out of order, or checksums/errors or lost or delayed acknowledgement packets or stuff like that. One thing you might try is doing a packet capture on the interface and seeing if you're getting a lot of re-sent packets. Can you turn on TCP rather than UDP? That might help if lost or damaged packets are the issue.

It is rather mysterious.

What's the best way to do that?

Switching to TCP, I've seen slightly higher Download speeds, and significantly lower Upload speeds.

This is expected behavior. A PC has a multi-core processor, likely clocked >2GHz, with AES encryption processing built in, whereas the Xiaomi Mi 3G has a dual core 880 MHz CPU.

  • To demonstrate the processing difference, issue the following command on your PC and on your router, then compare.
    • openssl speed rsa

Yes, but his Mi 3G isn't getting anywhere near 0% idle according to his tests (assuming the test is working right), and also up and down are asymmetric... and UDP vs TCP makes a big difference in Upload... so something's wrong other than just CPU.

I'd expect to get maybe 20 Mbps on the Mi 3G both directions if CPU were the only issue. A PC will do about 100 without AES-NI and 300 with AES-NI.

Without configs and logs, it's nothing more than grasping at straws.

How are you doing a speedtest on your router?

Possibly it could also be MTU related... Due to tunneling, the header is not the same as without.
With OpenVPN I had very different throughputs with different MTU settings.

Good call. To test this you could manually set the MTU of the VPN interface to something like 1400, which is virtually guaranteed to be small enough to avoid this issue, and then see what happens.

Another question: is this VPN running on IPv6? Could it be lack of proper ICMPv6 for MTU discovery?


OpenVPN utilizes an entirely different MTU for its TCP packets, which are encapsulated in UDP packets since TCP cannot efficiently encapsulate itself. The interface MTU shouldn't have any effect whatsoever, as the tunnel MTU would be what would affect throughput, and since both client and server configs must echo the exact same tunnel MTU value, this is not the issue.

Again, it is pointless to attempt to troubleshoot this without @VoidChronos' configs and logs. The most likely reason there's a disparity is because of the low hardware specs on the router, but again, without logs and configs, it's pointless to try and troubleshoot this.


Try with this in your openvpn.conf:

sndbuf 524288
rcvbuf 524288

(Kinda old, but I'm still seeing it with some clients, so I push it from the server.)

Agreed that 800 MHz is hardly enough for 50 Mbps... but 10 seems low.
