OpenVPN download speed very slow

Bernd · June 7, 2019, 9:25pm

I have made an OpenVPN client connection to a VPN Service Perfect Privacy, but the OpenVPN connection is extremely slow.

Without VPN I have: 120 Mbit/s download and 10 Mbit/s upload.
With VPN I have 1,5 Mbit/s download and 9 Mbit/s upload.

Here is my configuration:

config openvpn 'PP_Amsterdam1'
	option dev 'tun0'
	option fragment '1300'
	option mssfix '1'
	option tun_ipv6 '1'
	option comp_lzo 'adaptive'
	option route_method 'exe'
	option ncp_disable '1'
	option persist_key '1'
	option persist_tun '1'
	option client '1'
	option remote_cert_tls 'server'
	option verb '4'
	option log '/var/log/openvpn.log'
	option log_append '/var/log/openvpn.log'
	option script_security '2'
	option tun_mtu '1500'
	option persist_remote_ip '1'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	option proto 'udp'
	option auth 'SHA512'
	option cipher 'AES-256-CBC'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/Amsterdam1_cl.crt'
	option key '/etc/openvpn/Amsterdam1_cl.key'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA'
	option tls_auth '/etc/openvpn/Amsterdam1_ta.key 1'
	option key_direction '1'
	option nobind '1'
	option route_delay '2'
	option ping '5'
	option ping_restart '120'
	option resolv_retry '60'
	option redirect_gateway 'def1'
	option mute_replay_warnings '1'
	option tls_timeout '5'
	option reneg_sec '3600'
	option hand_window '120'
	list remote '85.17.28.145'
	option port '1149'
	option enabled '1'

Firewall Settings:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'PP_VPN wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'PP_Firewall'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'PP_VPN'

config forwarding
	option dest 'PP_Firewall'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

Can anyone help me?

Edit: My Router is Asus RT-AC56U

Soberia · June 8, 2019, 6:18am

When downloading something check CPU usage with "top" command for a potential CPU bottleneck

Bernd · June 8, 2019, 2:24pm

I downloaded 1 GB testfile.

Here is the output of top command after 10 minutes:

Does I have CPU bottleneck?

Bernd · June 12, 2019, 12:31am

The solution is:

flash snapshot or wait for OpenWRT 19.X and use the option "OVPN configuration file upload".

system · June 22, 2019, 12:31am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.