Slow throughput with VPN servers behind OpenWrt router

I have several VPN servers (OpenVPN, L2TPA) running behind an OpenWRT router (TP-LINK Archer C7) with OpenWrt 18.06.1

If I connect from outside to these VPN servers I have a very poor throughput of about 1 MBit/s or lower. I am quite sure that I got normal speed values in the past (maybe before I upgraded from OpenWRT version 17.x, but I cannot tell exactly when it started to break).

I first thought it might be related to SQM QoS on the router but even after disabling that, I still have a very bad performance.

It is currently almost unusable that way.

If I connect directly from my internal network, everything seems to be fine.

Has anybody an idea what is happening here?

Thanks a lot!

Consumer grade routers are usually equipped with weaker CPUs to handle a VPN connection, thus, you'll see lower speeds when connecting.

If you're connecting from WAN to your router's VPN server, you're restricted to the upload speed of your ISP plan.

As to OpenVPN, you can tune your config, so please post the output of your server and client configs (within code boxes please), removing your DDNS address and port numbers.

The VPN servers do not run on my router. They are running on a Raspberry Pi 03 and a Synology NAS behind the router. The CPU load (with TOP) on my router during speed tests does not really increase and the router is still about 93-95% idle.

I see the same throughput with L2TPA connections so I do not think it is an OpenVPN issue. After disabling SQM again in the Web GUI, also running "/etc/init.d/sqm stop" and "/etc/init.d/sqm disable", and rebooting the router, the values are a bit better now.

VPN Download: about 2 Mbit/s (with Cable Upload of 5 MBit/s)
VPN Upload: about 2 MBit/s (with Cable Download of 100 MBit/s)

Although the VPN download increased a bit, it is still less than 50% of the Cable upload speed and the VPN download is far away from the Cable download speed.

So I think this is not "normal". Or do you think these values are ok and cannot be improved?

Since L2TP isn't encrypted, if you're experiencing the same throughput on it as on OpenVPN, it's your upload speed.

Your VPN upload and download speeds will always be in relation to the ISP upload speed, regardless if you're downloading/uploading over the VPN (i.e. ISP download speed will never be a factor)

So you mean, less than half of the real upload speed of my ISP is then a normal throughput which cannot be improved?

I'm not saying that's normal throughput.

If you get only ~2mbit/s, I'd reach out to your ISP. If you do get ~5mbit/s, use a mobile device to connect to your VPN (disconnect from WiFi first):

  • if it's ~2mbit/s, it would seem to imply it's the hardware
  • if it's ~5mbit/s, it's likely due to higher neighborhood upload usage when you're utilizing your VPN over WAN, especially if non-cable internet.
    • The reason why ISPs don't guarantee their upload/download speeds is because a neighborhood shares from a throughput pool that will go down in throughput as more devices in the neighborhood upload to, or download from, WAN. This is less likely to happen if your ISP is providing cable internet, however it does still occur, just with less frequency than if utilizing DSL.

If you post your OpenVPN configs, I can at least tell you what to add/modify to tune OpenVPN.

With Speedtest I do get with Desktop and Mobile Device from my local LAN / WIFI every time about 100MBit/s for Download and 5 MBit/s for Upload.

If I use Speed test from my mobile device via my mobile carrier without VPN I get about 10 MBit/s for Upload and about 13 MBit/s for Upload.

If I connect with my mobile device to my VPN servers (independent of OpenVPN or L2TP/IPSec) via my mobile carrier I do get about 2-2,5 MBit/s Download and about 2-2,5 MBit/s Upload.

If I connect my mobile to my normal Wifi network or another Wifi network which I have for my IoT devices then I do get around 100 MBit/s for Download and almost 5 MBit/s for upload.

BTW: The different Wifi networks are created by a Ubiquiti Access Point. I do not use the Wifi interface of my Openwrt router.

It appears the slow throughput when connected to your VPN is due to the hardware the VPN server is running on.

So this must then be true for both the Raspberry Pi and the Synology NAS station? Not sure if this is the case. Why is the throughput then normal if I connect from my IoT Wifi (which is on a different subnet and VLAN than the VPN servers) to both VPN servers for example?

A short search of your name tells that you are a German person. In Germany the cable internet ISPs often use DS-Lite. DS-Lite backbones of the ISPs are known to cause issues with pure VPN traffic. This is known to the ISPs. You have to contact the ISP support and tell them about the VPN slowdown and request a switch from this DS-Lite thing to normal DualStack.
There is much more information about these VPN traffic issues in the unofficial German cable forums.

PS: If somehow possible (available) for you, I highly recommend switching to a much better and stable internet connection using VDSL and 100Mbit down + 40Mbit up (17a + Vectoring without FTTB or 30a profile when FTTB). Then you can use a Lantiq XRX200 device with openwrt directly at your line and don't have to deal with closed source software networking devices running at your home that create the cable connection. I would even recommend you to switch to a 50 or 25Mbit connection and use a Lantiq xrx200 device. With the 50Mbit line you would in general have 10Mbit upload and with the 25Mbit line you would have stable 5Mbit upload like you have now.

I am not using DS-Lite nor Dual Stack on my cable internet but a pure IPv4 connection.

Unfortunately Cable internet is currently the only fast speed option I have here. But as I said before: Although I cannot prove it, I still would say that I did not have that throughput issue in the past. I cannot say if it started by upgrading from Openwrt 17 to 18 or if I changed something else in the meantime unfortunately.

Could you test that out? Backup your config and jump through some images using sysupgrade before you switch back to 18.06.1. For testing VPN speed this should be really easy and doable in just a few minutes.

BTW: I cannot recommend using the outdated OpenVPN/Cisco vpn. If not already using it, I highly recommend using WireGuard. It's faster and uses up-to-date crypto. It's also simpler to set up with far fewer points to fail.

Unfortunately I cannot do much testing as this is a production router and I will not take the risk of flashing new firmware versions just for doing a test.

I am curious if anybody else has Openwrt 18.x running with VPN servers behind it and what experience these users have?

Regarding Wireguard: I have thought about it already. However I would need a more commonly available standard at the moment. I might be able to run that on the Raspberry but on the Synology NAS this is not yet available.