ER8411 Slow OpenVPN
I am confused; for some reason I can't get decent VPN speeds. Site has 3gb sym, remote 1.5gb/1gb. I'm getting 300/300. WireGuard is the slowest with about 170/90. CPU on router about 8%. Is the controller doing something, should I get rid of it and be in standalone? I really don't understand what's going on, my latency is like 5ms. MTU settings? Site is running 1474 MTU with 1434 MSS. Required due to ISP.
Any help would be greatly appreciated.
Hi @Radmeister
Thanks for posting in our business forum.
Here's the performance:
What's the network size on ER8411?
Have you enabled DPI and IDS, features which may require high CPU performance?
Is ER8411 the server or the client?
What's the other router you have? What's the performance of it? Datasheet, please.
As you are using the beta firmware, try to downgrade to the previous one and test it. I think it has nothing to do with the firmware but I still want to verify that.
If you can share the censored config from the OVPN on the other router if it is the server, that'd be best.
Controller has nothing to do with the speed. It only syncs the configs and collects the data to display the stats.
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
Hi Clive,
The network size is small, at most 15 users connected, 7 hard wired and 8 or so on wifi.
I don't have DPI enabled - the option is not available on the controller.
IDS is disabled. ER8411 is the server.
In front of the ER8411 is a Bell Gigahub modem placed in bridge mode and only converting fibre to cat 7, which goes into a TP-Link 10gb SFP transmitter (authentic).
Also I see that you added GCM support, but there is no option in the creation of the server, or way to edit the file easily to change to AES-128-GCM or AES-256-GCM.
config server 'server0'
option account_pwd 'on'
option full_mode 'on'
option ifconfig_pool_persist '/tmp/ipp0.txt'
option ca '/etc/openvpn/ca.crt'
option indexname '0'
option status '/tmp/openvpn_status_server0.log 5'
option cid '67041887'
option enabled 'on'
option proto 'udp'
option duplicate_cn '1'
option cert '/etc/openvpn/server_server0.crt'
option client_cfg '/etc/openvpn/client_server0.cfg'
option ca_cert '/etc/openvpn/ca.key'
option persist_tun '1'
option authtype 'local'
option auth_user_pass_verify ''\''/usr/bin/lua /lib/openvpn/openvpn-password.lua'\'' via-env'
option dh '/etc/openvpn/dh1024.pem'
option persist_key '1'
option port '1194'
option wan 'WAN1'
option verb '2'
option comp_lzo 'no'
option setenv 'SECTIONNAME 67041887'
option cipher 'AES-128-CBC'
option cname 'EmnorOpenVPN'
option username_as_common_name '1'
option local_network '0.0.0.0/0'
option key '/etc/openvpn/server_server0.key'
option keepalive '10 120'
option status_version '2'
option management '127.0.0.1 7510'
option dev 'tun_server0'
option client_ovpn '/etc/openvpn/client_server0.ovpn'
option client_to_client '1'
option server '192.168.10.0 255.255.255.0'
option vlocalip '192.168.10.1'
CLIENT
client
dev tun server0
proto udp
float
nobind
cipher AES-128-cbc
compress
fast-io
ncp-disable
sndbuf 512000
rcvbuf 512000
txqueuelen 2000
reneg-sec 0
resolv-retry infinite
remote-cert-tls server
verb 2
persist-key
persist-tun
ping 10
ping-restart 120
auth-user-pass
explicit-exit-notify
remote x.x.x.x 1194
tun-mtu 1350
mssfix 1310
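The cipher question raised in the post above, as an added example that is not part of the original thread or TP-Link's code: a small Python check that parses both posted config styles and lists the directives that keep the data channel on CBC, plus a few other settings worth reviewing. The `parse` and `audit` helpers and the finding names are assumptions made for this example; the sample lines are copied from the posted configs.

```python
import re

# Lines copied from the configs posted above (server: UCI style, client: .ovpn style).
SERVER = """\
option dh '/etc/openvpn/dh1024.pem'
option cipher 'AES-128-CBC'
option duplicate_cn '1'
option comp_lzo 'no'
"""
CLIENT = """\
cipher AES-128-cbc
ncp-disable
reneg-sec 0
tun-mtu 1350
"""

AEAD = ("-GCM", "CHACHA20-POLY1305")  # AEAD data-channel ciphers OpenVPN can use

def parse(text):
    """Return {directive: value} for UCI 'option k v' lines or plain .ovpn lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "config ")):
            continue
        line = re.sub(r"^option\s+", "", line)
        key, _, value = line.partition(" ")
        out[key.replace("_", "-")] = value.strip().strip("'")
    return out

def audit(cfg):
    """Return a sorted list of finding names (hypothetical labels) for one config."""
    found = []
    cipher = cfg.get("cipher", "").upper()
    if cipher and not cipher.endswith(AEAD):
        found.append("non-aead-cipher")          # CBC needs a separate HMAC per packet
    if "ncp-disable" in cfg:
        found.append("ncp-disabled")             # no cipher negotiation; `cipher` is used as-is
    m = re.search(r"dh(\d+)\.pem$", cfg.get("dh", ""))
    if m and int(m.group(1)) < 2048:
        found.append("small-dh-params")          # inferred from the file name only
    if cfg.get("reneg-sec") == "0":
        found.append("no-timed-rekey")           # this side never rekeys on a timer
    if cfg.get("duplicate-cn") == "1":
        found.append("shared-identity-allowed")  # one certificate CN, many sessions
    return sorted(found)

def cipher_mismatch(server, client):
    """True when the two sides pin different data-channel ciphers."""
    return server.get("cipher", "").upper() != client.get("cipher", "").upper()
```
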
See the below screenshot of a speed test when connected to vpn
Hi @Radmeister
Thanks for posting in our business forum.
OK. Third-party server, looks like it is based on Linux? You did not share the specs of the machine (server).
So, you import this file to the computer that is connected to the ER8411 which can get an Internet speed of that high-speed level, do the speed test, what's the result on this cellphone?
No third party, that's the server configuration file when I export the files from my OC300 controller for r&d.
On my cellphone, iPhone 15 Pro, same deal: 250 down max, 325 up max. No VPN: 1.1gb/1gb.
Also, you are correct firmware is not the issue, I downgraded back to stable, exact same thing.
The extra settings in the client are me trying to improve performance; it made no difference from just editing the downloaded file from the router and changing the IP to my dyndns address.