VPN Client Speed Issue

Comments

16 comments

  • Avatar
    Firewalla

    Not all VPN services can handle higher speed.   Can you install the same profile on a phone or PC, then try test out the speed of the service first?

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    Sorry, I should have mentioned that iVPN, when connected directly using its native macOS client on this same machine, gets ~150Mbps download speeds.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Is the client the standard OpenVPN client?  If you can, try to use that and see how fast the VPN goes. 

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    Which client are you asking about?  The native macOS client I'm using on this machine is supplied by iVPN - that gets about ~150Mbps down.  The client in the Firewalla Gold is whatever it is, I guess.  Sorry to be confused...

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    What I mean is try another VPN client on the MacOS that's NOT provided by the VPN provider.  And see if this is faster or not.  Some of the VPN provider client may optimize to the location of the servers, and the one you configured may not be optimal.  By using a different VPN client, you can lock down on the VPN server, and try the same on the Firewalla Gold as well.   This helps to isolate the problem and see if it is the router, the VPN server, or the client. 

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    I think I understand...  The iVPN native OpenVPN client says that the Phoenix server is the fastest from my location - that gets ~150Mbps over that client.  Using the same Phoenix server profile in setting up the Firewalla Gold, I'm only seeing ~25Mbps.  So - same server, two clients, big difference in speed.

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    Further testing seems to confirm that running the OpenVPN client in the Firewalla Gold drastically reduces the throughput versus using a native macOS OpenVPN client - both connecting to the same VPN server.  I have to assume that this is a bottleneck in the Firewalla Gold.  Does Firewalla plan on enabling Wireguard support in the Gold?  Thank you.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    The VPN on the Gold is far more capable than 20mbits.   To verify that you can simply go inside your Gold unit. https://help.firewalla.com/hc/en-us/articles/115004397274-How-to-access-Firewalla-using-SSH-

    then type "top"

    While running a speed test via VPN;  If you see the OpenVPN process using 100% of one core, then please send help@firewalla.com, we need to take a look.

    But, if you see OpenVPN is not using much CPU, it is likely something else is slowing it down.  

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    I don't seem to be able to figure out how to ssh into my Gold box...  I am *not* a tech guru...

    I did what was suggested above re the SSH Console configuration in the iOS app, and applied it to "LAN".

    But ssh pi@192.168.1.1 in Terminal gives this response:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:Oo8uXesDVqO3ThENsYmob+TKMvEUqONZlhq2aIWCDxg.
    Please contact your system administrator.
    Add correct host key in /Users/hft/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /Users/hft/.ssh/known_hosts:1
    ECDSA host key for 192.168.1.1 has changed and you have requested strict checking.
    Host key verification failed.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    you will need to edit /Users/hft/.ssh/known_hosts file and remove the first line.  Then it should work.

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    Ah!  Yes, that worked.  I'm going to send an email to help@firewalla.com demonstrating my test with/without the Firewalla VPN Client connected - even though it doesn't look like the Gold CPU is getting hammered, the difference in download speed is drastic - ~30Mbps vs ~450Mbps.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    One theory we have (and we have seen this before) is some VPN service provider throttles down the speed if the client is like a router.  

    The reason I am asking about OpenVPN CPU is, due to how that process was designed, it is a single-threaded process.  It means, it's CPU usage is a direct reflection of speed.  If you see that process not eating CPU, it means, something is not feeding it enough data to crunch. 

    Anyway, shoot us some more data, we can take a look.

     

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    I've just sent an email - but, annoyingly, I somehow managed to attach the same demonstration screenmovie twice - I'll resend the intended other screenmovie ASAP.  Sorry.

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    I've sent several emails directly to help@firewalla describing my attempts to get to the bottom of this issue.  However, just now, I've run into an even worse issue...  Most of the day today, my Firewalla VPN Client connection to iVPN (over TCP, port 80) has been okay - running at about 75Mbps down.  About 20 minutes ago, that throughput dropped to under 1Mbps.  I rebooted the Firewalla, but that didn't help.  And, as is usual, connecting to the same iVPN server over the same protocol and port realizes about 150Mbps down.  I have no idea what has gone off the rails, nor do I have any idea how to troubleshoot this.  Please advise.  Thank you.

    UPDATE: Things seem to have gone back to what they were - I'm suddenly seeing ~50Mbps down again through the Gold.  Go figure...

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Can you let me what is the ticket number you have?  if you do not have one, I have created one for you, you should see that in your email. 

    As of the problem, it is very likely you are getting throttled by the VPN service. Can you check with them to see if they do something like that?  

    0
    Comment actions Permalink
  • Avatar
    Hans Tobeason

    Again, I have to first thank you guys for your incredibly responsive support.  It is appreciated.

    Here's my [Ticket ID: 735398].

    My last email to help@firewalla copied a response I got from iVPN (my VPN provider) stating that they *never* throttle.

    0
    Comment actions Permalink

Please sign in to leave a comment.