Technical Discussion
  >> Home Networking, Internet Connection Sharing, etc.


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | 3 | 4 | 5 | (show all)   Print Thread
Standard User Woolwich
(committed) Sat 20-Jun-20 14:31:10
Print Post

VPN site to site connection speeds


[link to this post]
 
I have a couple of FritzBox routers at two locations set up with a site to site VPN always on. Works well, easy to see and access files at the 'other' location.

But when it comes to transferring large amount of data its quite slow. And my FTTC connection isn't anywhere near saturated. There's going to be some overhead for the VPN, but how much?

There's a 80/20 FTTC connection at one end sending to a 40/10 on the same ISP. So you'd think you could send at getting on for 20 Mb/s less what ever for the VPN as the receiving end can easily download that bandwidth. Especially as there's nothing else on the connection over the weekend.

Currently it sending at around 5000kb/s. The receiving FritzBox agrees! Surely I could be transferring at around twice that, maybe even up to 15 Mb/s?
Standard User caffn8me
(eat-sleep-adslguide) Sat 20-Jun-20 15:39:26
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
I haven't played with Fritz!Box VPNs but their website does make mention of slow VPNs for the 7490 at https://en.avm.de/service/fritzbox/fritzbox-7490/kno...

My home internet connection is showing averaged speed test results of 73.0Mbps down and 18.6Mbps up over the past week.

I've just tested with iperf3 over a VPN to a site in France and I can get 68.5Mbps down and 17.3Mbps up. That's 93-94% of the direct internet speed so less than 7% overhead.

I do have dedicated business grade firewalls at both sites though with a maximum rated VPN throughput on the slower device of 250Mbps. I'm using the highest grade encryption with PFS that the devices have shared support for, and IKEv2 IPSec.

Other VPN methods will have slightly different overheads but I would imagine usually less than 10%

I think in your case the Fritz!Box it's likely to have run out of steam due to the encryption processing required. There are reports that the really inexpensive Ubiquiti Edgerouter X can cope with much higher VPN throughputs and I will likely have one to play with next week. I'll let you know how I get on.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User prlzx
(experienced) Sat 20-Jun-20 16:24:59
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
VPN endpoints which can use AES-GCM (a type of counter mode) often perform better for IPSec throughput.

From experience I'm aware that both pfSense and EdgeMax router have hardware assisted/accelerated IPSec throughput and subject to being able to choose an encryption algorithm which both ends can take advantage of.

Wireguard also looks interesting as something to watch.



prlzx on iDNET: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Sat 20-Jun-20 16:44:43)


Register (or login) on our website and you will not see this ad.

Standard User Woolwich
(committed) Sat 20-Jun-20 16:54:54
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
I haven't played with Fritz!Box VPNs but their website does make mention of slow VPNs for the 7490

I'd seen that page but assumed it was a general article rather than specific to that router.
t the really inexpensive Ubiquiti Edgerouter X can cope with much higher VPN throughputs and I will likely have one to play with next week. I'll let you know how I get on.


Yes please. And a link meanwhile cos I can't see much mention on the page I found. I like the FritzBox, it does everything I want in a single box - modem, 1GB four port Ethernet, DECT and VoIP (& WiFi!). Plus we have more than two to create VPN links between offices. Maybe I need some kind of VPN firewall type thing? If that's the case, where does it physically fit in my setup?

Thanks!
Standard User prlzx
(experienced) Sat 20-Jun-20 17:03:48
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
For EdgeMax router, I've found the following KB articles useful in the past

Hardware Offloading support

Site-to-Site IPSec VPN, Route based (VTIs)

Now that pfSense has VTI support I will be reviewing the latter for some more inter-site work.
I wish Ubqiuiti would implement the GCM offload - seems to depend what the SoC vendor / SDK / is able to expose though.



prlzx on iDNET: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User Woolwich
(committed) Sat 20-Jun-20 17:24:00
Print Post

Re: VPN site to site connection speeds


[re: prlzx] [link to this post]
 
In reply to a post by prlzx:
For EdgeMax router, I've found the following KB articles useful in the past

OK, er, thanks! So its cheap but it's all command line. And according to the reviews it takes a day to set it up - if you know the flavour of Linux it speaks.

If I accept the VPN on the FritzBox is my problem, can't I get a simple VPN box that's simple to set up via a GUI to do the connections?

Or, maybe the FB is F'd and need replacing. How could I test the speed to see if its running at full steam on the LAN. Cos if its not, different solution maybe required.
Standard User caffn8me
(eat-sleep-adslguide) Sat 20-Jun-20 17:59:04
Print Post

Re: VPN site to site connection speeds


[re: Woolwich] [link to this post]
 
The Edgerouter X (ER-X) does have a web interface which can be used to set up VPNs. I've never done an ER-X to ER-X VPN but I've done an ER-X to WatchGuard VPN using virtual tunnel interfaces and it worked well.

It should be possible to connect the ER-X to a port on the Fritz!Box and set the ER-X's LAN IP address as a static route on the Fritz!Box for the remote LAN IP subnet. Obviously you need to do this at both ends. Whether or not you can set up a static route may depend on Fritz!Box model. It's certainly doable on the 7490 because there's a guide here. I'll have a look at the 7530 in a minute or three.

I haven't actually tried this but there's no reason it shouldn't work. You may need to play around with MTU and/or TCP MSS on the ER-X to get maximum throughput.

I'll get an ER-X to play with next week and let you know how I get on. I've got several at client sites but not in a VPN scenario.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
ISP Representative uno
(isp) Sat 20-Jun-20 18:07:08
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
I'll get an ER-X to play with next week and let you know how I get on. I've got several at client sites but not in a VPN scenario.


WireGuard is worth a try too. Config is manually done and you have to load some third party software but performance is far better what the ER and even USG3/4 come with (similar Vyatta core).

Matt

uno Communications
t: 0333 773 7700
uno Speedtest
The above post has been made by an ISP REPRESENTATIVE (although not necessarily the ISP being discussed in the post).
Standard User caffn8me
(eat-sleep-adslguide) Sat 20-Jun-20 18:08:38
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
Whether or not you can set up a static route may depend on Fritz!Box model. <snip> I'll have a look at the 7530 in a minute or three.
No, it doesn't seem to be possible on a 7530 as taken brand new out of the box. I can't see a VPN option either but I may be blind. Food is calling smile

Edit: Enable advanced settings and static routes are possible on the 7530 smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Sat 20-Jun-20 18:10:31)

Standard User Woolwich
(committed) Sat 20-Jun-20 18:22:37
Print Post

Re: VPN site to site connection speeds


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
The Edgerouter X (ER-X) does have a web interface which can be used to set up VPNs.


Lots to research 'n' learn then.....

I have the 7490, don't care about the others. In fact we have four and at leats three are connected together on LAN to LAN VPNs. So my solution needs to allow for VPN links between three or four locations so each can access both the HQ and other branch locations.
Pages in this thread: 1 | 2 | 3 | 4 | 5 | (show all)   Print Thread

Jump to