VPN Speeds - AITA

[mike_seps]

Quick question for everyone, mostly want to know if my IT dept. is full of crap...

 

Our current internet speeds via speedtest.org -

 

VPN off - 617 Mb/s

VPN on - 23 Mb/s

 

Now, I'm no network specialist, yet, but I feel like a 96% drop in speed is a bit extreme for a VPN (Sophos). I have raised my concern to IT, as we are working from a remote annex building, so we have to be on the VPN in order to access our server, and his response is "that's normal for VPNs."  I feel like all the times I have used a VPN in the past for personal use, it has never been THAT big of a knock on my speeds, maybe I'm wrong though. Just seems extreme.

 

Now for the question - Am I totally wrong and expect too much from our VPN, or is he wrong and just doesn't want to admit that he has a crap provider?

[Clarkius]

It is normal for a VPN connection to be slower than a connection without the VPN, as the VPN is adding in extra steps between your computer and your internet connection, so you will see some drops in speeds due to this, but it should only be about 10-20% on average if I remember correctly

[Levent]

Without knowing the internet speed your VPN server has, I cant decide who to talk shit about. Getting 100mbps and higher through a VPN requires some serious tweaking.

[Alex Atkin UK]

27 minutes ago, Clarkius said:

It is normal for a VPN connection to be slower than a connection without the VPN, as the VPN is adding in extra steps between your computer and your internet connection, so you will see some drops in speeds due to this, but it should only be about 10-20% on average if I remember correctly

There is some loss from overheads but there can also be a loss from CPU overhead on the server itself.  If its serving a lot of clients, it can be significant.

 

24 minutes ago, Levent said:

Without knowing the internet speed your VPN server has, I cant decide who to talk shit about. Getting 100mbps and higher through a VPN (especially through TCP) requires some serious tweaking.

I can comfortably do 224Mbit to my VPS with the VPN running over UDP, no tweaking at all.  It only becomes a problem as you add more clients especially using OpenVPN which is very CPU heavy and single-threaded.

So the CPU of the client and server can be very important to getting a good speed.  This is why Wireguard is highly regarded now, it more-or-less eliminates the CPU bottleneck.

[mike_seps]

2 minutes ago, Levent said:

Getting 100mbps and higher through a VPN (especially through TCP) requires some serious tweaking.

I'd be so excited about 100. hell even 75 would be 3x our current speed.

 

3 minutes ago, Alex Atkin UK said:

If its serving a lot of clients, it can be significant.

Knowing our IT department, I wouldn't be surprised if all our remote traffic is routed through our HQ server, and then forwarded to the actual office servers in our different cities. So maybe when I open a folder in our Charlotte server, it's actually going though the central VPN, to our HQ server in Pittsburgh, then to the Charlotte branch, then flip it and reverse it for the delivery? Instead of a direct link from me to VPN to Charlotte

[Levent]

5 minutes ago, Alex Atkin UK said:

I can comfortably do 224Mbit to my VPS with the VPN running over UDP, no tweaking at all.  It only becomes a problem as you add more clients especially using OpenVPN which is very CPU heavy and single-threaded.

OpenVPN bandwidth depends on the cipher, protocol and your hardware you use. Wireguard performs significantly better but I do not like running VPN traffic over UDP.

[Alex Atkin UK]

15 minutes ago, Levent said:

OpenVPN bandwidth depends on the cipher, protocol and your hardware you use. Wireguard performs significantly better but I do not like running VPN traffic over UDP.

Why?  TCP is a very bad protocol to use for a VPN because you end up with TCP over TCP which is problematic as you have the VPN connections congestion control trying to maximise the link while the content within the VPN is also trying to do the same.

[LIGISTX]

Sounds like someone needs to set up a split tunnel….

[Alex Atkin UK]

6 minutes ago, LIGISTX said:

Sounds like someone needs to set up a split tunnel….

Indeed, all my VPNs are on my router so they are only used as a back-door into my VPS servers so I don't have to leave the admin portals open to the public Internet.

I mean I really don't want DNS going over the VPN as I need local lookups to work and its just adding latency for no good reason.

[Levent]

12 minutes ago, Alex Atkin UK said:

Why?  TCP is a very bad protocol to use for a VPN because you end up with TCP over TCP which is problematic as you have the VPN connections congestion control trying to maximise the link while the content within the VPN is also trying to do the same.

TCP443 is an easy way to get around DPI / censorship / typical blocks. Not to mention for some reason android hotspot does not NAT UDP traffic.

[Alex Atkin UK]

27 minutes ago, Levent said:

TCP443 is an easy way to get around DPI / censorship / typical blocks. Not to mention for some reason android hotspot does not NAT UDP traffic.

True, although its best to only use it when absolutely necessary because of the issues mentioned.

 

Definitely not true about Android hotspot though, just checked on my Galaxy S10 and I can connect to my home Wireguard server with my Macbook over its hot spot with no issues.

I lose about 10% download speed (compared to my home upload speed) on overheads, and for some reason 25% reduction on upload compared to the RAW 4G upload speed.