openVPN (SSL VPN) capped at around 20Mbit/s Up/down

What results do you get with:

encryption: AES-128-CBC
authentication: SHA 256
Key Size 1024
Compress traffic - NOT enabled

Cheers - Bob

Will try and report back.

Do you have I.P.S. enabled?  It inspects packet contents.  

Are you seeing a C.P.U. spike to correspond with the latency?

Have you reduced M.T.U. on the inside interface so that packets will not be fragmented when encapsulation overhead is added?

Yes, IPS is enabled but there is an exception for all traffic (all to dest port 1194)

There is a CPU spike, but a single core never exceeds 70%. There is no latency (that I care of). The problem is the throughput (bandwidth usage)

I did not  reduce the MTU size. There is other traffic going thru internal (LAN) interface, so better way would be to configure MTUs for openVPN only.

(also how is it possible to do without editing the conf files or is it the only way?)

Yes, IPS is enabled but there is an exception for all traffic (all to dest port 1194)

There is a CPU spike, but a single core never exceeds 70%. There is no latency (that I care of). The problem is the throughput (bandwidth usage)

I did not  reduce the MTU size. There is other traffic going thru internal (LAN) interface, so better way would be to configure MTUs for openVPN only.

(also how is it possible to do without editing the conf files or is it the only way?)

Reducing M.T.U.will have minimal effect on other traffic - nothing you will notice.

What should I redouce it to?

The reduction for IPsec is 24 bytes, I think.  I don't know for OpenVPN, but at least 34.  I would try 1400, then 1450, then 1466.  Please report your results.

Cheers - Bob

Everything I know is based on documentation from support . cisco . com

On their site, click the magnifying glass icon on the upper right and search for this title.

"IP Fragmentation and MTU Path Discovery with VPN"

(I am not providing a link, because I don't think this forum allows links to anything non-Sophos related.)

I read the document (or a previous draft) a long time ago, and cannot dive into the weeds of what it says, but this is the short version:

Open the tunnel with the standard MTU settting.

Use ping with the "don't fragment" option to find the largest packet that is not dropped.   On Windows, the syntax is

ping -f -l (value)

The result is your MTU.  I actually used an inside MTU value a little lower than this test result because their document led me to believe that the encryption  overhead had some variability.

We had this problem with users connected via an uplink witth DS lite.

In client openvpn config a line

link-mtu 1200

helped

BUMP.

Still testing and trying out settings. As of today no significant performance boost (I can get around 30 Mbps on a 100Mbs link of VPN bandwith) with all the suggested settings.

Will try further testing and report my findings.

You can see if an MTU is too large with:

ping -I 172.16.1.1 172.16.2.1 -s 1500 -M do

172.16.1.1 is the IP of "Internal (Address)" for your local UTM and 172.16.2.1 is that of the remote device.

Using that repeatedly, I found that the optimal MTU for the IPsec VPN between our lab and the UTM in AWS is 1378.

Cheers - Bob

Been doing some testings as well and i've been capped to 2Mbps on a 1/1GB line. Switched from UDP to TCP and reach now around 20Mbps from a 4G road warrior workstation. I've done some other testing on a competitive solution with dedicated SSLVPN client/drivers and on the same setup i'm reaching 35/40Mbps this with all weak ciphers banned at the SSLVPN daemon from that solution..

I'm using the latest OpenVpn client (openvpn-install-2.4.4-I601.exe) to reach my Sophos lab..

Cheers,
m

This is what my testing shows as well. As I weaken the ciphers i get faster speeds.

Combination of MTU settings and other suggested stuff I get around 20-30 Mbps. On the other hand, I see no hardware bottleneck (CPU load and such).

I have now assumed that this is how openVPN works on Sophos, and using it that way.

Thanks all for your input1