I’ll preface this by saying that my networking knowledge is very limited.
I have an OpenVPN server running on an XG-1537 and a 10Gbit fiber network, as well as a Synology RS3618xs with a bunch of SSDs in it. Both devices are connected to a single rackmounted switch.
When connecting from another location over Viscosity (VPN app), it results in extremely poor sequential reads from the NAS (right about 8MB/s max), even though I can download files at well above that speed (gigabit+ speeds).
This goes for SMB on both Mac and PC, and the Synology web interface. It seems capped at right about that number. All traffic is redirected over the server ("send all traffic" in Viscosity as well as in the pfSense server setting), and if you do a regular speedtest you can easily get high speeds downloading just about anything else.
What I’ve tried:
- Changing encryption settings, encryption on/off, different algorithms, exclusively 256-GCM or 128-GCM with AES-NI enabled.
- Changing MTU values on the Synology from 1500 to 9000 and lower, enabling SMB2 as max, enabling opportunistic locking, disabling encryption.
- Changing the MTU values in the pfSense OpenVPN server settings, buffer settings, and setting things such as fast-io, sndbuf 524288, rcvbuf 524288.
- Redirect IPv4 Gateway on and off, different compression settings (currently decompress incoming and disable compression)
- Tried switching from UDP to TCP
- Monitoring hardware performance: absolutely no issues there from what I can see.
- There is an IPsec tunnel to Azure which goes to a few 10.0 networks, but the phase two records are all outside the range 10.0.3.0/24, for instance. I’ve also tried changing the IPv4 tunnel network on the VPN server.
The OpenVPN server is running over its own 10.0.8.0 network; the Synology is on a 172.16.0.0 network together with the firewall, which is on the same subnet. NAT outbound has the 10.0.8.0/24 default rules defined.
This is what the .ovpn settings look like:
# Tunnel and client basics
dev tun
persist-tun
persist-key
# Data-channel crypto pinned in the profile (OpenVPN 2.4+ peers may still
# negotiate an AES-GCM cipher via NCP if the server allows it)
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote *HIDDEN* 1194 udp
setenv opt block-outside-dns
lport 0
# Server certificate and user checks
verify-x509-name "XX" name
auth-user-pass
# ns-cert-type is deprecated and was removed in OpenVPN 2.5
# (the replacement is "remote-cert-tls server")
ns-cert-type server
# Windows route handling
route-delay 5
route-method exe
auth-nocache
# Inline CA, client certificate, client key and tls-auth key (contents elided)
<ca>
-----BEGIN CERTIFICATE-----
...
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
</tls-auth>
key-direction 1
Any ideas what to try?
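As an added example (not part of the original post, and not the poster's or pfSense's tooling), the script below parses an OpenVPN client profile and reports which throughput-related options the client actually has in effect, using the defaults documented for OpenVPN 2.4 when an option is absent. The embedded SAMPLE_OVPN is a constructed copy of the posted profile: the hidden remote host is replaced by a placeholder name and the inline certificate and key bodies by PLACEHOLDER text. The point it makes is that buffer, fast-io and MTU settings entered on the server are not automatically applied to the client side of the tunnel.

```python
"""Inspect an OpenVPN client profile for the options that govern tunnel
throughput and flag deprecated directives.

Added example for this thread, not the poster's tooling. SAMPLE_OVPN is a
constructed copy of the posted profile with placeholders for hidden values.
Defaults quoted below are those documented for OpenVPN 2.4.
"""
import shlex

SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1194 udp
setenv opt block-outside-dns
lport 0
verify-x509-name "XX" name
auth-user-pass
ns-cert-type server
route-delay 5
route-method exe
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Options that control tunnel throughput, with the value OpenVPN 2.4 uses
# when the option is neither in the profile nor pushed by the server.
THROUGHPUT_OPTIONS = {
    "tun-mtu": "1500 (default)",
    "mssfix": "1450 (default; applies to UDP)",
    "fragment": "disabled (default)",
    "sndbuf": "OS default (a server-side sndbuf is not inherited; it must be pushed)",
    "rcvbuf": "OS default (a server-side rcvbuf is not inherited; it must be pushed)",
    "fast-io": "off (default)",
    "comp-lzo": "off (default)",
    "compress": "off (default)",
}

# Directives that later OpenVPN releases reject outright.
DEPRECATED = {
    "ns-cert-type": "removed in OpenVPN 2.5; use 'remote-cert-tls server' instead",
}


def parse_ovpn(text):
    """Return (options, blocks): options is a list of (name, [args]) for plain
    directives; blocks maps an inline section name (ca, cert, key, tls-auth)
    to its raw body. Comment lines outside a block are skipped; inside a
    block every line is body text (tls-auth keys legitimately start with #)."""
    options, blocks, current, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            if line == "</%s>" % current:
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            raise ValueError("closing tag without opening block: %s" % line)
        if line.startswith("<") and line.endswith(">"):
            current = line[1:-1]
            continue
        parts = shlex.split(line)  # honours quoting, e.g. verify-x509-name "XX"
        options.append((parts[0], parts[1:]))
    if current is not None:
        raise ValueError("unterminated inline block <%s>" % current)
    return options, blocks


def throughput_report(options):
    """Map each throughput-relevant option to the value in effect on the client."""
    present = {name: args for name, args in options}
    report = {}
    for name, default in THROUGHPUT_OPTIONS.items():
        if name in present:
            report[name] = " ".join(present[name]) or "enabled"
        else:
            report[name] = default
    return report


def deprecated_options(options):
    """Return {directive: reason} for directives newer releases no longer accept."""
    return {name: DEPRECATED[name] for name, _ in options if name in DEPRECATED}


if __name__ == "__main__":
    opts, blocks = parse_ovpn(SAMPLE_OVPN)
    print("inline blocks:", ", ".join(sorted(blocks)))
    for key, value in throughput_report(opts).items():
        print("%-9s %s" % (key, value))
    for key, reason in deprecated_options(opts).items():
        print("deprecated: %s (%s)" % (key, reason))
```

Run against the posted profile, every throughput option comes back at its default: the sndbuf, rcvbuf and fast-io values entered in the pfSense server settings apply to the server's own socket only, so to reach the Viscosity client they either go in the client profile or are pushed from the server (for example push "sndbuf 524288" and push "rcvbuf 524288"). Changing them on one end at a time is one reason the experiments listed above may have shown no effect.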