PFS 2.6CE packet loss across OpenVPN

Hi all, whilst I have followed Tom and his channel for a long time, I figured it's a good time to start being part of this community.

I would like some guidance or direction on a problem I have noticed on one of my PFS servers. First, to explain the setup: I am running PFS 2.6CE on a VMware virtual machine. The machine has 4 cores and 4 GB RAM. The actual CPU is an Intel Xeon E5-2673. Storage is more than sufficient.

I run OpenVPN between remote servers and this PFS machine. I have a total of 30 remote servers that connect to a private network 192.168.80.xx

Certificates are used for the authentication.

Problem: I have noticed the voice services on these remote servers have been suffering, so I did some investigation and found, doing basic ping tests, that I was seeing packet loss.

I did some packet captures on the firewall but could not see anything obvious. So I decided to step back and tackle it from a different angle.

I created another VPN server, using the existing CA cert, but a new private network range, let's say 192.168.81.xx.

When testing, I get the expected low ping replies of a few ms. Whereas on the original / existing VPN network, it's all over the place, going up to several 100s of ms.

I have no idea why this is happening. Has anyone seen this before, or have ideas how I can troubleshoot this further? Thanks a lot.

Colin.

Just a guess, but perhaps you can look into the traffic shaping options to see if applying any of the algorithms helps. I’ve only used it to address buffer bloat myself, but there are a raft of possibilities from what I can see.

Thanks for your reply. I did check that, but there is no traffic shaping defined. Another admin built this fw, so I have been going through as many details as possible to find the root cause. Sure, I have a work-around, but that's like cheating, right?

I would rather find the true cause and fix it.

Thanks, Colin.

Does anyone have any troubleshooting tips for traffic across OpenVPN?

I am still lost as to why we are experiencing this packet loss. Thanks for your time.

Is it possible that your NIC does not support some or all of the offloading tools? I had problems with my WAN on my server because the card was just old enough to not support one of the offloading things. Checked the box to stop NIC offloading and things started to get better. Might be something to look into.

Also don’t rule out your ISP. What I’m seeing is that when pfSense gets to about 25-30% packet loss, it stops the connection. And my T-Mobile Home Internet has been really poor lately!

Thank you for your reply Greg.

We did move the WAN connection to another ISP, but we cannot replicate any packet loss on either of the ISP connections. We also got them to check for line errors as well.

The issue only appears to happen when this one particular VPN server is used. It’s very odd. I have purchased a hardware pfSense (not Netgate) and will restore the backup to that. If we still cannot fix the issue, I might create a TAC case. Either way, if I find the answer, I will share here.
Cheers,
Colin.

Just to comment on your other point. The NIC is an HPE quad 1Gb interface module in the HP ProLiant server. The server is a Gen 9 HPE server and whilst it's not new in today’s money, it's still fully supported (I believe) for VMware 7 that we are hosting the PFS on.