horrible speeds over VPN

Need Help?

That's what we're here for! The goal of the Rogers Community is to help you find answers on everything Rogers. Can't find what you're looking for? Just ask!
cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
I'm Here A Lot
Posts: 6

Re: horrible speeds over VPN


@Datalink wrote:

Have a look at my additional "Edit" above.  There is an update in the works, just not sure if its going to be included in the next one or two updates.  I'll inquire about any progress on this.  

 

First thing that comes to mind is a cable issue.  Its possible that the problem is beyond your cable system, somewhere between the local tap, which you are connected to, and the neighbourhood node.  As I indicated above, the first item that comes to mind when tech support can't push an update is a cable issue.  Since your cabling was replaced very recently, I would suspect some issue further upstream, in which case tech support should have dispatched a senior tech, not a contractor tech.  

 

Then there is always the possibility of some configuration change witin the Cable Modem Termination System (CMTS).  Your modem connects to the CMTS via the neighbourhood node.  Any configuration change, accidental or deliberate can result in issues for users.  

 

Are you running IPV6 by any chance, and if so, does your transfer target use IPV4 or IPV6?  If you're running IPV6, I wouldn't be surprised if there was a configuration change with the CMTS which is causing IPV6 problems for users connected to that particular CMTS. 

 

You should be able to log into the modem using 192.168.0.1 or 192.168.100.1 if the modem is in Gateway mode, or by using 102.168.100.1 if the modem is in Bridge mode with a router behind it.  You can log into the modem thru the router.  

 

If you can log into the modem and its running in Gateway mode, you will see two WAN addresses in the upper right hand data block on the Status page.  That page is displayed automatically when you log into the modem.  The upper right hand corner is the WAN address block and it will show both IPV4 and IPV6 addresses if the modem is running IPV6.  


So tech has been onsite and reluctantly changed modem.  It was quick, only an hour, but alas no change.

 

To answer some of your questions:

- Since the modem is getting 600+ Download with regular traffic, Rogers is declaring success and basically writing my issue off

- IPv4 only

- Can see modem, but can't login since I have static IPs (tech alluded that customers are not responsible enough to be entrusted with login rights on the device when static IPs are involved.)

 

It's irritating because for such a long known about issue, not a single person at Rogers seems to know anything about this - the one veteran tech (he's been with the outsource company Rogers contracts for almost 1 whole year) I spoke to on the phone yesterday has didn't know Rogers had forum sites, he tried telling me these were run by a unaffiliated 3rd party.

 

Time to cancel.  Just have to figure out who will deliver into this building.

I'm Here A Lot
Posts: 6

Re: horrible speeds over VPN

We will see how long it lasts, but it just magically started working again.  from 200K to 40Mb in 1 second.  No change from this end...

Resident Expert
Resident Expert
Posts: 6,149

Re: horrible speeds over VPN

Are you on a business plan?   Just wondering why the static IPs would prevent the user from logging into the modem?

 

Alternatives are to go with a fibre provider, if one is available in the building, or with a TPIA, which will only be able to give you reduced overall data rates as neither Rogers, Bell or other large providers will allow TPIAs to run high speed services.  The gain out of this situation is that you wouldn't necessarily be using a Puma 6 modem.  A fibre provider will supply a totally different modem, for a TPIA you would just have to be careful and avoid any Puma 6 modems they might offer.  

 

40 Mb/s thru the IPSEC VPN?  Is that correct? 

 

The only people who are in the know concerning the Puma modem IPSEC VPN performance are the engineering staff and a few people on this forum.  Tech support and the field techs won't know anything about this. 



I'm Here A Lot
Posts: 6

Re: horrible speeds over VPN


@Datalink wrote:

Are you on a business plan?   Just wondering why the static IPs would prevent the user from logging into the modem?

 

Alternatives are to go with a fibre provider, if one is available in the building, or with a TPIA, which will only be able to give you reduced overall data rates as neither Rogers, Bell or other large providers will allow TPIAs to run high speed services.  The gain out of this situation is that you wouldn't necessarily be using a Puma 6 modem.  A fibre provider will supply a totally different modem, for a TPIA you would just have to be careful and avoid any Puma 6 modems they might offer.  

 

40 Mb/s thru the IPSEC VPN?  Is that correct? 


Yes, we are on IgniteForBusiness 1GB with 5 static IP addresses.  I think the fear is that I was to misconfigure my ip addresses/gateway in the modem I could pentially create an duplicate IP address with someone near by - they didn't feel the need to explain why, just said no.  Yes, 40Mb UP with IPSEC VPN into Azure (we get about 100 down from it because I won't upgrade my gateway on the Azure site.)  I'm running pfSense on a high-end system, so I could get near lines-peed for the encryption as long as the network will transmit the packets...

 

TPIA is something I've been considering.  The fibre into the building was install by Bell on behalf of Telus but was installed in a way that it's dedicated for Managed service only (don't ask, neither knows how to get it straightened out) so Fibre isn't an option.  And we don't have line of site to go with a TeraGo, so something like a TekSavvy might be our only option.

 

We have Primus in here, but it's bonded sDSL so it's got a cap of about 20Mb.

Resident Expert
Resident Expert
Posts: 6,149

Re: horrible speeds over VPN

That's not terribly shabby, 100 down 40 up thru the IPSEC VPN.  I'm actually impressed with that upload speed thru the 4582 modem.  Higher than what I would have expected.  Is the Azure ingress point nearby, or is that at some distant point, just curious.  

 

Sounds like there isn't much choice in your building.  Ugh....

 

Looks like Teksavvy might be "up to 250 Mbps Down / 20 Mbps Up",  half the rate of your current upload.  You would have to check with Teksavvy's site to see if the upload rate is the same for your location.  The only modems that would be suitable would be the SmartRG SR808ac or TP-Link TC7650.  I think Teksavvy has a request in with Rogers to test and approve a Broadcom BCM-3390 based modem. 

 

https://help.teksavvy.com/hc/en-us/articles/200315110-Approved-Cable-Modems-Rogers-Network-Ontario-

 

You would want to avoid the Hitron and Cisco modems and the Technicolor DPC3848V
as they are all Puma 6 modems.  Technicolour took over Cisco's modem line from what I remember. 



I've Been Here Awhile
Posts: 2

Re: horrible speeds over VPN


@Datalink wrote:

Hi @flyboy50

 

 

Looking around I came across the latest build of OpenVPN, which appears to be v 2.4.6.  There is a note in the following page which indicates that a newer driver will be included in an upcoming Windows Installer.  Have a look at the NordVPN version of OpenVPN and if that is an older version, consider loading the newer version.  To do that, on the pc, navigate to Start …. Programs and Features.  Have a look to see if OpenVPN is listed and what version is loaded.  Don’t quote me on this, but you should be able to load the newer version over the existing version.  The latest version has improved IPv4/IPv6 dual stack support which might be useful in improving the throughput.  I’d bookmark the following page and keep an eye on it for updates to OpenVPN:

 

https://openvpn.net/index.php/download/community-downloads.html

 

While doing this I came across a comparison between ExpressVPN and NordVPN.  The comparison indicates that NordVPN’s North American servers run slow.  Looks very much like the results that you saw.  That in itself might be the sole reason behind the slow performance.  Take a read thru the following July 2018 comparison:

 

https://restoreprivacy.com/expressvpn-vs-nordvpn-comparison/

 

https://www.bestvpn.co/nordvpn-vs-expressvpn/

 

Can you run a speedtest thru some of NordVPNs servers in Europe?  I’m thinking maybe the servers in the UK, Netherlands and Germany.  Have a look to see if there are major differences in the throughput rates, as suggested in the comparison.

 

VPN throughput rates. Reading thru some of the pages spread across various site, the subject of encryption comes up.  This makes sense, as you use higher encryption levels, the encryption/decryption load goes up.  Have you run any tests to see what effect if any occurs when you select a different encryption standard?  It might be that your throughput is so low, that it doesn’t matter which encryption standard you choose.

 

Can you have a look at the modem’s VPN passthrough settings. Log into the modem and navigate to SECURITY …. VPN Passthrough. My modem is running in Bridge mode at the moment so I don’t have access to that page.  Previous versions had an IPSEC, PPTP and L2PT Pass-Through.  Can you have a look to see if SSL is available as those other settings won’t help.  If there is an SSL or SSL/TLS selection, please enable it, save the setting and reboot the modem …. ADMIN ….. DEVICE RESTART …. Reboot.

 

Food for thought:

 

I’d like to see the results for a speedtest thru a European Nordvpn server, just to see what difference there is.   This might answer the question on its own. 

 

Reading thru various pages, it looks like OpenVPN is a pig to run.  It might be an idea to load a different VPN application to see if you end up with better results.  I don’t know what applications are out in the wild, either free or licenced.  In either case, I’d be looking for AES-NI support to get the pc’s VPN throughput running at its maximum.  Looks like Windows has its own Microsoft VPN Client built in.  It might not be as fancy as the OpenVPN client, but, it’s probably worth looking at for test purposes.

 

OpenVPN appears to run UDP or TCP/IP.  UDP is a fire and forget type of protocol.  It will either get to its end destination or it won’t.  TCP/IP requires packet receipts, so, once a packet is sent, it should arrive or be retransmitted.  One way or the other, it will get to its end destination.  Problem is, the TCP/IP transmit/receipt protocol slows traffic.  So, fwiw, you could try running UDP and see what you get for results, both in terms of reliability, and in speed.

 

Here’s an interesting line that I came across in the following link:

 

https://en.wikipedia.org/wiki/OpenVPN

 

“When OpenVPN uses Transmission Control Protocol (TCP) transports to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem"[17][18]

That shouldn’t be an issue given the bandwidth that you have available, but, it’s rather interesting.

 

OpenVPN supports IPV6.  Just for test purposes, try disabling IPV6 in the modem and see what happens to the VPN performance, if anything.  Navigate to BASIC …. GATEWAY FUNCTION, and change the Router Mode from Dual (stack) to IPV4.  Save the changes.  It will take a couple of minutes for the modem to switch to IPV4 “only” mode.  I usually reboot the modem after this.  Run the ADMIN …. DEVICE RESET …. Reboot function.  At the same time, reboot the pc.  After the reboots, run another test thru the VPN to see what you end up with for results.

 

I came across a post for OpenVPN running on PfSense, which is a firewall operating system that is loaded on a pc.  The post indicated that OpenVPN is a single thread application, so, it doesn’t matter how many processor cores there are, or if the processor has hyper-threading running, this is a single thread application.  The only way to run the VPN faster is to run a faster processor.  So this is rather interesting.  When you’re running the VPN, bring up the Windows Task Manager and select Performance …. CPU to look for CPU loading.  It would be interesting to know what the CPU loading is when the VPN is running.  I came across a request in the OpenVPN Wishlist to include multi-core support, so, this looks like a problem.  This gets back to the AES-NI support which should direct encryption processing to the onboard hardware processor, assuming that there is one built into the CPU.  The question in this case is whether or not that processor is tied to the CPU clock rates, or if it can operate independently of the CPU?  The CPU load might be a hint, low load, maybe the processor is doing the work, high load, the CPU is doing the work, in which case, what’s the status of the AES-NI support in the NordVPN OpenVPN application.  Hopefully you can see why I’m asking this. 

 

Fwiw, there is an upcoming firmware change for the CODA-4582 modem to improve the performance of IKE/IPSEC which is used by MACs when they connect with NordVPN.  I don’t know if that will result in any corresponding improvement in VPN performance.  Right now, the Hitron modems will limit IKE/IPSEC to 25 Mb/s.  That's either a firmware problem, or a firmware limit that's existed since 2008 from the original Puma 5 modem manufactured by Texas Instruments (my guess).  This might be part of the problem that you're seeing, although I still don't understand how you're using IKE/IPSEC in the first place.  

 

Ok, so, this is a little bit of homework.  As I indicated earlier, there doesn’t appear to be a single magic bullet that will solve the problem.  One item that does come to mind is to call NordVPN tech support and ask the Customer Service Rep if AES-NI is already running in their OpenVPN client, and if not, what has to be done to enable AES-NI.  I haven’t found any specific info for it, so, maybe the support is built in.  If you do have to enable it, you might not find any difference in throughput rates if all of their North American servers are running very slow.  It’s entirely possible that you could put a great deal of effort into this and not get anywhere due to their server throughput rates.  Only way to determine that is to try different servers, or possibly even a different VPN provider. 

 

What setting are you using for the encryption?  AES-128-CBC, AES-192-CBC or AES-256-CBC?

 

 

 

 

 

 



Thanks, This is helpful.

I've Been Around
Posts: 1

Re: horrible speeds over VPN

I am a rogers internet customer with an Ignite 150 plan using the Hitron/CODA gateway (modem/router)

I bought a router that has the ability be a VPN client. I initially set-up this router on a Bell network and preformed speed tests for various configurations (wired, wired w/VPN, wireless, wireless/w/out/VPN). Please take my word for it that the speeds differences were greater than any reasonably acceptable differences. 

My Hitron/CODA has the residential gateway turned off, so I assume the Hitron/CODA is acting solely as a modem. 

 

1) Can this discrepancy be explained by Rogers? (e.g. is throttling of VPN traffic a thing?)

2) Is there anything Rogers can do from their end? (ISP side of the modem)

3) Does Rogers have another modem option that treats VPN traffic more efficiently? 

 

Any other insights would be greatly appreciated. 

Resident Expert
Resident Expert
Posts: 13,949

Re: horrible speeds over VPN

VPN data shouldnt be throttled.. that being said i have never got full speeds on mine.. BUT there is a lot of things into that as to possibly why as well.

Just to make sure, your router is connecting to a VPN itself?  So then all traffic through the router, is then VPNd, etc?

The questions I have, are what and where is the VPN connecting to?  What address, and where is that located?
As that can make all the difference in the world as well.

For example, without it.. do a speed test to one of the closer test points to yourself.. then start choosing ones farther away.  The results will drop, as the distance can make quite a difference.
If the VPN endpoint that your connecting to is further away.. could make a difference.

That being said.. could be some routing stuff too.  The route to that VPN location, could be taking a different, less efficient route than say bell has?

Thoughts @Datalink 



Resident Expert
Resident Expert
Posts: 6,149

Re: horrible speeds over VPN

All of the above plus:

 

1. What protocol is the VPN using, UDP or TCP/IP?  

2.  What VPN is it (for future reference purposes)

3.  Please confirm that you have the white Hitron CODA-4582.  I thought that the modem was only being used for 500 Mb/s service and above these days, unless you were assigned the modem when the requirement was an unlimited plan, no matter what data rate was being used.  

 

Just to note, the Intel Puma chipset has issues with certain protocols.  Much of this dates back to the previous black Hitron CGN3xxxx (Intel Puma 6) models, and most likely predates that, back to the original Texas Instruments Puma 5 chipset (2008).  Intel bought the Puma modem line from Texas Instruments in 2010.  From the Rogers firmware update list comes the following note at the bottom of the post:

 

  • Non TCP/UDP/ICMP traffic (such as ESP/IPSec without NAT-T) is slowed down below 25 Mbps

So, Encapsulating Security Payloads, more specifically IPSEC has been seen to run slow on the previous CGN3xxx modems.  That hasn't been so much of an issue with the CODA-4582, most likely due to the lack of users with the 4582 who are actually attempting to run a VPN.  There is a fix slated for release at some point which will address the ESP/IPSEC issue, but, I don't know when that will be release.  I'd hope to see it in the next release but, who knows?  The additional question here is, are there firmware problems with any other VPN protocols?  It would be nice to see a list published by Intel that would provide that, but, that's dreaming in technicolor.  Intel will never publish a list that provides those details, so, the end customer continues to suffer with poor VPN performance. 

 

In addition to checking other ingress points with your VPN company, look at the protocol that happens to be in use and look at the encryption level as well.  If you have a choice of protocols, select the other protocols for test purposes to see if that makes a positive change.  If you can drop the encryption level and still meet your security goals, that might result in a higher data rate.  

 

My personal thoughts are that the original firmware design in 2008 limited the VPN data rates for some reason that was determined by a firmware engineer at that point in time.  Those limitations were probably carried forward into Intel's version of the modem which were the follow-up Puma 6 CGN3xxxx and then the Puma 7 4582 and others.  Don't know why Intel hasn't picked up on the growing trend of VPN use, which has been on the uptick now for several years, and addressed the issue for all protocols used by VPNs.  Faster processors used in the Puma 7 line does somewhat address this, but, the firmware limitations, if that is the problem, also have to be addressed. That's not a case of throttling, but, simply a default data rate that may have been selected a very long time ago for use by certain protocols, or, in the event that the modem ran into a protocol that wasn't on its list of "if you see this protocol, then use this data rate xxx Mb/s".  That default data rate might have made sense in 2008, but, it doesn't make sense anymore, given the processing capability that is available for VPN use these days. 

 

Out of curiosity, what router do you currently have, and, does it have hardware support for Intel's AES-NI, which is used for encryption.

 

Please let us know what you find. 

 

Edit:  what are your normal (non-VPN) data rates like?  Are you getting 150 Mb/s down / 15 Mb/s up?



Highlighted
I Plan to Stick Around
Posts: 16

Re: horrible speeds over VPN

I dont see the TC4400 as available on rogers through EBOX. sad face