  1. #1

    Optimal MTU for Internet VPN

    Hi,

    I am running a Linux (CentOS 5.4) server with PPTPd.
    Users are able to connect to my server and surf the web.
    However, download speeds are very slow (0.5MB on a 5MB line).
    The server has a 1Gig connection to the internet, so bandwidth is not an issue.

    I was wondering what may be the reason for this and came to think of MTU size.
    So what is the optimal MTU size for a PPTP VPN?
    Or are there any other possible causes for severe speed degradation?

    I'm attaching current server configurations:
    /etc/ppp/options.pptpd:
    Code:
    mtu 1428
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    ms-dns 8.8.8.8
    noproxyarp
    nobsdcomp
    novj
    novjccomp
    nologfd
    asyncmap 0
    crtscts
    /etc/ppp/ip-up.local:
    Code:
    /sbin/ip l s $1 mtu 1476
    /sbin/ip l s $1 multicast off
    /sbin/ip l s $1 allmulticast off
    iptables -L -t filter:
    Code:
    [root@30134 ~]# iptables -L -t filter
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pptp
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    Please help!
    Thanks,
    J.

  2. #2
    Hi

    What's the output from mii-tool or ethtool eth0 (or whichever interface connects to the internet)?

    And the two locations, i.e. server and person downloading, where are they?

    It may be that the server is connected at GigE but the route in between may be so bad that the max speed is only as good as those poor routes.

    Also, has it always been this way? Or just recently, maybe after an upgrade?

    Thanks

  3. #3
    A larger MTU is good for large files and fast speeds. It sounds like your users are probably on slower connections, so you will be better off with a lower MTU. As far as the optimal, I don't know; you could try a few different ones and see if it helps.

    You may also look at the sysctl.conf and changing the buffers.

    It may also be something you can do little about: if the users are far away, it may just be a limit of the ISPs in between. Even if it didn't happen after an upgrade, if it's one specific group of users, it might have been a route changed to a less optimal one for your situation.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  4. #4
    tcpdump will tell you if the MTU is indeed the problem or not. (Look for the F or fragmentation flag.)

    Also check with your users that they are using their PC to connect to the VPN, not a WiFi router. Most home/soho routers lack the CPU power to do encryption at high speeds.

    BTW, why did you turn off compression?

  5. #5
    Originally posted by eth00:
    A larger MTU is good for large files and fast speeds. It sounds like your users are probably on slower connections, so you will be better off with a lower MTU. As far as the optimal, I don't know; you could try a few different ones and see if it helps.

    You may also look at the sysctl.conf and changing the buffers.

    It may also be something you can do little about: if the users are far away, it may just be a limit of the ISPs in between. Even if it didn't happen after an upgrade, if it's one specific group of users, it might have been a route changed to a less optimal one for your situation.

    1. I'm actually not sure it's an MTU issue. I'm just guessing.
    2. I have increased the buffers and the window sizes.
    3. The ISPs are fine. I am able to download a file from the same server (the one that is used for the VPN) with fast speeds, while via VPN it reaches around 10% of the orig. speed.

  6. #6
    Originally posted by zzhosting:
    Hi

    What's the output from mii-tool or ethtool eth0 (or whichever interface connects to the internet)?

    And the two locations, i.e. server and person downloading, where are they?

    It may be that the server is connected at GigE but the route in between may be so bad that the max speed is only as good as those poor routes.

    Also, has it always been this way? Or just recently, maybe after an upgrade?

    Thanks

    [root@atlanta ~]# ethtool eth0
    Settings for eth0:
    Link detected: yes

    - The server is in the US and the clients are all over the world.
    - The speed is considerably lower than the route speed between clients and server. Windows clients consistently get speeds around 10% of their connection. Linux clients are doing better.

    This happened after a reboot. But no upgrades. Before reboot all worked great.

  7. #7
    Originally posted by xnpu:
    tcpdump will tell you if the MTU is indeed the problem or not. (Look for the F or fragmentation flag.)

    Also check with your users that they are using their PC to connect to the VPN, not a WiFi router. Most home/soho routers lack the CPU power to do encryption at high speeds.

    BTW, why did you turn off compression?

    I'm looking at tcpdump captures with wireshark, there are no F flags (the MTU is lower than 1400-Len(GRE)).

    Regarding compression - I was under the impression that it needs a special kernel module or something of that sort. Am I wrong?
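
The fragmentation check discussed in posts #4 and #7, written out as an added example (not code from any poster in the thread). It goes beyond the fragment flag and also picks up ICMP "fragmentation needed" replies, which path MTU discovery and the `TCPMSS clamp to PMTU` rule in post #1 depend on. It assumes raw IPv4 packets with the link-layer header already stripped; the sample packets and helper names are constructed for illustration.

```python
import struct

GRE, ICMP = 47, 1  # IP protocol numbers; PPTP carries user data in GRE

def inspect_ipv4(pkt: bytes) -> dict:
    """Return the fragmentation-related fields of one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    info = {
        "proto": pkt[9],
        "df": bool(flags_frag & 0x4000),      # Don't Fragment bit
        "mf": bool(flags_frag & 0x2000),      # More Fragments bit
        "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset in bytes
        "next_hop_mtu": None,
    }
    info["fragment"] = info["mf"] or info["offset"] > 0
    body = pkt[ihl:]
    # ICMP type 3 code 4 = "fragmentation needed" (RFC 1191); MTU is in bytes 6-7
    if (info["proto"] == ICMP and not info["fragment"]
            and len(body) >= 8 and body[0] == 3 and body[1] == 4):
        info["next_hop_mtu"] = struct.unpack("!H", body[6:8])[0]
    return info

def summarize(packets) -> dict:
    """Count the signs of an MTU problem across raw IPv4 packets."""
    out = {"gre_fragments": 0, "other_fragments": 0, "frag_needed_mtus": []}
    for pkt in packets:
        i = inspect_ipv4(pkt)
        if i["fragment"]:
            out["gre_fragments" if i["proto"] == GRE else "other_fragments"] += 1
        if i["next_hop_mtu"] is not None:
            out["frag_needed_mtus"].append(i["next_hop_mtu"])
    return out

def make_ip(proto, payload_len, flags_frag, payload=b""):
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    payload = payload.ljust(payload_len, b"\0")
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, proto, 0, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x02") + payload

SAMPLE = [  # constructed packets, not captured from the thread's server
    make_ip(GRE, 1400, 0x4000),  # unfragmented GRE packet with DF set
    make_ip(GRE, 1480, 0x2000),  # first fragment: MF set, offset 0
    make_ip(GRE, 40, 0x00B9),    # last fragment: offset 185 * 8 = 1480
    make_ip(ICMP, 36, 0, b"\x03\x04\x00\x00\x00\x00" + struct.pack("!H", 1400)),
]
print(summarize(SAMPLE))
```

A non-zero `gre_fragments` count means the tunnel packets themselves are being split on the path; entries in `frag_needed_mtus` show the MTU a router on the path is asking for.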
