Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Optimal MTU for Internet VPN

[JonathanP]

Hi,

I am running a linux - Centos 5.4 server with PPTPd.
Users are able to connect to my server and surf the web.
However download speed are very slow (0.5MB on a 5MB line).
The server has a 1Gig connection to the internet sop bandwidth is not an issue.

I was wondering what may be the reason for this and came to think of MTU size.
So what is the optimal MTU size for a pptp vpn?
Or is there any other possible causes for severe speed degradation?

I'm attaching current server configurations:
/etc/ppp/options.pptpd:

Code:

mtu 1428
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
noproxyarp
nobsdcomp
novj
novjccomp
nologfd
asyncmap 0
crtscts

/etc/ppp/ip-up.local:

Code:

/sbin/ip l s $1 mtu 1476
/sbin/ip l s $1 multicast off
/sbin/ip l s $1 allmulticast off

iptables -L -t filter:

Code:

[root@30134 ~]# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pptp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Please help!
Thanks,
J.

[zzhosting]

Hi

Whats the output from mii-tool or ethtool eth0 (or which ever interface connects to the internet)

and the two locations ie server and person downloading, where are they ?

It maybe that the server is connected at Gige but the route in between maybe so bad that the max speed is only as good as those poor routes.

Also has it always been this way ? or just recently maybe after an upgrade.

Thanks

[eth00]

A larger MTU is good for large files and fast speeds. It sounds like your users are probably on slower connections so you will be better off with a lower MTU. As far as the optimal, I don't know, you could try a few different ones and see if it helps.

You may also look at the sysctl.conf and changing the buffers.

It may also be something with which you can do little about if the users are far away it may just be a limit of the ISPs between. Even if it didn't happen after an upgrade if its one specific group of users it might have been a route changed to a less optimal one for your situation.

[xnpu]

tcpdump will tell you if the MTU is indeed the problem or not. (Look for the F or fragmentation flag.)

Also check with your users that they are using their PC to connect to the VPN, not a WiFi router. Most home/soho routers lack the CPU power to do encryption at high speeds.

BTW, why did you turn off compression?

[JonathanP]

Quote:

Originally Posted by eth00

A larger MTU is good for large files and fast speeds. It sounds like your users are probably on slower connections so you will be better off with a lower MTU. As far as the optimal, I don't know, you could try a few different ones and see if it helps.

You may also look at the sysctl.conf and changing the buffers.

It may also be something with which you can do little about if the users are far away it may just be a limit of the ISPs between. Even if it didn't happen after an upgrade if its one specific group of users it might have been a route changed to a less optimal one for your situation.

1. I'm actually not sure its an MTU issue. I'm just guessing.
2. I have increased the buffers and the window sizes.
3. The ISPs are fine. I am able to download a file from the same server (the one that is used for the VPN) with fast speeds. while Via VPN it reaches around 10% of the orig. speed.

[JonathanP]

Quote:

Originally Posted by zzhosting

Hi

Whats the output from mii-tool or ethtool eth0 (or which ever interface connects to the internet)

and the two locations ie server and person downloading, where are they ?

It maybe that the server is connected at Gige but the route in between maybe so bad that the max speed is only as good as those poor routes.

Also has it always been this way ? or just recently maybe after an upgrade.

Thanks

[root@atlanta ~]# ethtool eth0
Settings for eth0:
Link detected: yes

- The server is in the US and the clients are all over the world.
- The speed is considerably lower then the route speed between clients and server. Windows clients consistently get speeds around 10% of their connection. Linux clients are doing better.

This happened after a reboot. But no upgrades. Before reboot all worked great.

[JonathanP]

Quote:

Originally Posted by xnpu

tcpdump will tell you if the MTU is indeed the problem or not. (Look for the F or fragmentation flag.)

Also check with your users that they are using their PC to connect to the VPN, not a WiFi router. Most home/soho routers lack the CPU power to do encryption at high speeds.

BTW, why did you turn off compression?

I'm looking at tcpdump captures with wireshark, there are no F flags (the MTU is lower then 1400-Len(GRE)).

Regarding compression - i was under the impression that it needs a special kernel module or something of that sort. Am I wrong?