I have a VPN setup between a remote office with 2 ADSL connections (8Mb downstream, 512Kb upstream) and a main office with a 10Mb EFM connection (10Mb both up and down).
The VPN is an IPSec connection using a DrayTek 2930 router for the ADSL and a DrayTek 3200 router at the EFM end. However, I'm unable to get speeds over this connection (tested with iperf) of anything over 600Kb or so down from the main office (traffic will pretty much always be from the main office to the remote office)
Whilst I realise that there is an overhead and I'm never going to get the "full" bandwidth available over this VPN, I'd like to think that there's something I should be looking at that may help improve it.
I've tried using the DrayTek's built-in "VPN Trunking" features which are supposed to load-balance connections, but this doesn't seem to improve matters much.
I guess my question is – is this the kind of performance I should expect from this kind of setup and I'll just have to live with it, or should I be able to squeeze something more out of it through some VPN magic?
Best Answer
The problem is many cheaper routers with VPN server/clients cannot actually use the VPN functionality at wire speed (or even at full WAN speed).
I used to administer an organisation where the head office had a Draytek Vigor 2950 at head office originally connected to a 2Mb service which we upgraded to 50Mb. It typically had 10-15 remote sites connecting using Draytek Vigor 2800/2820's.
When we upgraded to 50Mb, we found sites we still unable to use more than around 2Mb of VPN bandwidth. I used my home pc as a VPN client to connect using a 10Mb connection and still saw similar results.
Then I replaced the head office 2950 with a pfSense router with 2 x Xeon p4's and suddenly found much more VPN bandwidth - redoing the same test with my home pc suddenly yielded pretty much near the full 10 Mb of bandwidth available to me to test with.
I intended to then test the 2950 with some 2800/2820's on the bench but with the improvement I saw once the 2950 was replaced with a pfSense I saw no point in persisting to use the 2950. The site 28*0's saw some speed increase but the sites with faster (over 10Mb) connections still could not make full use - I suspect due to limitations with the 28*0.
After doing a little more investigation I discovered a command to benchmark my pfSense router from the command line which showed the encryption throuughput would vary massively on packet size. I suspect the claimed 90Mb VPN throughput of the 2950 was using massive packets never to be seen in the real world although to be fair Draytek are not the only vendor guilty of such practises. If you can change your packet sizes with iperf I wouldn't be surprised if you can see differences.
Once you've considered whether your devices are powerful enough to sustain a VPN tunnel at speeds you hope for, the next step would be to consider WAN optimisation devices if your budget allows. There are devices made by the likes of Riverbed Technologies and Cisco that make efforts to reduce actual traffic sent over the VPN while causing no apparent difference at either end.
Also with your Drayteks you can try and enable vj compression to see if this helps.