Slow Softether Bridge

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
cousinhub
Posts: 6
Joined: Mon Jan 07, 2019 10:55 pm

Slow Softether Bridge

Post by cousinhub » Thu Jan 27, 2022 8:59 am

Hi,
I have an installation with a Softether VPN bridge between 2 different sites both on Fiber connection with speed around 800Mbps upload 500Mbps download. Both are recent compilations of latest 4.38.
Office :
Softether VPN Server installed on a old DLINK DNS320 (with Alt-F 1.0 Firmware) with one Ethernet adapter 1000Mbps , Virtual Hubs Office and Home both with local bridges bind to tap adapters. Linux bridge is established with Eth0 , tap_office and tap_home and IP assigned to the bridge.
Layer 3 Swith betwwen the 2 Virtual bridge
Home :
Softether VPN Bridge installed on a old Synology DS213 with one Ethernet adapter (Eth0) 1000Mbps and USB to Ethernet adapter (Eth1) 1000Mbps , Virtual Hub Home with local bridge bind to Eth1. Cascade
No secure NAT
If I connect with VPN Client to VPN server with the bridge down. I can download from Office to Home at around 14 Mbps.
If I connect VPN Bridge to VPN server. I can download from Office to Home at around 8-9 Mbps and download from Home to Office at around 2.8 Mbps.
I found theses speed incredibly low especially from Home to Office
I have tried nearly all setting (Disable UDP acceleration, increase or decrease number of TCP connections, Half Duplex or not) with more or less always the same results.
I am at lost to understand. Am I missing something ?
Any help will be highly appreciated.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Slow Softether Bridge

Post by eddiewu » Thu Jan 27, 2022 11:46 am

VPN is very CPU-intensive. Use a desktop CPU for any serious setup.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Slow Softether Bridge

Post by solo » Thu Jan 27, 2022 11:49 am

What's the direct LAN (non-VPN) throughput of DLINK DNS320 with Alt-F 1.0 Firmware? It may be abysmal.

While SecureNAT is generally slower, try it instead of the tap/bridge config.

cousinhub
Posts: 6
Joined: Mon Jan 07, 2019 10:55 pm

Re: Slow Softether Bridge

Post by cousinhub » Thu Jan 27, 2022 12:31 pm

eddiewu wrote:
Thu Jan 27, 2022 11:46 am
VPN is very CPU-intensive. Use a desktop CPU for any serious setup.
On the Office side : CPU is around 60-70% all the time (When I do big transfer) and on the Home side which is I believe the one posing more problems around 20-30%.
Should not it be 100% if the CPU was blocking anything ?

cousinhub
Posts: 6
Joined: Mon Jan 07, 2019 10:55 pm

Re: Slow Softether Bridge

Post by cousinhub » Thu Jan 27, 2022 12:43 pm

solo wrote:
Thu Jan 27, 2022 11:49 am
What's the direct LAN (non-VPN) throughput of DLINK DNS320 with Alt-F 1.0 Firmware? It may be abysmal.
No it is fairly normal around 100Mbps which are the values I expect with the load I have on this server.
solo wrote:
Thu Jan 27, 2022 11:49 am
While SecureNAT is generally slower, try it instead of the tap/bridge config.
I need to try but will I be able to access the server from remote VPN ?

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Slow Softether Bridge

Post by eddiewu » Thu Jan 27, 2022 3:16 pm

You won't get 100% utilization because it's not pure calculation work. 60-70% is already overwhelming.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Slow Softether Bridge

Post by solo » Thu Jan 27, 2022 10:21 pm

cousinhub wrote:
Thu Jan 27, 2022 12:43 pm
solo wrote:
Thu Jan 27, 2022 11:49 am
While SecureNAT is generally slower, try it instead of the tap/bridge config.
I need to try but will I be able to access the server from remote VPN ?
It works for me, read viewtopic.php?t=66601#p92701

As for performance, there are mixed reports, here is a promising one viewtopic.php?t=5364#p14395
In latest version of SoftEther, SecureNAT is faster than tap in Linux.

cousinhub
Posts: 6
Joined: Mon Jan 07, 2019 10:55 pm

Re: Slow Softether Bridge

Post by cousinhub » Mon Feb 07, 2022 7:26 am

Hi,
I took a bit of time this weekend to make it work with SecureNat and even with everything looking alright. no ping, no communication.
I am quite sure how it should work with VPNbridge.
One good news, on my Synology (VPNBridge side), I do not not how it happened but I had the Ethernet MTU fixed to 1968, I put it back to 1500 and now at least even if it is not fast I am not anymore restricted to 350Kbs on Bridge to Server , I sometimes have up to 700-800Kbs. Not fast but a little better.
Also I have managed to use Tap interface on the Synology because my Wifi did not like at all the USB-Ethernet dongle (The Synology is very close to the router-box) and I suspected the proprietary Linux of DSM (Synology) not to like it very much either, even If had been able to compile the drivers for it.

But I would still like to make it work with SecureNat. Can anyone help ? I did not find enough info in the docs (probably my fault).
These are my settings :

VPN Bridge side
Only one port open and forwarded for Softether on the router-box and listening on the VPNBridge software 19xxx
DHCP enabled on the router-box but addresss fixed set up on the Synology 192.168.6.202
Router on 192.168.6.1 (Route added 192.168.5.0 to 192.168.6.128)
Localbrige from VirtualHub BRIDGE to tap interface home
Cascase connection from VirtualHub BRIDGE to VirtualHub home on VPNServer
Linux bridge added and linked with both eth0 and tap_home, address deleted and transferred from eth0 to linux bridge (with gateway) 5 minutes after VPNbridge startup. (5 minutes to make sure Synology DSM had finished all hits work and does not interfere)

VPN server side
Only one port open and forwarded for Softether on the router-box and listening on the VPNServer software 19xxx
DHCP disabled on the router-box and addresss fixed set up on the DNS320 192.168.5.202
Router on 192.168.5.1 (Route added 192.168.6.0 to 192.168.5.128)
Localbrige from VirtualHub Home to tap interface home (Only VPNBridge connect to this VirtualHub)
Localbrige from VirtualHub Office to tap interface office (3 rented servers to a provider permanently connected to this VirtualHub with VPNClient + myself when I am working away)
Layer 3 switch between VirtualHubs Home and Office with adresses 192.168.6.128/24 and 192.168.5.128/24
Linux bridge added and linked with eth0 and tap_home and tap_office, address 192.168.5.202 deleted from eth0 and address 192.168.5.201 added to bridge (with gateway) 30 seconds after VPNserver startup.

From there how should I use SecureNat ?
Should I use it on both sides and all Virtual Hubs ?
I think I should also delete all Local Bridges , correct ?
What address plans should I use for the (1,2 or 3) secureNats ?
Should I use Virtual DHCP server or not ?

Thank you really for any help.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Slow Softether Bridge

Post by solo » Mon Feb 07, 2022 9:40 am

cousinhub wrote:
Mon Feb 07, 2022 7:26 am
From there how should I use SecureNat ?
...I think I should also delete all Local Bridges , correct ?
Yes, that's why SNAT is not working. SNAT and bridge are mutually exclusive. Do a speed test on the following, simplified topology:

- on DNS320 add a temporary 'test' vhub
- enable SNAT on the hub with this preset viewtopic.php?t=66601#p92701
- install SE client on another PC
- from the client connect to the 'test' hub and check net throughput to a LAN IP behind the SNAT

If SNAT's speed is indeed better than TAP in the context of your hardware/firmware then you can redesign the rest of your setup.

cousinhub
Posts: 6
Joined: Mon Jan 07, 2019 10:55 pm

Re: Slow Softether Bridge

Post by cousinhub » Mon Feb 07, 2022 1:43 pm

Thanks for the answer.
I, of course, tried deleting the local bridge with no success. It was not the reason it was not working.
I have no problem of speed when I use a client connected to VPNServer (for example my Internet servers) so I do not need do the test you suggested.
I have only problem of speed through the bridge and especially from VPNbridge to VPNServer.
What I really need are instructions on how to use SecureNat in Layer 3 Lan-to-Lan with VPNBridge and VPNServer.
But is it really possible ?
I begin to think that I have to live with that speed if I want to carry on with Softether.

cousinhub
Posts: 6
Joined: Mon Jan 07, 2019 10:55 pm

Re: Slow Softether Bridge

Post by cousinhub » Sat Feb 12, 2022 4:41 am

Just to come back one last time on the subject.
I finally decided to compile and implement an OpenVpn tunnel link between the 2 same machines (took me while but got it working this morning).
Result : the OpenVPN tunnel is 5 times faster than Softether Bridge technology.
Now, I agree with eddiewu , I am going to be limited to that kind of speed by the hardware
But there is something wrong in Softether Layer 3 lan to lan bridge. The limitation to 350kbs between Bridge and Server is not normal. And I am pretty sure that is software related because the speed never decrease or increase always flat which to my experience never happens on a network link.

Post Reply