SSTP vs L2TP performance

Hi all,

I have the latest rolling release of VyOS running as both an SSTP and L2TP VPN endpoint. On the other side of the VPN I have a fileserver. When connected via L2TP, I can get 6-8MB/sec download speeds on file transfer; with SSTP it's like 1-1.5MB/sec.

Everything else is the same, ISP/internet etc, network layout.

Is this to be expected?

I love SSTP + certbot, it's an amazing VPN stack, given it's so much more reliable than L2TP (and forever free certs), but this is a huge performance difference :frowning:

Hello @kav, yes, this is a known issue with SSTP and big RTT (round-trip time). As an alternative you can try anyconnect implementation. https://phabricator.vyos.net/T2810
Note: If you want I can build accel-ppp package with some improvements for you.

hey @Dmitry, thanks, will check out anyconnect. Had not heard of that before, will see how that goes and report back! I'm running these as VMs in AWS and noticed the instance type also makes a difference to performance.

Just googled accel-ppp, looks interesting, does that offer even better performance? Assume it does not come with built-in VyOS CLI support?

PS: the RTT is only 20ms in this testing scenario.

Hello @kav, VyOS utilizes accel-ppp as the SSTP daemon. The latest accel-ppp master branch added a couple of improvements, but first these things need detailed testing. Do you want to test?

Ah interesting, didn't know that.

Yes I would be happy to test! I have both a test instance and a production instance I can use for testing SSTP :slight_smile:

PS: this anyconnect setup, is this Cisco anyconnect requiring their client software?! Or else how is the client side configured?

Hello @kav, you can use Cisco anyconnect client or openconnect client https://www.infradead.org/openconnect/

Accel-ppp:
Upload the package to your router and install it:

wget http://vyos.ml/accel-ppp.deb
sudo dpkg -i accel-ppp.deb

Then you need to reconfigure SSTP or just reboot the router.

ah OK, trying to avoid third party client software and sticking with in-built Win10 VPN client.

Just updated/installed the package you provided for accel-ppp. Works well; immediately I can see SMB transfers are much more stable.

I can get 2-2.5MB/sec consistently on download and 1.5-2MB/sec on upload. Previously, especially on upload it would fluctuate wildly.

This is using t3 instances on AWS by the way which have enhanced networking. When I used t2, there seemed to be an issue with uploading SMB traffic - it would just get stuck.

Will keep testing and if all good will roll out to production for real users to try, thanks!

Hi @kav, I’m glad to hear this. Please tell me if your tests pass successfully and we will update accel-ppp in the rolling version.

Ok, I’m deploying this to one production site tonight. Will give that 2-3 days to run and will report back.

In my test environment though download performance is much improved… but that could be contention related.

@Dmitry, is accel-ppp also used for L2TP?

Hi @kav, yes. It is used on 1.3 rolling releases.

hmmm SSTP was fine during testing but L2TP actually had intermittent issues.

Starting an SMB transfer over the VPN would sometimes fail to initiate, then it would seem to stop moving any traffic at all, the gateway on the other side is not reachable etc. Reconnecting seemed to fix it.

You need to check the logs. I know that people often forget to change MTU/MSS, because IPsec and tunnel headers decrease the payload.

Hi @Dmitry, yeah I did not have that setup. I set an mss of ‘1420’ on the IPSEC dummy interface, but the issue on L2TP still seems there. Once logged in, I did an SMB transfer, about a minute later all traffic stops flowing.

Is there an ideal MSS number? Tried using some online calculators for it but didn't get far…

SSTP has been running great in production however.

Hello @kav, can you try manually adding an iptables rule and deleting the rules from the CLI?

delete firewall options interface dum0
commit
sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

If some issues happen, remove this rule with the following command:

sudo iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
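The following is an added illustration of what the TCPMSS rule above does and why the MTU/MSS budget matters for tunnelled traffic; it is example code, not VyOS's or accel-ppp's own. It builds a constructed SYN segment, rewrites its MSS option down to a limit and recomputes the TCP checksum, the same adjustment the iptables rule applies to forwarded SYNs. Assumptions: the sample addresses and ports, the `build_syn` helper, and the `tunnel_overhead` figure passed to `mss_for_path_mtu` (the real per-packet cost depends on the ESP cipher and L2TP/PPP options, which are not modelled here). The real rule derives its limit from the outgoing interface's path MTU, whereas here the limit is passed in explicitly.

```python
# Added example (not VyOS or accel-ppp code): what an MSS clamp on a SYN does,
# and how an MSS figure follows from a path MTU and a tunnel's header overhead.
import socket
import struct

IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options
MSS_KIND = 2           # TCP option kind: Maximum Segment Size
SYN, RST, ACK = 0x02, 0x04, 0x10


def mss_for_path_mtu(path_mtu: int, tunnel_overhead: int = 0) -> int:
    """Largest MSS whose segment (plus IP/TCP headers and the tunnel's
    per-packet encapsulation) still fits in path_mtu. tunnel_overhead is an
    assumed input supplied by the caller."""
    return path_mtu - tunnel_overhead - IPV4_HDR - TCP_HDR


def _internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus segment. Over a segment
    that already carries a correct checksum the result is 0."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return _internet_checksum(pseudo + segment)


def _options(segment: bytes):
    """Yield (offset, kind, length) for each TCP option in the header."""
    data_off = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < data_off:
        kind = segment[i]
        if kind == 0:                  # End of option list
            return
        if kind == 1:                  # NOP is a single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                 # malformed: stop instead of looping
            return
        yield i, kind, length
        i += length


def read_mss(segment: bytes):
    """MSS advertised in the segment's options, or None if absent."""
    for off, kind, length in _options(segment):
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_syn_mss(src_ip: str, dst_ip: str, segment: bytes, mss_limit: int) -> bytes:
    """Lower the MSS option of a SYN (SYN set, RST clear, as the iptables match
    '--tcp-flags SYN,RST SYN' selects) to mss_limit and refresh the checksum.
    Anything else, including a SYN with no MSS option, passes through unchanged
    (the kernel target would insert an option there; this example does not)."""
    flags = segment[13]
    if not (flags & SYN) or (flags & RST):
        return segment
    buf = bytearray(segment)
    for off, kind, length in _options(segment):
        if kind == MSS_KIND and length == 4:
            current = struct.unpack("!H", segment[off + 2:off + 4])[0]
            if current <= mss_limit:
                return segment           # already small enough
            buf[off + 2:off + 4] = struct.pack("!H", mss_limit)
            break
    else:
        return segment                   # no MSS option present
    buf[16:18] = b"\x00\x00"             # zero the field before recomputing
    buf[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(buf)))
    return bytes(buf)


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              mss: int, flags: int = SYN) -> bytes:
    """Constructed sample segment: 20-byte header plus 8 bytes of options
    (MSS, NOP, NOP, SACK-permitted), with a valid checksum."""
    options = (struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x01"
               + struct.pack("!BB", 4, 2))
    data_off = (TCP_HDR + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                         data_off << 4, flags, 65535, 0, 0)
    seg = bytearray(header + options)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    # Constructed addresses; 80-byte tunnel overhead is an assumed demo value.
    src, dst = "10.0.0.1", "10.0.0.2"
    limit = mss_for_path_mtu(1500, tunnel_overhead=80)
    syn = build_syn(src, dst, 50000, 445, 1460)
    print("limit", limit, "before", read_mss(syn),
          "after", read_mss(clamp_syn_mss(src, dst, syn, limit)))
```

Running the script clamps a 1460-byte MSS down to the 1380 that an assumed 80-byte overhead leaves on a 1500-byte path, which is the kind of adjustment that stops large SMB segments from being silently dropped inside the tunnel once ICMP-based path MTU discovery fails.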

hi @Dmitry,

Noticed you are a major contributor to accel-ppp :slight_smile:

Has the latest rolling release of VyOS got the latest version of accel-ppp? I checked their versions and they seem to match (1.12.0-95) but they have different build numbers.

PS: didn't get a chance to test L2TP with those iptables changes you mentioned; the client has mostly transitioned to SSTP. I’ll see if I can do some testing myself.

Hi @kav,

The accel-ppp package is updated on VyOS when a CVE is found or required features are implemented.