VPN Slowdowns - Anything I Can Do?

garak0410

We now have 6 people who work out of state. 4 in Texas, 1 in California and 1 in Maryland. They all have domain connected laptops that I pre-configure with our applications before they get them and they connect to our VPN via the build in VPN connector in Windows 10/11. Our VPN is provided by our Windows Server with port forwarding on our ISP provided Vigor firewall.

I understand issues like internet pipes and the "hops" it takes to get back to our office on VPN but we see some significant drops in speed. Some apps that require a lot of file transfers, are almost unusable.

Is there anything I can do on our end to aid in some speed increases? I'm also willing to spend money if we have to on software or a network appliance.

Thanks!

VoIP_n00b

@garak0410 WireGuard

EddieJennings

@garak0410 said in VPN Slowdowns - Anything I Can Do?:

I understand issues like internet pipes and the "hops" it takes to get back to our office on VPN but we see some significant drops in speed. Some apps that require a lot of file transfers, are almost unusable.

Any patterns to the problem? Are all locations affected? Is there a particular time of day when the connection seems slow? These are just a few things to look for when trying to determine causes for the problem.

scottalanmiller

So chances are the VPN isn't the slowdown itself, so moving to a "better" VPN might help, but likely only marginally. The fundamental issue is generally "WAN speed" vs. "LAN speed." There are generally three ways to tackle this depending on exactly what apps you use and how they work.

1. Switch apps to something that doesn't care about WAN speed as much. Sounds trite, but it's what a lot of us have done. It's the best answer at a technical level, the hardest politically. But long term, it's the investment in the future because almost always what you are seeing is exposing legacy components and antiquated systems that could be addressed directly, or just bandaided through a solution below...
2. Encapsulate the apps so that you "view" them remotely instead of doing transfers. Basically you literally stop being "remote" and start "remote controlling." This is most typically done through Windows RDS or VDI solutions (RDS when you can, VDI as a fallback.) This is the most common approach because it is simple, cheap-ish, and well understood. MS makes a killing making this outrageously expensive because they know that these kinds of apps trap customers and customers will pay a lot to not have to update the apps that they use. It is what it is, it's the common answer.
3. WAN acceleration. Sometimes this works magic, sometimes it is useless. Things like Riverbed systems that do tons and tons of high speed network reduction, latency faking, and compression. They use less actual bandwidth while making things seem to move faster. It's a lot of horsepower (and typically cost) but for certain workloads can literally make a night and day difference. For other workloads it can theoretically actually make it worse. So you have to test.

scottalanmiller

It is worth pursuing this thread because this was someone two weeks ago facing this same issue but trying to say that option 2 was the "only" option and that a legacy bandaid should be seen as a modern approach. It's an acceptable bandaid in many cases, but it is a 1998 way of fixing things. Legacy by any IT standard. That doesn't make it wrong or bad, but it is old and exists only to fix layers of the same problems.

https://mangolassi.it/topic/24043/vdi-options-modernization

Dashrender

funny - I was thinking about the second and third options, I hadn't thought about the first.. nice add.

scottalanmiller

@dashrender said in VPN Slowdowns - Anything I Can Do?:

funny - I was thinking about the second and third options, I hadn't thought about the first.. nice add.

Thanks!

1337

@scottalanmiller said in VPN Slowdowns - Anything I Can Do?:

So chances are the VPN isn't the slowdown itself, so moving to a "better" VPN might help, but likely only marginally. The fundamental issue is generally "WAN speed" vs. "LAN speed." There are generally three ways to tackle this depending on exactly what apps you use and how they work.

1. Switch apps to something that doesn't care about WAN speed as much. Sounds trite, but it's what a lot of us have done. It's the best answer at a technical level, the hardest politically. But long term, it's the investment in the future because almost always what you are seeing is exposing legacy components and antiquated systems that could be addressed directly, or just bandaided through a solution below...
2. Encapsulate the apps so that you "view" them remotely instead of doing transfers. Basically you literally stop being "remote" and start "remote controlling." This is most typically done through Windows RDS or VDI solutions (RDS when you can, VDI as a fallback.) This is the most common approach because it is simple, cheap-ish, and well understood. MS makes a killing making this outrageously expensive because they know that these kinds of apps trap customers and customers will pay a lot to not have to update the apps that they use. It is what it is, it's the common answer.
3. WAN acceleration. Sometimes this works magic, sometimes it is useless. Things like Riverbed systems that do tons and tons of high speed network reduction, latency faking, and compression. They use less actual bandwidth while making things seem to move faster. It's a lot of horsepower (and typically cost) but for certain workloads can literally make a night and day difference. For other workloads it can theoretically actually make it worse. So you have to test.

4. Local caching. Working on a local copy of a file that is being synced automatically and often transparently to central storage. Many things falls in this category such as cloud based storage like onedrive but also pure file sync applications.

5. Split tunneling. Don't route internet traffic over your VPN link. It's easy to have this enabled by default without realizing it. You want to make sure only traffic destined for your LAN is routed through the VPN link and the rest goes directly to wherever it has to go.

1337

@garak0410 said in VPN Slowdowns - Anything I Can Do?:

We now have 6 people who work out of state. 4 in Texas, 1 in California and 1 in Maryland. They all have domain connected laptops that I pre-configure with our applications before they get them and they connect to our VPN via the build in VPN connector in Windows 10/11. Our VPN is provided by our Windows Server with port forwarding on our ISP provided Vigor firewall.

I understand issues like internet pipes and the "hops" it takes to get back to our office on VPN but we see some significant drops in speed. Some apps that require a lot of file transfers, are almost unusable.

Is there anything I can do on our end to aid in some speed increases? I'm also willing to spend money if we have to on software or a network appliance.

Thanks!

You should do some basic investigation so you know what you should expect.

For instance:

• What is the speed in/out of your internet link to your VPN server?
• What traffic comes in/goes out over this link besides VPN traffic?
• Do you have any traffic shaping in the firewall?

It's very possible that low priority internet traffic, from clients in the office, is starving your VPN link of bandwidth.