VPN keeps running slow for user on one computer, but not on another

Got a problem with Viscosity or need help? Ask here!

KStroSec

Posts: 9
Joined: Wed Jul 17, 2019 2:23 am

Post by KStroSec » Wed Nov 30, 2022 5:40 am
We have a user in our company who is having issues with Viscosity VPN on their computer. The odd thing is that it works fine on their older computer, but not on the 2 newer replacement computers that we have sent out to them. Everything works fine when not using the VPN.

The user spoke with their ISP and were told that there is no issue on the ISPs end, of course. They use fiber internet.

It has been tested on both wifi and ethernet, same thing occurs on both.

the main differences that i can think of regarding the newer vs. older computer is that the newer one of course uses different hardware, and the newer one uses windows 11 and therefore uses the windows 11 viscosity driver.

However, we have plenty of other users, including myself, using the same model of computer with same version of windows and no issues at all. This would lead me to believe something is occurring in relation to their ISP possibly, but I can only assume it might then be related to the windows 11 viscosity driver in connection with their ISP. I say this, because, as mentioned above, the windows 10 machine using the windows 10 viscosity driver is not suffering the same issues.

Does this sound right? any suggestions on what can be tried? Also, any other ideas if this is incorrect?

Windows 11
Viscosity 1.10.3 (1763)

Aaron

Posts: 5
Joined: Wed Nov 30, 2022 2:53 pm

Post by Aaron » Wed Nov 30, 2022 3:18 pm
Hi,

Slowness can be caused by a number of issues. It could be a problem with the user's internet connection, it could be a problem with the user's router, or it could be caused by software installed on the user's machine. It could also be a problem with the OpenVPN server, but it sounds like you may have ruled that out if it's working for other users. Viscosity on Windows 11 should run at full performance without any problem.

I first recommend checking what other software is on the user's computer. Many security tools, in particular antivirus and security software will attempt to intercept network traffic (as part of filtering or security checking) which can often cause poor performance. In particular, many of these tools often come with VPN services, and may be tunnelling traffic through a third party provider, which will also cause performance problems. If this is a new computer, it often comes with "bloatware" that may be doing this without the user's knowledge. You'll want to find out what other software the user is running and try temporarily uninstalling it to see whether the slowness persists.

Routers can also be a source of VPN slowness if configured incorrectly (or if they are having issues). If possible try and bypass the router (such as having the user tether their computer to their phone) and see if the slowness persists.

MTU issues can also cause slowness, or access to resources timing out. Normally if the MTU is set too large for the user's internet connection their router/modem/computer should fragment the packets, however if MTU path discovery is broken for the user's connection (for example they have firewalled out ICMP packets) then this may not be happening, which can cause packet loss. This typically results in symptoms like extreme slowness, and access to web pages and resources timing out. If you suspect a MTU issue, try lowering the MTU for the VPN connection to something fairly safe (1380 is a common value) and see if the slowness persists.

Most ISPs will not attempt to filter or throttle VPN traffic, but some do. If you suspect this could be the case, you can try using a different port number, switching protocol, or have the user try connecting to a different OpenVPN server, and see whether the same slowness exists.

Finally, also keep in mind that while some users may have a fast internet connection, they could be attempting to use it over a flaky wifi connection. In particular, if they're using a new computer by an old wireless AP, there could be compatibility issues at play. I recommend having the user plug their computer in via a network cable as a test as well.

Regards,
Aaron
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

KStroSec

Posts: 9
Joined: Wed Jul 17, 2019 2:23 am

Post by KStroSec » Thu Dec 01, 2022 2:35 am
The users system is setup the same as everyone else in the company, and we remove those bloat apps from the computer before sending them to the user. Theirs was pretty bare bones compared to developers and some other users in our environment.

We already tried both wifi and ethernet

I did have the user try a public wifi at their local starbucks, it seemed to not have similar issues.

I do think it is something to do with their router or modem. But of course their isp said there wasnt anything that should be causing a problem, so I suppose I will have to get them to push on their isp xD.

Thanks,

Would I use this?

tun-mtu
Syntax: tun-mtu n

Take the TUN device MTU to be n and derive the link MTU from it (default=1500). In most cases, you will probably want to leave this parameter set to its default value.

The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. OpenVPN requires that packets on the control or data channels be sent unfragmented.

MTU problems often manifest themselves as connections which hang during periods of active usage.

It's best to use the fragment and/or mssfix options to deal with MTU sizing issues.

Therefore, one could lower the maximum UDP packet size to 1300 (a good first try for solving MTU-related connection problems) with the following options:

tun-mtu 1500 --fragment 1380 --mssfix

Aaron

Posts: 5
Joined: Wed Nov 30, 2022 2:53 pm

Post by Aaron » Fri Dec 02, 2022 12:12 pm
Hi,
Would I use this?
Yes, you can find the corresponding option in the Viscosity editor:
https://www.sparklabs.com/support/kb/ar ... networking

This will only impact outgoing packets from the person's computer (which may be enough, the ISP should be fragmenting incoming packets if there is a low MTU on the internet connection). Otherwise the option will need to be set on the server's end as well. But just try client side first and see how it goes.

Regards,
Aaron
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

KStroSec

Posts: 9
Joined: Wed Jul 17, 2019 2:23 am

Post by KStroSec » Tue Dec 06, 2022 10:01 am
Ok, thanks, tried adjusting the tun-mtu and the fragment options to no avail. gonna have them try getting another router to see if that helps.
5 posts Page 1 of 1