OpenVPN Client with Policy rules = Slow Internet


bmn1

Senior Member
I have OpenVPN client configured per the image attached on an RT-AC86U with Merlin 386.1_2. The router is connecting via PPPoE to an ISP supplied fibre modem/router. The latter has its wifi/DHCP turned off, and the RT-AC86U DMZ'd.

"Force Internet traffic through tunnel"
  1. Set to "Yes" works fine for all clients.
  2. Set to "Policy Rules" or Strict works fine for a desktop connected to the router via a switch and for a laptop connected by 5GHz wifi, but results in delayed loading of websites/content for a television connected directly to the router and for a cellphone connected via either 2.4 or 5GHz wifi. When I say delayed loading I mean, for example, when I try to open a website there is a few seconds of delay before things load, and certain items on the page may experience an additional delay before they pop up. Perhaps relevant, "The Weather Network" app on the television fails to load anything under this configuration (other apps work, with delayed load times from the internet). Doing a speed test on the cellphone using dslreports shows a good bandwidth of 50 down, 30 up.
  3. Both scenarios above are routing through the VPN successfully.
I plan to use policy rules so that certain clients access the WAN directly, and others are routed through the VPN.

I appreciate any insights.

 

eibgrad

Very Senior Member
Page loading issues can be due to improper MTU size. Might try NOT using that directive in custom config. In fact, many of the custom config field entries are either redundant (e.g., tls-client, pull), irrelevant (e.g., remote-random only matters if you specify multiple servers (remote directives)), or occasionally even harmful (e.g., reneg-sec 0). I'm always a bit leery about anything the VPN provider suggests because of this. I suspect this is ExpressVPN given the 'fragment 1300', which I happen to know is required. But that's a rare exception.

But as a rule, I don't usually see a significant difference in performance or page loading between using and NOT using PBR (policy based routing), which seems to be the case here, at least as described.
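
An added example, not part of the original post or of Asuswrt-Merlin: a small Python check that flags the custom-config directives the reply above calls redundant, irrelevant or harmful. The sample config is constructed, `remote_count` is a hypothetical parameter, and treating `tun-mtu`/`link-mtu` as the MTU directive is an assumption because the thread does not name it.

```python
# Constructed sample; the poster's real settings are not given as text.
SAMPLE_CUSTOM_CONFIG = """\
# constructed provider-style extras
tls-client
pull
remote-random
reneg-sec 0
fragment 1300
tun-mtu 1300
"""

REDUNDANT = {"tls-client", "pull"}        # called redundant in the reply
MTU_DIRECTIVES = {"tun-mtu", "link-mtu"}  # assumption: thread names no MTU directive


def parse_directives(text):
    """Yield (line_number, directive, args), skipping blanks and '#'/';' comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        yield lineno, name, args


def lint(custom_config, remote_count=1):
    """Return [(line_number, directive, verdict)] for the custom-config text."""
    # remote_count (hypothetical): servers set outside the custom-config field
    directives = list(parse_directives(custom_config))
    remotes = remote_count + sum(1 for _, name, _ in directives if name == "remote")
    findings = []
    for lineno, name, args in directives:
        if name in REDUNDANT:
            findings.append((lineno, name, "redundant"))
        elif name == "remote-random" and remotes < 2:
            findings.append((lineno, name, "irrelevant: only one remote"))
        elif name == "reneg-sec" and args[:1] == ["0"]:
            # 0 disables time-based renegotiation of the data-channel key
            findings.append((lineno, name, "possibly harmful"))
        elif name in MTU_DIRECTIVES:
            findings.append((lineno, name, "MTU override: test without it"))
        # 'fragment 1300' is left alone: the reply says the provider requires it
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CUSTOM_CONFIG):
        print(*finding, sep="\t")
```
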
 

bmn1

Senior Member
Thank you. I had previously tried MTU 1300 and on your suggestion I tried taking out the line altogether, but neither seems to solve the problem. You are correct - ExpressVPN, and yes, this does seem to be a problem related specifically to using the policy rules as everything works fine without them.
 

eibgrad

Very Senior Member
I would have suggested trying TCP instead, just to see if that made a difference, but last I recall, ExpressVPN didn't support TCP except w/ their client apps.

Still can't imagine how the use or NON use of PBR could make a difference. All PBR does is change the choice of routing tables. Beyond that, everything else is exactly the same.
 

eibgrad

Very Senior Member
What I would do is reboot both the router and the clients having problems. Or at the very least clear the browser cache of those clients. Sometimes the network and/or apps can get into a weird state that can only be corrected using these techniques.

P.S. It wasn't clear to me from your initial post whether the ISP modem+router is in bridge mode, or router mode (thus double NAT'd). Not sure it matters, but at least for clarification.
 

bmn1

Senior Member
Thank you again eibgrad. The ISP modem-router doesn't have a bridge mode. Instead, I turned DHCP and wifi off for the ISP unit, and have the ASUS connect by PPPoE and in DMZ. The ASUS router config sees its WAN IP as the ISP assigned IP (i.e., not a LAN IP from the ISP modem-router).

I've tried several reboots of the routers one before the other and then reversed, restarting the affected clients, forgetting/reconnecting wifi configurations, and using different apps to test the internet -- all without success.

I was previously using a double NAT with my ISP modem-router taking care of non-VPN traffic and my ASUS taking care of VPN traffic, but was running into some minor UPnP issues so I thought to simplify my setup. Perhaps I'll go back to my old configuration.
 
