We’ve set up SSL VPN, IPSec VPN and L2TP VPN. They seem to achieve around 100Mbps (edit: SSL VPN actually reaches 250Mbps when testing with google, gigabit connections both ends). What speeds is the XGS3100 actually capable of and is there anything we can do to improve this short of running a VPN service on a separate server?
Also, on the client side is it impossible to set up SSL VPN so all traffic is routed through the VPN? And conversely, is it impossible not to route all traffic over L2TP VPN?
N.B. it seems as though the ookla speed test at Speedtest.net can’t accurately measure download speeds when the Sophos L2TP VPN is connected, it shows around 20 down whereas other speed tests show 100. The SSL and IPSec don’t have the same issue.
Yes, you can send all traffic through the SSL VPN, just make sure “Use as default gateway” is switched on under “tunnel access”. We don’t use L2TP anymore because we require MFA, so I’m not sure about that one.
I get well over 100Mbps using the SSL VPN, typically around 75% of whatever the max bandwidth is wherever I am working from. There’s definitely some performance hit, but not enough to really notice in everyday use in my opinion.
Oh, and as far as speedtest.net, I’ve also noticed strange results through the XGS. I usually use fast.com or Google’s speed test and those results seem more accurate for me.
To test the speed you can use iperf. You set up a test server behind the XGS and a client on the other end of the VPN.
In addition you can try and test if you get same results with the firewall acceleration turned off.
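For the iperf approach suggested above, here is an added example that is not part of the thread: a small Python script that reads iperf3's machine-readable output (`iperf3 -J`) from a baseline run and a run through the tunnel and turns them into a throughput fraction and overhead percentage, plus the packet-loss figure a UDP run reports. The JSON field names follow iperf3's own format; the sample results embedded below are constructed and only echo the ballpark numbers mentioned in the thread.

```python
"""Summarise iperf3 -J results for a baseline run and a run through a VPN tunnel,
so the tunnel overhead is a measured number rather than a speed-test guess."""
import json
from typing import Optional


def throughput_mbps(result: dict) -> float:
    """Receiver-side goodput in Mbit/s from an iperf3 -J result.
    TCP runs summarise under end.sum_received, UDP runs under end.sum."""
    end = result["end"]
    summary = end.get("sum_received") or end.get("sum")
    return summary["bits_per_second"] / 1e6


def udp_loss_percent(result: dict) -> Optional[float]:
    """Packet loss reported by a UDP run, or None for a TCP run
    (TCP retransmits, so loss shows up as lower goodput instead)."""
    if result["start"]["test_start"]["protocol"] != "UDP":
        return None
    return result["end"]["sum"]["lost_percent"]


def compare(baseline: dict, tunnel: dict) -> dict:
    """Baseline vs. tunnel goodput, the fraction retained and the overhead lost."""
    base = throughput_mbps(baseline)
    tun = throughput_mbps(tunnel)
    return {
        "baseline_mbps": round(base, 1),
        "tunnel_mbps": round(tun, 1),
        "tunnel_fraction": round(tun / base, 3),
        "overhead_pct": round(100 * (1 - tun / base), 1),
        "udp_loss_pct": udp_loss_percent(tunnel),
    }


# Constructed sample results, trimmed to the fields used above. The numbers are
# made up for illustration (gigabit links, roughly 250 Mbps through the tunnel).
BASELINE = json.loads("""{
  "start": {"test_start": {"protocol": "TCP"}},
  "end": {"sum_received": {"bits_per_second": 941000000.0}}
}""")
TCP_TUNNEL = json.loads("""{
  "start": {"test_start": {"protocol": "TCP"}},
  "end": {"sum_received": {"bits_per_second": 250000000.0}}
}""")
UDP_TUNNEL = json.loads("""{
  "start": {"test_start": {"protocol": "UDP"}},
  "end": {"sum": {"bits_per_second": 310000000.0, "lost_percent": 0.8, "jitter_ms": 1.2}}
}""")

if __name__ == "__main__":
    for name, run in (("SSL VPN over TCP", TCP_TUNNEL), ("SSL VPN over UDP", UDP_TUNNEL)):
        print(name, compare(BASELINE, run))
```

To produce real input, run `iperf3 -s` on a host behind the XGS, then from the remote client run `iperf3 -c <server> -J > baseline.json` with the tunnel down (against a reachable baseline host) and again with the tunnel up; add `-u` with a `-b` target bitrate for a UDP run so the loss figure is meaningful. Load each file with `json.load` and pass the two dicts to `compare`.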
Thanks! Unfortunately “Use as default gateway” means all users would have all their traffic routed through the VPN. I’d like to have most users not configured that way, so it doesn’t matter if they’re streaming while working from home, but a few users routing all traffic through the VPN, set on the client side rather than the server, for IP-whitelisted services. Is that possible? We’re mostly Macs, so I’m using Tunnelblick, which has a “Route all IPv4 traffic through the VPN” option that causes the connection to fail when checked. Our Windows users are using Sophos Connect, which I don’t think has the option (the Mac version doesn’t).
I’m actually getting 250Mbps on SSL VPN having checked again with google, but it’s a gigabit connection on both ends. Any tips to speed up the connection? It doesn’t seem to be using much of the Sophos’ resources, CPU stays around 10% and memory 40%. The SSL VPN seems a lot slower at transferring many small files via SMB than L2TP, presumably due to encryption. L2TP is also supported natively on a Mac without 3rd party software, but I might ask some of our designers to try the SSL VPN with Tunnelblick and see which they prefer.
I’ve just switched to the google speed test as well, gave fast.com a shot now and it’s showing 66Mbps where google is showing 95Mbps so I guess I’ll stick with google or use iperf as suggested below!
Thanks, I’ll give iperf a shot to get more accurate results!
I’d not heard of firewall acceleration but it seems to be enabled by default so it’s probably on, I’ve not configured the firewall myself but I’m trying to figure out some of what our Sophos reseller is struggling with. I guess I should give the CLI a shot and take a look!
If you don’t want to send all SSL VPN traffic through the tunnel, turn off “use as default gateway”.
Is your SSL VPN using TCP or UDP? I believe UDP is generally faster, but if you change this setting, I think clients have to re-download their config file (not certain, I’ve never changed it).
It’s built into XGS devices and is enabled by default with v19 and later.
Worth a check if you have some wonky performance results.
The command to use it in the console:
system firewall-acceleration show
Then you can choose to enable or disable it to see if there are any changes.
When “use as default gateway” is off, setting send all IPv4 traffic through VPN on the client side causes the VPN connection to fail so it seems to be all or nothing unfortunately.
It’s using TCP. Thanks for pointing that out, I’ll give UDP a shot (it does note in the interface that UDP has better performance), but I’ve read UDP is a less stable connection and can’t handle dropped packets, so with a lot of people working from home on not-great connections I’m not sure we’ll be able to stick with it. The great thing about using more than one protocol is that I can break the SSL VPN and use the L2TP VPN to remote on and reconfigure it!