SoftEther VPN User Forum

Posted: **Wed Aug 04, 2021 4:41 pm**

Hello. I'm using Vultr VPS. I installed CentOS 7 and SoftEther, and I enabled SecureNAT.
But.. the speed of SoftEther is too slow. I tried SoftEther Client and SoftEther bridge.

But, other VPN program speed is very fast although OpenVPN of SoftEther.

In case, My home network maximum bandwidth is 500Mbps and tested by famous network benchmark service in this region.

Normal(Not connecting VPN)
-> Down 500Mbps / Up 495Mbps

Using SoftEther Client with SecureNAT
-> Down 0.5Mbps / Up 180Mbps

Using Outline VPN
-> Down 480Mbps / Up 450Mbps

Using OpenVPN included in SoftEther with SecureNAT
-> Down 480Mbps / Up 480Mbps

Almost of VPN are very fast but only SoftEther is very slow.

Because the speed of OpenVPN included in SoftEther is very fast, I think SecureNAT is not reason of this problem.

I tried "No Encryption", TCP connection to 32 and cascade with my home server, but no effect existed.

Could someone give me some feedback or hint? I should use SoftEther for some reasons. Thanks!

Posted: **Sat Aug 07, 2021 5:20 pm**

It was SecureNAT problem. I try OpenVPN today, It slow too. solved

Posted: **Tue Aug 10, 2021 2:40 am**

Hello juny1209,

Could you please explain how you were able to fix the issue since i'm facing the exact same issue.

Thanks in advance

Posted: **Sat Oct 09, 2021 4:01 am**

guestofhonor wrote: ↑
Tue Aug 10, 2021 2:40 am
Hello juny1209,

Could you please explain how you were able to fix the issue since i'm facing the exact same issue.

Thanks in advance

I used tap(Virtual Network Adaptor), iptables and dnsmasq. I've got the information from this link (https://damoa-nawa.tistory.com/89) The link is korean but you can use google translator. I apologize for late answer.

Posted: **Mon Aug 01, 2022 9:37 pm**

In my case this didn't help, but maybe someone will use my solution instead:
I have 2 SE VPN servers installed on RedHat VM's working on Proxmox virtualization.
SE VPN server configuration and VM's parameters are the same, the only difference is in virtual network card.
On one server I used Intel E1000 virtual network card - on this one SE speed was OK.
On second server I used virto virtual network card - on this one download speed was around 0,2 Mb/s, upload around 10 Mb/s
After changing virtual card on second server from virtio to Intel E1000, download speed increased to ~30 Mb/s, upload speed remained at 10 Mb/s (but that's ok regarding my network connection). So the problem was in virtual network card I used.

Regards,
Lukasz

Posted: **Thu Mar 16, 2023 12:59 pm**

lukaszos wrote: ↑
Mon Aug 01, 2022 9:37 pm
In my case this didn't help, but maybe someone will use my solution instead:
I have 2 SE VPN servers installed on RedHat VM's working on Proxmox virtualization.
SE VPN server configuration and VM's parameters are the same, the only difference is in virtual network card.
On one server I used Intel E1000 virtual network card - on this one SE speed was OK.
On second server I used virto virtual network card - on this one download speed was around 0,2 Mb/s, upload around 10 Mb/s
After changing virtual card on second server from virtio to Intel E1000, download speed increased to ~30 Mb/s, upload speed remained at 10 Mb/s (but that's ok regarding my network connection). So the problem was in virtual network card I used.

Regards,
Lukasz

Hi

Old post but I m going to give it a shot.
I have a similar issue (slow download performance) but I have the SE vpn server setup in a container unprivileged without nesting on Proxmox. I noticed as well from the remote client maxed out upload speeds and terrible download ones.
I am using SE Server Management from windows to set it up.

info
-SecureNAT isnt enabled (checked from the server management / virtual hub options window)
-Not using extra firewall appliances (both h/w or s/w ones.)

Tried to:
-Changed to a different vmbr on hypervisor (all vmbrs are based on bonds of 2 physical ports in LACP mode)
-Changed DNS servers for the softether VM
-Port forwarded (even though not needed since I m using for the client the Dynamic DNS function of SE server)

Maybe-s:
-CT is unpriviledged and nested is not checked (but these options refer to other functions of the CT)
-How to enable promiscuous mode for the nic? Outside Container? Both outside and inside (server is in cli mode since it is a Container)
-Make sure that vpnserver process is running as root. Otherwise, local bridge fails. Even though it is masking the ids of the root user and group
since it is an unprivileged container, upload speed is maxed out. Shouldn t the remote client have both down/up terrible speeds?
-I liked the idea to re-create the server as a Linux VM and not Container and choose as virtual nic the intel e1000, since there is no way to change that option to a container except maybe passthrough a real card which I have to install to the physical server.

Any other thoughts (you or anyone else) of how would I be able to fix it in my current situation using a Container?

Thank you

Posted: **Thu Mar 16, 2023 5:25 pm**

A VPN by itself has the overhead because of encryption.
WireGuard which is considered as the fastest one, has overhead of 10% to 30% of client speed. (100mbit => 90mb ~ 70mb)
OpenVPN , SSTP and others have more overhead, 30% to 50% (100mb => 60mb ~ 50mb)

+ when we use a VM, we have another layer of overhead.
+ If you put it in a container, simply you will have more overhead
+ Windows does not support containers and extra packets are needed == more overhead :|
+ SecureNAT
----------------- result -----------------
Really slow speed experience

The closer we get to the hardware, the better speed and less overhead
Here are best infrastructure from the best to worst for SoftEther VPN

Physical + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT
VM + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT
Container (alpine or others) + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT

(not tested)
Physical + Windows server (e.g ???) + Hub with Local Bridge (loopback adopter)
VM + Windows server (e.g ???) + Hub with Local Bridge (loopback adopter)
Container + Windows server (e.g ???) + Hub with Local Bridge (loopback adopter)

### Some factors impact the speed and experience ###

SecureNAT > vNAT
NAT ing has lots of overhead , but a kernel can do it much faster than SoftEther itself.
If you have users you should NOT use SecureNAT > vNAT function (vHDCP is okay)
if you run a SE server for test or site-to-site while you could not create Local Bridge connection since you were not admin then SecureNAT is the only choice

SecureNAT > vDHCP
SE vDCHP is faster then dnsmasq or any other DHCP, and has no overhead (as I tested) but it is less flexible than a full DHCP server

DataCenter
This option is usually overload but some datecenters are much faster than others, test your server is at least two different datacenter (ISPs)
Hetzner is faster than OVH if your client are not located in Europe

Speed Test
vpncmd > tools > TrafficClient and TrafficServer
Test the speed from a client location to the server location
You can do it with a client GUI as well.

Client Network
Client network has a major impact, test it with cloudfalure before connecting to the VPN and afterward
https://speed.cloudflare.com/
Your speed should not declare more then 50% (50% is the worst overhead)

Posted: **Fri Mar 17, 2023 12:02 pm**

shakibamoshiri wrote: ↑
Thu Mar 16, 2023 5:25 pm
A VPN by itself has the overhead because of encryption.
WireGuard which is considered as the fastest one, has overhead of 10% to 30% of client speed. (100mbit => 90mb ~ 70mb)
OpenVPN , SSTP and others have more overhead, 30% to 50% (100mb => 60mb ~ 50mb)

+ when we use a VM, we have another layer of overhead.
COLOR=#FF0000 -> true
+ If you put it in a container, simply you will have more overhead
+ Windows does not support containers and extra packets are needed == more overhead :|
COLOR=#FF0000 ->also true but I used a container on a Hypervisor (LXC), not windows -> docker ->container

+ SecureNAT
COLOR=#FF0000 -> I thought I mentioned it above that I didn t enable it (from the softether server configuration app)

----------------- result -----------------
Really slow speed experience

The closer we get to the hardware, the better speed and less overhead
Here are best infrastructure from the best to worst for SoftEther VPN

Physical + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT
COLOR=#FF0000 -> this is what I am trying to avoid since I have it setup in a physical machine running windows
VM + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT
COLOR=#FF0000 ->This is what I am trying to achieve. On top of that I could pass through the nic card for even better results.
But why Debian? Is it because Ubuntu has locked the root user ?
Container (alpine or others) + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT

(not tested)
Physical + Windows server (e.g ???) + Hub with Local Bridge (loopback adopter)
COLOR=#FF0000 ->what I am running now and it is ok (just want to move to a VM. Tried Container-LXC for less resources)
VM + Windows server (e.g ???) + Hub with Local Bridge (loopback adopter)
COLOR=#FF0000 ->what I am about to do (still I would prefer Linux to avoid Licensing)
Container + Windows server (e.g ???) + Hub with Local Bridge (loopback adopter)

### Some factors impact the speed and experience ###

SecureNAT > vNAT
NAT ing has lots of overhead , but a kernel can do it much faster than SoftEther itself.
If you have users you should NOT use SecureNAT > vNAT function (vHDCP is okay)
COLOR=#FF0000 -> Once again I am not using it.
vNAT is the deafault one used if SNAT is disabled?
is vHDCP or vDHCP. I am not familiar with this term
if you run a SE server for test or site-to-site while you could not create Local Bridge connection since you were not admin then SecureNAT is the only choice

SecureNAT > vDHCP
SE vDCHP is faster then dnsmasq or any other DHCP, and has no overhead (as I tested) but it is less flexible than a full DHCP server
COLOR=#FF0000 ->Can you elaborate more on that? Do I enable it somewhere? Less flexible meaning?

DataCenter
This option is usually overload but some datecenters are much faster than others, test your server is at least two different datacenter (ISPs)
Hetzner is faster than OVH if your client are not located in Europe
COLOR=#FF0000 ->Entirely not the case here since I have for reference the physical machine on the same ISP which goes way better.

Speed Test
vpncmd > tools > TrafficClient and TrafficServer
Test the speed from a client location to the server location
You can do it with a client GUI as well.
COLOR=#FF0000 ->It is what I am doing and found out about the lame speeds. Else I thought that I managed to install and configure it.

Client Network
Client network has a major impact, test it with cloudfalure before connecting to the VPN and afterward
https://speed.cloudflare.com/
Your speed should not declare more then 50% (50% is the worst overhead)

COLOR=#FF0000 -> From inside the client I have setup 2 se connections. One which is the default and is currently running connecting to the h/w se server
and a second one connecting to the s/w se server.
Our speed from 4G router, is most times 70-80Mbit down and 20-30Mbit up (If I can recall down of the serve is the for the client and vis versa)
and the tunnel is full (not partial). The client from his side gets 15 -20Mbit down (from the up the server could give)
and 12-20Mbit up (from the down the server could accept).
When client connects to VM se vpn it gets 0.8-2.5Mbit down at best (from the up the server could give)
and 12-20Mbit up (from the down the server could accept).
So one speed is the problem. The other is the same as the one the physical server can provide.

New edit: Tried on a VM running Windows both virtio as a network card and the intel E1000 one and I had the expected results as with the physical machine. Something is preventing SE server from running on Linux and needs further configuration which I don t know what that might be.

Posted: **Fri Mar 17, 2023 6:44 pm**

ieronymous wrote: ↑
Fri Mar 17, 2023 12:02 pm
But why Debian? Is it because Ubuntu has locked the root user ?

I did not mention anyone in the reply which means I was not specifically talking about your case.
It was just a general "rule of thumb" using SE servers.

Why Debian?
1. Debian needs less resources than Ubuntu
- Debian can run with 512 M RAM while Ubuntu needs 1024 M RAM.
- Ubuntu has extra services installed (e.g snap) which we do not need it

What is vDHCP?
SE server has SecureNAT. SecureNAT has two functionalities
1. a Virtual NAT (vNAT)
2. a Virtual DHCP (vDHCP)
When you enable a SecureNAT you actually enable both vNAT and vDHCP. the SecureNAT overhead is because of vNAT not vDHCP. So you can enable SecureNAT while in SecureNAT disabling vNAT and keep the vDHCP.

For speed test, the easiest one could be connecting to a SE server with a phone or PC clients and test the speed. To me this is not the best choice.
The better one is testing with "vpncmd" or GUI without connecting to a SE server using a client.
The test result is more accurate. After the test was done, you client speed should not be less than 50% of the result with "vpncmd". it could be upper.

Posted: **Sat Mar 18, 2023 6:25 pm**

shakibamoshiri wrote: ↑
Fri Mar 17, 2023 6:44 pm

I did not mention anyone in the reply which means I was not specifically talking about your case.
It was just a general "rule of thumb" using SE servers.
COLOR=#FF0000 ->You are absolutely right. Even though I had in my mind to start the post with <<in case you are referring to me>> I got lost inside the post and what I was trying to write and forgot it.

What is vDHCP?
SE server has SecureNAT. SecureNAT has two functionalities
1. a Virtual NAT (vNAT)
2. a Virtual DHCP (vDHCP)
When you enable a SecureNAT you actually enable both vNAT and vDHCP. the SecureNAT overhead is because of vNAT not vDHCP. So you can enable SecureNAT while in SecureNAT disabling vNAT and keep the vDHCP.
COLOR=#FF0000 ->Thank you for the explanation. I already knew about vDHCP but I though I was reading vHDCP and couldn t rememebr or find anywhere the term.

Do you have a guide for this occasion? VM + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT
I d like the afterwards part (iptables and -J SNAT). Shoudln t SNAT be a major speed problem here like when enabling it from the SE server management?
The only close uide I ve found on net (which is as well based on the Korean one - someone mentioned in a post in this forum) was
https://theitguycj.com/installing-softe ... ntu-22-04/ ..... but at the part (after installation of dnsmasq) where you have to apply the command
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [YOUR VPS IP ADDRESS], I don t know what to enter here as my VPS iIP SERVER
.The private static one ? Already tried the dynamic DNS of SE but errors out since it needs an IP address.
Also this guide uses an extra virtual adapter tap_soft and not the default one.

So when the client connects to the SE sever and the SNAT is disabled who passes out IPs and does the translation? Router of client and router placed on the server site? Because installing SE server at least in Windows, seems to work without SNAT enabled, just VM /or physical + Windows server + Hub with Local Bridge. Nothing else.

Thank again for replying.

Posted: **Sun Mar 19, 2023 9:28 am**

ieronymous wrote: ↑
Sat Mar 18, 2023 6:25 pm
Do you have a guide for this occasion? VM + Linux server (e.g Debian 11) + Hub with Local Bridge + iptables -j SNAT

One con of SE ecosystem is lack of automation tools for server provisioning. You see posts like that telling how to install SE server on Linux but neither SE dev team nor SE fans/advocates provide a tool for a full setup. You need the following to setup a SE server on a Linux box
- download stable or clone developer version
- built stable for developer version
- enable systemd (can be ignored for test cases)
- add a least one HUB
- add a least one user
- enable ScureNAT

You are ready to use at this point, and this configuration is mostly used for testing and production. For production
- download stable or clone developer version
- built stable for developer version
- enable systemd
- add a least one HUB
- create a Local Bridge for that HUB
- add IP to the tab device created for being used with local bridge for that HUB
- add ip-table rules (SNAT,or MASQUERADE)
- add N users

About SNAT or a kind of micro optimization and does have huge overhead if other options be used.
But SecureNAT has huge overhead if N users connect simultaneously. NATing means alerting every single packet which Linux kernel can handle it much faster with litter effort while SE is not capable of.

ieronymous wrote: ↑
Sat Mar 18, 2023 6:25 pm
So when the client connects to the SE sever and the SNAT is disabled who passes out IPs and does the translation?

If you enable SecureNAT, SE server does that (vTAN). If neither host NAT enabled nor SecureNAT of SE, clients connect, but have no access to the outside of that machine (e.g the Internet)

ieronymous wrote: ↑
Sat Mar 18, 2023 6:25 pm
Router of client and router placed on the server site? Because installing SE server at least in Windows, seems to work without SNAT enabled, just VM /or physical + Windows server + Hub with Local Bridge. Nothing else.

Mostly people on Windows enable SecureNAT (= vNAT + vDCHP) so NATing is done by the SE server not the host. IT WILL BE SLOW and high CPU usage for N users simultaneous connections. For a few users it is not felt

BtW
I am working on a new CLI for full SE server provisioning on Linux. It is almost ready. If you can wait a few days (maybe weeks) it helps you.
If you have to set it up now, it is better to ask your issue in a new question/topic and discontinue on this thread.

SoftEther VPN User Forum

[Solved] SoftEther speed is too slow

[Solved] SoftEther speed is too slow

Re: SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow

Re: [Solved] SoftEther speed is too slow