VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Thu Feb 02, 2017 10:44 pm
by vix
Hi guys, so I love Softether! But I'm having a very weird issue. I run a VPN server off a dedicated server and have about 10-20 users connected at any given time.
When I first install everything, with about 100 IPs and 100 virtual hubs & 100 local bridges, everything works perfectly.
I get about 20mbps on L2TP and 50mbps when a user is connected via Softether,
but then when I add up to 400 IPs and 400 virtual hubs & 400 local bridges, stuff starts getting weird.
I'm getting only about 1mbps on L2TP, EXTREMELY SLOW, but still getting 40-50mbps when a user is connected via Softether.
WHAT IS CAUSING THIS?! Why is there such a huge drop-off with L2TP while Softether stays relatively the same speed? What can I do to get L2TP back up to 20mbps??
Any ideas or suggestions would be much appreciated, this is driving me crazy, thanks!
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Fri Feb 03, 2017 12:30 am
by moatazelmasry
Two questions:
- How much CPU of the server is being used?
- Why do you need 400 Hubs and local bridges? I hope you are not creating a Hub and a bridge for each user
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Fri Feb 03, 2017 12:47 am
by vix
moatazelmasry wrote:
> Two questions:
>
> - How much CPU of the server is being used?
> - Why do you need 400 Hubs and local bridges? I hope you are not creating a
> Hub and a bridge for each user
CPU usage does seem to be high, it goes from 50-105% constantly, but then if this is impacting L2TP, why does it have no negative consequences on Softether?
Unfortunately I am creating a hub & bridge per user because these are dedicated IPs that cannot be shared between users, so each user is assigned a specific dedicated IP.
Or is there a better way to do it so that I don't have to create that many hubs or bridges? But you have to keep in mind these users have to be the only ones able to access that specific dedicated IP; other users shouldn't be able to access other people's dedicated IPs. So that's why I'm thinking this is the only way to do it, or am I wrong?
Thanks for your help!
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Fri Feb 03, 2017 1:59 am
by moatazelmasry
Ok. Obviously, the more users you have, the less throughput per user, especially since there's a lot of encryption and decryption going on. But you mentioned that the SoftEther VPN protocol is working fine, so we will have to discard that fact for now.
A solution I can think of is to delegate the IP allocation process to freeradius. Obviously you need to use freeradius as well for user authentication.
https://wiki.freeradius.org/guide/dhcp- ... allocation
Hope this helps
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Fri Feb 03, 2017 2:23 am
by vix
moatazelmasry wrote:
> Ok. Obviously, the more users you have, the less throughput per user,
> especially since there's a lot of encryption and decryption going on. But you
> mentioned that the SoftEther VPN protocol is working fine, so we will have to
> discard that fact for now.
>
> A solution I can think of is to delegate the IP allocation process to
> freeradius. Obviously you need to use freeradius as well for user
> authentication.
>
> https://wiki.freeradius.org/guide/dhcp- ... allocation
>
> Hope this helps
Yeah, one thing to remember is that there is never a moment where more than 20 users are connected at once, even though there are 400 hubs / bridges etc.
Thanks for the suggestion! Can you elaborate on how freeradius would help? Cause we already assign one static IP per hub, so once the user connects I don't think that uses up many resources, cause that's already specified as the only IP available for that hub, and again not that many users are connecting at once. So I don't think this is the part that's using up a lot of resources.
And it still doesn't make sense to me how L2TP can be at 1mbps while users using Softether still get 50mbps. Maybe there's a setting I can change or something to make L2TP get more speed, cause clearly Softether is having no issues getting good speed.
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Fri Feb 03, 2017 10:45 am
by moatazelmasry
Freeradius would help if you disable DHCP in SE and use the static IP allocation of freeradius. This way you need only 1 hub and one local bridge where all users are defined, and their authentication is delegated to freeradius. I'm not sure though that SE supports this kind of radius attribute (please test).
400 Hubs and bridges is a really bad idea.
If security is no concern, or just for the sake of fun, you could try to tweak the L2TP client to use lower encryption, for example 768-bit MODP Diffie-Hellman, Encryption: AES-CBC or none, etc.
Maybe you can even disable the encryption altogether just to test whether this affects speed.
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Tue Feb 07, 2017 6:33 am
by vix
moatazelmasry wrote:
> Freeradius would help if you disable DHCP in SE and use the static IP
> allocation of freeradius. This way you need only 1 hub and one local bridge
> where all users are defined, and their authentication is delegated to
> freeradius. I'm not sure though that SE supports this kind of radius
> attribute (please test).
> 400 Hubs and bridges is a really bad idea.
>
> If security is no concern, or just for the sake of fun, you could try to
> tweak the L2TP client to use lower encryption, for example 768-bit MODP
> Diffie-Hellman, Encryption: AES-CBC or none, etc.
> Maybe you can even disable the encryption altogether just to test whether
> this affects speed.
Yeah, converting everything to freeradius sounds like quite the headache, but your 2nd suggestion sounds interesting. I'd be curious to test that, if anything just out of curiosity.
Do you happen to know what commands I would need to use to lower encryption and then to remove encryption altogether for L2TP?
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Tue Feb 07, 2017 9:13 am
by moatazelmasry
If you are on linux, you can set up L2TP using xl2tpd and strongswan. Here's a tutorial using openswan (the predecessor of openswan)
http://www.jacco2.dds.nl/networking/linux-l2tp.html
https://wiki.archlinux.org/index.php/Op ... ient_setup
To disable the encryption altogether in strongswan, specify the ciphersuite equal to null in ipsec. In /etc/ipsec.conf, in the "conn %default" directive, add the following:
conn %default
    ike=null
    esp=null
    ah=null
But before doing that, try to get an L2TP connection with strongswan up and running, then try this bit
Cheers
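A way to confirm afterwards that the test settings mentioned in this thread (null ciphers, 768-bit MODP) are no longer present in an ipsec.conf. This is an added example, not part of the original post and not strongSwan or SoftEther code; the sample file and the `office` connection name are constructed.

```python
import re

# "null" and "modp768" are the test settings suggested in the thread; extend
# this table to match local policy.
WEAK_TOKENS = {"null": "null algorithm", "modp768": "768-bit MODP group"}

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for an ipsec.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.match(r"(conn|ca|config)\s+(\S+)$", line)
        if header:
            current = sections.setdefault(f"{header.group(1)} {header.group(2)}", {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)          # tolerate "key = value"
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """List (section, key, token, reason) for each weak proposal token."""
    findings = []
    for name, params in parse_ipsec_conf(text).items():
        if not name.startswith("conn "):
            continue
        for key in ("ike", "esp", "ah"):
            value = params.get(key, "").rstrip("!")  # "!" marks a strict proposal
            for proposal in filter(None, value.split(",")):
                for token in proposal.strip().lower().split("-"):
                    if token in WEAK_TOKENS:
                        findings.append((name, key, token, WEAK_TOKENS[token]))
    return findings

# Constructed sample: the thread's test settings plus a hypothetical "office" conn.
SAMPLE = """\
conn %default
    ike=null
    esp=null
    ah=null

conn office
    ike=aes256-sha256-modp2048,aes128-sha1-modp768!
    esp=aes256-sha256
"""

if __name__ == "__main__":
    for section, key, token, reason in audit(SAMPLE):
        print(f"{section}: {key} contains '{token}' ({reason})")
```

A finding under `conn %default` applies to every connection that does not override that key; the sketch does not follow `also=` references.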
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Tue Feb 07, 2017 11:51 pm
by vix
moatazelmasry wrote:
> If you are on linux, you can set up L2TP using xl2tpd and strongswan.
> Here's a tutorial using openswan (the predecessor of openswan)
>
> http://www.jacco2.dds.nl/networking/linux-l2tp.html
>
> https://wiki.archlinux.org/index.php/Op ... ient_setup
>
> To disable the encryption altogether in strongswan, specify the
> ciphersuite equal to null in ipsec. In /etc/ipsec.conf, in the "conn
> %default" directive, add the following:
>
> conn %default
>     ike=null
>     esp=null
>     ah=null
>
> But before doing that, try to get an L2TP connection with strongswan up and
> running, then try this bit
>
> Cheers
Yes, I'm using CentOS, but the only problem is that I need it to work in connection with Softether, so it has to be through the Softether L2TP, for several reasons regarding management.
So is there any way to change the encryption for the L2TP that Softether makes without needing to set up a separate L2TP?
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Mon Feb 13, 2017 7:50 am
by vix
Yes, I'm using CentOS, but the only problem is that I need it to work in connection with Softether, so it has to be through the Softether L2TP, for several reasons regarding management.
So is there any way to change the encryption for the L2TP that Softether makes without needing to set up a separate L2TP?
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Mon Feb 13, 2017 10:58 pm
by moatazelmasry
No, you don't need to create a separate L2TP server. I'm talking about configurations for the L2TP client.
The server will mostly honor what the client suggests, even disabling encryption.
Re: VERY WEIRD ISSUE - L2TP getting HORRIBLE results 1mbps
Posted: Thu Mar 02, 2017 5:52 am
by thisjun
If you use tagged VLAN, I recommend using the VLAN ID of the security policy.
or
If you create many local bridges to one device, I recommend creating a new virtual hub, creating a local bridge with the new virtual hub, and then creating a cascade connection with each of the hubs. Many local bridges on one device cause many duplicate packets and lower performance.