AWS Client VPN. Incredibly slow speeds?

I just implemented the new AWS client VPN (been waiting on this feature for a while now).

I’m finding the speed to be unacceptable for any real workload. All of my instances & databases are within private subnets and occasionally I need to be able to get shell access, and also for everyone at the company to have a way to securely browse the internet while traveling.

For reference, I get around `39Kbps` when testing via fast.com.

My setup is basically this blog post, which worked perfectly, other than the speeds.

My ovpn config file is basically this…

client
dev tun
proto udp
remote 1.REDACTED.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
rcvbuf 0
sndbuf 0
txqueuelen 4000

Hey all! Good news…

I opened a ticket with AWS Support for this and the following recommendation worked perfectly for me:

Please try disabling the TCP timestamps[1] sysctl parameter in the OS, and test if you are seeing any difference in terms of performance.

# sudo sysctl net.ipv4.tcp_timestamps=0
net.ipv4.tcp_timestamps = 0

Restarted my workstation and VPN speeds went wayyyy up.

Granted, I’m not entirely sure what the impact is of disabling TCP timestamps system-wide on my workstation, but it seems to be working alright so far.

Here’s my system for comparison:

NAME="Linux Mint"
VERSION="19.1 (Tessa)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 19.1"
VERSION_ID="19.1"
VERSION_CODENAME=tessa
UBUNTU_CODENAME=bionic
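The post above applies the AWS Support suggestion with a one-off `sysctl` call, which does not survive a reboot and leaves no record of why the setting was changed. The script below is an added example, not from the thread or from AWS: it manages the same `net.ipv4.tcp_timestamps` change through a `sysctl.d` drop-in so it is persistent, reviewable and easy to revert (TCP timestamps, RFC 7323, serve RTT measurement and PAWS, and the kernel default is 1). The drop-in file name is my own choice; everything that touches `/etc` or the live kernel needs root, while the render and check functions run unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread): manage the net.ipv4.tcp_timestamps
# workaround through a sysctl.d drop-in so the change is visible, survives
# reboots and can be reverted. The drop-in file name is an assumption.

SYSCTL_KEY="net.ipv4.tcp_timestamps"
PROC_PATH="/proc/sys/net/ipv4/tcp_timestamps"
DROPIN_NAME="90-vpn-tcp-timestamps.conf"

# Print the live kernel value (1 = timestamps on, the kernel default),
# or "unknown" when this host exposes no such knob (containers, non-Linux).
current_tcp_timestamps() {
    if [ -r "$PROC_PATH" ]; then
        cat "$PROC_PATH"
    else
        echo unknown
    fi
}

# Render the drop-in text for the requested value; rejects anything but 0 or 1.
render_dropin() {
    case "$1" in
        0|1) ;;
        *) echo "tcp_timestamps must be 0 or 1, got '$1'" >&2; return 1 ;;
    esac
    printf '# VPN throughput workaround: TCP timestamps (AWS Support suggestion)\n'
    printf '%s = %s\n' "$SYSCTL_KEY" "$1"
}

# Write the drop-in into a sysctl.d directory ($2, default /etc/sysctl.d)
# and print the path written. A rejected value leaves no file behind.
write_dropin() {
    _dir=${2:-/etc/sysctl.d}
    _file="$_dir/$DROPIN_NAME"
    render_dropin "$1" > "$_file" || { rm -f "$_file"; return 1; }
    echo "$_file"
}

# Reload every sysctl.d file so the drop-in takes effect without a reboot,
# then report the resulting live value (needs root).
apply_and_verify() {
    sysctl --system >/dev/null || return 1
    current_tcp_timestamps
}

# Revert: remove the drop-in and restore the kernel default live (needs root).
revert() {
    rm -f "${1:-/etc/sysctl.d}/$DROPIN_NAME"
    sysctl -w "$SYSCTL_KEY=1"
}

echo "current $SYSCTL_KEY: $(current_tcp_timestamps)"
```

Typical use as root is `write_dropin 0 && apply_and_verify`, which should print `0`; `revert` undoes both the file and the live setting. Keeping the change in a named drop-in also means a later OS upgrade or hardening baseline that ships its own `sysctl.d` entries will show the conflict instead of silently overriding it.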

@stackymao, did you ever figure this out? We’re using AWS client VPN as well. I’m the only guy on my team running Linux Mint and I’m getting practically useless speeds. No idea why.

Nothing stands out as ‘wrong’ with your config, to me. Dumb question, have you tried more than one device? Different network?

When I have VPN related headaches, I double check by connecting via my cellphone, over the cell network (ssh and openvpn work just fine on android and iOS) and it helps me rule out something wonky with my primary setup.

Dittos, clocked 27Kbps on fast.com with my beefy System76 ServalWS. Plenty of CPU/RAM but the speed is just too slow to use over AWS VPN.

LOL, finally found something that worked.

https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

Hey great info here. I am also experiencing this so the information here really helped. I see you wrote that your resources are all private, but have you had any DNS related issues such as I described in my post:
https://www.reddit.com/r/aws/comments/cjw5lb/dns_requests_over_vpn_not_resolving/

Sorry for necrobumping, but I ran into this issue on Manjaro (Arch-ish Linux) and none of the below solutions worked (nor anything else from my Google results). I managed to solve it by enabling the systemd-resolved service:

sudo systemctl enable systemd-resolved.service && sudo systemctl start systemd-resolved.service

This took my speed from 600 Kbps up to 140 Mbps (from 1.1 Gbps without VPN).

I’m using the openvpn package and set up VPN using regular network settings, but I found the solution on this AUR page https://aur.archlinux.org/packages/awsvpnclient/ … note that I’m not using the awsvpnclient package.

Wow, you saved my day!

Thank you so much!

I just tested this (on Arch Linux) and works like charm, thanks!!

I did not. I ended up just provisioning an aws micro instance and running openvpn on it.

I just hit the same issue. What is interesting is that on a Mac it works perfectly, on Linux (tried Ubuntu 18.04, Ubuntu 19.04) it does not. Tried all the options I could find on the net to tune it, but was stuck at slow speeds (400kbit/s max). Also tried openvpn 2.4.7 and 2.4.4, each with openssl 1.1.1 and 1.0.2. No difference whatsoever. Tried on 3 different Linux machines and 2 different internet connections (home/work).

Best that I could come up with is that Mac uses “ntun” (tun implementation for Mac) but Linux has a different driver for tun. I am willing to bet that if AWS would allow tap devices it would work like a charm.

Glad to know I am not alone.

That’s a great point. My laptop just broke so I’m waiting on a replacement. Only machine I’ve tried it on is my Linux desktop. Good call on the phone, I’ll test that out.

This seems to allow me to access other stuff (google, reddit, etc) at normal speeds, but won’t allow me to connect to the actual resources I need in my VPC at all. Any suggestions on how you made it work for you @nullsteph?

Did that improve your speeds on Linux?

So I tried also with CentOS 7 (openvpn 2.4.7, openssl 1.0.2k). Same problem.

I then launched an openvpn EC2 server, configured it to use the same ciphers as AWS (AES-256-GCM). Works like a charm. Also tried the client settings that the openvpn server gave on AWS: no difference.

Sure thing. I considered trying AWS’s VPN solution, but it seemed like an expensive way to, essentially, run openvpn on an EC2 instance, which is what I set up at my current gig almost two years ago, with very little hassle.

Benefit of running it on EC2 is I can choose to require an MFA token, implement split or full tunnel, configure those routes via Ansible, and push split tunnel routes from the server side. Example:

### Ansible managed - Updated on xxxxx ###
port 1194
proto udp
dev tun
ca ca.crt
cert xxxxx.crt
key xxxxxx.key
dh dh2048.pem
crl-verify crl.pem
server 10.8.0.0 255.255.0.0
route 10.8.0.0 255.255.0.0
keepalive 10 180
tls-auth ta.key 0
comp-lzo yes
tun-mtu 1500
mssfix
tcp-queue-limit 256
bcast-buffers 1024
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
tls-version-min 1.2
cipher AES-256-CBC
duplicate-cn
key-direction 0
verb 4

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn # depends on google authenticator MFA
# reneg-sec 604800 # time in seconds before requiring a new MFA authorization token.  7-days: 604800, 1-day: 86400
reneg-sec 0

# ### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "keepalive 10 60"

### Routes go here.  Examples:
##### foo.example.co
# push "route someelbroute.elb.amazonaws.com 255.255.255.255 vpn_gateway"
# push "route someotherelbrout.elb.amazonaws.com 255.255.255.255 vpn_gateway"

#### us-east-1 elbs:
push "route blahblah.amazonaws.com 255.255.255.255 vpn_gateway"
push "route foofoo.elb.amazonaws.com 255.255.255.255 vpn_gateway"
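The server config above pushes split-tunnel routes as `/32` entries, one per ELB hostname, and the post mentions the routes are generated by Ansible. The script below is an added example, not the poster's Ansible role or any OpenVPN project code, and it generalizes the idea to whole VPC CIDR ranges: OpenVPN's `route` directive takes a dotted netmask rather than a prefix length, so the conversion is done here, and each entry is checked to be a real network address (a typo such as `10.8.1.0/16` is rejected before anything reaches the server config). The sample CIDR list is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): turn VPC CIDRs into server-side
# split-tunnel push lines for OpenVPN, with the netmask computed and the
# network address validated. The CIDR list below is constructed sample input.

# Dotted-quad IPv4 -> 32-bit integer; fails silently on malformed input.
ip_to_int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Prefix length (0..32) -> dotted netmask, e.g. 16 -> 255.255.0.0.
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        _m=0
    else
        _m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
    int_to_ip "$_m"
}

# "a.b.c.d/n" -> push "route a.b.c.d <mask> vpn_gateway". Refuses an address
# that is not the base of its own network, so the mistake is caught here
# rather than after the config has been deployed.
cidr_to_push_route() {
    _net=${1%/*}; _len=${1#*/}
    [ "$_net" != "$1" ] || return 1          # no "/" present at all
    _ip=$(ip_to_int "$_net") || return 1
    _mask=$(prefix_to_mask "$_len") || return 1
    _maskint=$(ip_to_int "$_mask")
    [ $(( $_ip & ~$_maskint & 4294967295 )) -eq 0 ] || return 1
    printf 'push "route %s %s vpn_gateway"\n' "$_net" "$_mask"
}

# Constructed sample input: private ranges that should go through the tunnel.
SAMPLE_CIDRS="10.8.0.0/16
172.31.0.0/16
10.20.5.0/24"

# Emit one push line per CIDR; stop at the first bad entry so a typo never
# ships half a route table. Returns non-zero on any bad entry.
render_push_routes() {
    printf '%s\n' "$1" | while IFS= read -r _c; do
        [ -n "$_c" ] || continue
        cidr_to_push_route "$_c" || { echo "bad CIDR: $_c" >&2; exit 1; }
    done
}

render_push_routes "$SAMPLE_CIDRS"
```

Run as-is it prints three `push "route ..."` lines that can be dropped straight into the server config's routes section; a list with a bad entry makes `render_push_routes` fail rather than emit a partial table, which is the property you want when the output feeds a configuration-management run.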

Same here. I gave up and went with the Open Access Server image on the AWS market. It couldn’t have been easier to configure and the speeds are great for all clients: Linux, Mac, Windows.

Our speeds are fine with it. Haven’t done a test but multi gb file downloads have been quick.

We do split tunnel on the client side config. Would be nice to have server push.

Logging really stinks though. And no MFA as you say (not sure about directory service, we didn’t want AD).

I think the main benefit like some other services is not having to maintain the server, harden it, and you get built in HA.

Lack of logging is a no-go for us. We’ve terminated an engineer over their behavior, directly related to their VPN activity, as evidenced by the logs.

Server push split VPN saves us more than just dollas. I really, really don’t want to be the VPN/internet police.