SMB over VPN performance boost

I am actually posting here with a positive finding for once!

If you use SMB over a VPN with the Windows VPN client and you set the rule governing the SMB traffic to proxy-based inspection mode with a security profile that utilizes it like AV, then you can see a dramatic improvement on SMB throughput to the client. For example, using flow-based I get SMB throughput 1-3MB/s, but when I switched to proxy-based I get throughput of 30MB/s on a 300Mbps connection which is pretty close to line speed! Uploads seem to not be affected, I get 5MB/s, which sucks, but it’s not as important as download speed.

This is with the built-in IPSec VPN client on Windows 10. I suspect that the client is badly programmed and can’t pace the traffic properly (both in packet ordering and flow control), but having a device pace the traffic for it makes it fly.

If Microsoft would only fix their busted VPN client then people might get some work done!

Edit: I believe this is because the FGT is on-LAN with the file servers and with the rules in proxy-mode the FGT will act as an in-between for congestion control. MS does LAN congestion control well, but not WAN, FGT does both LAN and WAN well, so the traffic is paced properly. Unfortunately the Windows IKE client just can’t send data on WAN properly and there is no on-LAN device on the client side to help.

Edit2: For an alternate reference I set up a WG server behind the FGT and installed the WG client on the same remote Windows client that I ran earlier tests with. The WG setup was able to get 15MB/s down, 10MB/s up which is a lot better than the AgileVPN client’s (without FGT’s proxy-mode) 1MB/s down 5MB/s up, probably the best you can get with Windows congestion control at 300Mbps and 20ms. The main problem seems to be the AgileVPN client, with Windows congestion control a close second. If Microsoft would just fix these two things there is no reason you couldn’t reach close to wirespeed over VPN with 20ms or below. Until then you can use something like FGT proxy mode to stuff the pipe and get close to wirespeed with VPN downloads.

No, you need to do your homework better :)

https://directaccess.richardhicks.com/2019/02/11/always-on-vpn-and-ikev2-fragmentation/

What are you talking about?

I have wiresharked the connection as a first step and there was no ikev2 fragmentation going on. The connection is up and stable and UDP traffic flows without drops.

Edit: It is most likely this: "In Detail: Slow performance of IKEv2 built-in client VPN under Windows"
