Softether setup from scratch for uninitiated

[Andriy]

For some time I got issues with the inconsistency of SoftEther throughput and slow speed when using mixed type of setup including remote clients and site-to-site connections.
By slow speeds I mean having 80-170mbit/s at most while having 1gbit/s network and internet.
Eventually I debugged the issue and it took me quite a while to build a guide that covers setting up SoftEther while focusing on routing on a linux kernel level and making active use of routes.

This allowed to increase VPN throughput from 80-170 to at least 500mbit/s, and in certain cases reach 750mbit/s in site-to-site connections (while in practice 1gbit/s was around 850-900 mbit/s between sites). Which again proves that SoftEther has very small overhead and most of our problems are either due to network misconfiguration or due to the fact that we would like to overload VPN itself with impure VPN tasks (like NAT, routing, etc.)

Posting this guide here in case it might be useful to someone else:
https://docs.google.com/document/d/1qFz ... drive_link

(it is around 60 pages long, but the reason I built it was due to the fact that info on internet did not fully cover every needed step from the very beginning)

[solo]

Tests showed that pushing routes to clients can increase VPN throughput 2-3 times.
In reality - it highly depends on how fast your router is, but by substance pushing routes is always better because when a client starts searching for an IP on a remote network - it asks the VPN server directly instead of waiting for a response from the router (which might be busy).

Did you really mean "increase VPN throughput", not decrease VPN start-up?

[Andriy]

Yes, throughput, not startup.
Routes on client side has nothing to do with startup of VPN.
From what I observed - if routes are not located on client side - router has been reached out every time client needs to send a packet to a remote destination.
Thus I do recommend either pushing these through dhcp function or setting on client side manually.

Or do you mean by "startup of VPN" actual connection initiation for remote clients?

[solo]

So let's re-word it as follows: "Tests showed that pushing routes to clients is absolutely necessary to make this VPN work, otherwise there is no throughput whatsoever".

[Andriy]

It seems we have terminology subject in place, not the essence.

Let's narrow it down then - to best of my knowledge - throughput is the rate at which network messages are being delivered. Simply put - it's speed.

My point here is that - pushing routes does affect speed (aka throughput) rather than functionality in general.

Would it be more clear if I change throughout to speed?

[solo]

The terminology is fine. Without a route, there is no throughput. Please excuse me for not reading your entire impressive guide and clarify this part of your setup where without a route packets still reach their destination, albeit "2-3 times" slower. Are they taking a round trip?

[Andriy]

Ah, I see where I screwed up.
I'll think how to rebuild describing the routing steps to be more transparent about the fact that we need both - 1) routes set on the router for resilience and 2) routes pushed to clients via dhcp or set statically

I kind of mentioned that , but it was not too obvious when I read it second time.

Still, to increase resilience, it is advised to have both - routes set on the router itself and routes pushed to (or statically set at) clients.

But basically yes - if we set routing rule on router only - then packet will go to router, and then back and then to vpn server, which increases number of trips and depending how powerful router is - it might take ages.

[solo]

Great, we'll refer to your guide in future Linux topics. As it's off-site, please post a few keywords to make it discoverable for people searching this forum. Actually you could post as code the entire plain text.

[Andriy]

I'll add some keywords to original post.

Not sure is its usable to post ~30 pages of plain text though.
Since the point of the guide was also to show on-screen how the setting look like - it's just way easier for those who come across SoftEther for 1st time (or 2nd), but I do not find a way how to include screenshots here other than adding links and rely on 3rd party services.

Maybe I'll simplify the guide in future so it's more digestible in text only form.

[Andriy]

search keywords (could not edit original post anymore)

SoftEther Site-to-Site VPN Setup, Fix Low Throughput, Bridging, Linux Routing, NAT