# PPTP VPN (mpd5) is very slow



## Selin (Mar 12, 2018)

Hi
Could you help me, please, with a VPN speed issue?
I need to connect two offices.
On both sides I have FreeBSD 10.4 with mpd5 configured for a LAN-to-LAN connection.
The problem is:
 - native network speed between offices (i.e. without VPN) 800-900Mbps
 - VPN network speed - 30-40Mbps

What shall I do to increase VPN speed?



```
# Office 1
startup:
    log +auth* +ecp* +iface* +phys* +link*

default:
    load vpn_Office2
    load pptp_links

vpn_Office2:
    create bundle static b_Office2
    set ipcp ranges 10.0.1.1/32 10.0.2.1/32
    set iface route 192.168.2.0/24
    load vpn_common

vpn_common:
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e128
    set bundle enable crypt-reqd
    set mppc yes stateless

pptp_links:
    set ippool add pool_pptp 192.168.1.101 192.168.1.250
    create bundle template b_pptp
    set bundle enable compression
    set bundle enable crypt-reqd
    set iface enable proxy-arp
    set iface idle 3600
    set iface enable tcpmssfix
    set ipcp enable vjcomp
    set ipcp ranges 10.0.1.1/32 ippool pool_pptp
    load vpn_common
    create link template l_pptp pptp
    set link action bundle b_Office2 Office2
    set link action bundle b_pptp
    load links_common

links_common:
    set link enable multilink
    set link enable acfcomp protocomp
    set link disable pap chap eap
    set link enable chap
    set link keep-alive 10 60
    set link mtu 1396
    set link mru 1396
    set link enable incoming
```


```
# Office 2
startup:
    log +auth* +ecp* +iface* +phys* +link*

default:
    load vpn_Office1
    load pptp_links

vpn_Office1:
    create bundle static b_Office1
    set iface route 192.168.1.0/24
    set bundle enable compression
    set bundle enable crypt-reqd
    set ccp yes mppc
    set mppc accept compress
    set mppc yes e40 e56 e128
    set mppc yes stateless
    create link static l_Office1 pptp
    set link action bundle b_Office1
    set link accept chap
    set auth authname "Office2"
    set auth password "password"
    set link keep-alive 10 60
    set link max-redial 0
    set link disable incoming
    set pptp peer office1.ip
    open

vpn_common:
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e128
    set bundle enable crypt-reqd
    set mppc yes stateless

pptp_links:
    set ippool add pool_pptp 192.168.2.101 192.168.2.250
    create bundle template b_pptp
    set iface enable proxy-arp
    set iface idle 3600
    set iface enable tcpmssfix
    set ipcp enable vjcomp
    set ipcp ranges 10.0.2.1/32 ippool pool_pptp
    load vpn_common
    create link template l_pptp pptp
    set link action bundle b_pptp
    load links_common

links_common:
    set link enable multilink
    set link enable acfcomp protocomp
    set link disable pap chap eap
    set link enable chap
    set link keep-alive 10 60
    set link mtu 1396
    set link mru 1396
    set link enable incoming
```


----------



## roberc (Mar 14, 2018)

I have the same issue.
Have read lots of manuals.
Nothing.
In the end I came to the conclusion that there's nothing I can do with PPTP. It's old and deprecated. Yes, very easy to configure. But old. Obsolete.
I guess you should try to switch to something else. Try L2TP/IPSec.


----------



## roberc (Mar 14, 2018)

Just take a look here:
https://forums.freebsd.org/threads/ipsec-aes256-performance.64488/#post-379053


----------



## Selin (Mar 14, 2018)

aesni is in loader.conf already...
So it looks like I have to move to L2TP, IPSec or OpenVPN.
The problem is: I need to have both - VPN client and server on the same machine.


----------



## xtaz (Mar 18, 2018)

PPTP is so old and insecure that you may as well not bother with it and just use the connection natively across the internet. It could be cracked in a couple of hours several years ago. Those hours are probably down to minutes now.

The easiest option is probably openvpn, which if you run it with the nobind option for the clients can run both server and several clients on the same machine. That option stops it binding to the same source port on all instances and makes it use a random port so that they can co-exist.

L2TP/IPSEC is another option but I personally found it hugely more difficult to set up and maintain.


----------



## Selin (Mar 18, 2018)

xtaz said:


> The easiest option is probably openvpn, which if you run it with the nobind option for the clients can run both server and several clients on the same machine.


Could you help me, please, with a config sample to set up an OpenVPN server and client on the same machine?


----------



## xtaz (Mar 20, 2018)

There are example config files here: https://openvpn.net/index.php/open-source/documentation/howto.html#examples

It depends on your exact setup, but take a read through the how-to.

For server and client on the same machine you would run it twice. Once with a server configuration and once with a client configuration. So two different binaries running from two different configs. And that's why you need the nobind config option on the client config, to prevent it trying to use the same port as the server is running on.

The most difficult part of openvpn config is setting up the CA/client/server certificates. But there is a tool called easyrsa which makes it easier; it's all mentioned in the how-to. The actual config of the server/clients is pretty simple.


----------
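A sketch of the two-instance layout described in the reply above, for the Office 2 machine from the original mpd5 setup: one OpenVPN process serves local clients, a second one dials Office 1 with `nobind`. This is an added example, not a config posted by anyone in the thread; the file paths, certificate names, the 10.8.2.0/24 tunnel subnet, the `tun0`/`tun1` device numbers and port 1194 on the Office 1 side are assumptions, and `AES-256-GCM` assumes OpenVPN 2.4 or later.

```conf
# ---- /usr/local/etc/openvpn/server.conf (path assumed) ----
# Instance 1: accepts clients, owns UDP 1194 on this host.
port 1194
proto udp
dev tun0                      # fixed unit so it never collides with the client instance
ca   ca.crt                   # CA created with easyrsa (file names assumed)
cert office2-server.crt
key  office2-server.key       # keep readable by root only
dh   dh.pem
topology subnet
server 10.8.2.0 255.255.255.0             # tunnel addresses (assumed range)
push "route 192.168.2.0 255.255.255.0"    # Office 2 LAN from the original post
keepalive 10 60
cipher AES-256-GCM            # AEAD cipher; benefits from the aesni module
persist-key
persist-tun

# ---- /usr/local/etc/openvpn/client.conf (path assumed) ----
# Instance 2: connects out to Office 1. Start it as a second
# openvpn process with its own --config file.
client
proto udp
dev tun1                      # different tun unit from the server instance
remote office1.ip 1194        # peer name as written in the mpd5 config
nobind                        # do not bind local port 1194; the server instance holds it
resolv-retry infinite
ca   ca.crt
cert office2-client.crt
key  office2-client.key
remote-cert-tls server        # reject peers that do not present a server certificate
cipher AES-256-GCM
persist-key
persist-tun

# For LAN-to-LAN routing, the Office 1 server additionally needs
#   route 192.168.2.0 255.255.255.0
#   client-config-dir ccd
# and a ccd/<client certificate CN> file containing
#   iroute 192.168.2.0 255.255.255.0
# plus a push of "route 192.168.1.0 255.255.255.0" to this client.
```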

