DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

More VPN Users More Pain!

25 Mar 2020 11:45 #1 by cpcnw
More VPN Users More Pain! was created by cpcnw
Hi,

I now have 20 users set up with SSL VPN connections into the office from Windows 10.

I have told people only to login when they need files from the office server and to minimise connection time.

However I have noticed that when there are more than 3-4 people logged in via VPN the subsequent login attempts slow to a crawl or fail completely.

Any tips?

Model: 2760

25 Mar 2020 15:28 #2 by hornbyp
Replied by hornbyp on topic Re: More VPN Users More Pain!
I suspect you may have reached its limit :cry:

I can't find a spec. sheet that says how many inbound SSL VPN connections the 2760 supports - or even that it supports such connections. This https://www.voipon.co.uk/pdf_datasheet.php?products_id=4936 document seems to have more information than still exists on the Draytek web site and says it only supports TWO outbound VPN connections. Maybe it doesn't have a hardware VPN section that the other models seem to have?

(Note - while searching for the 2830's limits, I note that it supports 32 IPsec tunnels, but only 5 SSL. That model does have hardware support for VPN ... but I'm guessing it doesn't handle SSL. That would explain why the performance is so dire).

You could try a different approach. Use L2TP passthrough, and establish a VPN server on an internal machine. (RRAS, or one of the unix offerings etc).
You could set up a Web Server and point its home directory at some shared location. Obviously, authenticated access would be required.

Or even just a simple FTP server?

25 Mar 2020 17:48 #3 by cpcnw
Replied by cpcnw on topic Re: More VPN Users More Pain!
Thanks for replying.

Are the 2 tunnels specified for permanent router to router connections rather than 'software dial-in'?

The section for remote SSL VPN users has capacity for 30 entries...

If there are limitations we aren't averse to throwing more cash at this if you can recommend a model that's more up to the task!

Thanks!

26 Mar 2020 01:01 #4 by hornbyp
Replied by hornbyp on topic Re: More VPN Users More Pain!

cpcnw wrote:
Are the 2 tunnels specified for permanent router to router connections rather than 'software dial-in'?


I don't really know - and it doesn't say.

and he wrote:
The section for remote SSL VPN users has capacity for 30 entries...
If there are limitations we aren't averse to throwing more cash at this if you can recommend a model that's more up to the task!

Unfortunately, it doesn't necessarily follow, that all 30 users can be active at the same time. I don't have enough recent, relevant experience to recommend a particular model, but FWIW, these are my thoughts :-

Assuming you're sticking with Draytek, this is the Router Comparison chart. You have to go right up to the Vigor 2952, before you get support for >25 concurrent SSL VPN tunnels. The VPN throughput for that model is quoted as 200Mb/s, which (IMO), is really not that special when shared between the 50 tunnels it claims to support. (It also doesn't specifically say that it applies to SSL). The Draytek.com web site approaches things differently - and that site does, sort of, claim that a 2952 would be suitable for that volume.

I'm guessing a lot of people are in uncharted territory. There's a world of difference between occasional ad hoc usage by a few users - and suddenly the majority of the company wanting the 'office experience', from home. :( In many ways, now is the time to invoke the "Disaster Plan" (if such a concept is still "a thing"!)

It's really going to be a question for Draytek - or one of its resellers to answer. You can come up with some requirements, based on numbers of concurrent users, line speeds, application types etc and ask what they've got that's suitable. There may be more than a little guesswork involved and you may need to get creative with some of the bandwidth controls. (A restricted system being better than a non-functional one).

(Personally, I would go back to Plan-A (IPsec-based VPN) and steer clear of SSL, if possible. There are other reports on here of poor performance.)

30 Mar 2020 12:41 #5 by cpcnw
Replied by cpcnw on topic Re: More VPN Users More Pain!
Thanks for your advice. Since we have upgraded to a 2926AC

Whilst it allows more SSL VPN logins we only have 18Mb/s upload at the office so this is shared between everyone who logs in plus secure email.

When it gets busy it slows down to unusable.

There is another weird problem with Windows 10 'Dial_in' clients. Some that were working on Friday have now stopped working with the following;

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider '

Nothing changed and even if I recreate the profile I get the same.

The Draytek SmartVPN Client software however works ok...

Bloody Windows!!!

ps Do any Draytek Techs actually read / answer questions in these forums or is it more for users to help each other?

31 Mar 2020 01:35 #6 by hornbyp
Replied by hornbyp on topic Re: More VPN Users More Pain!

cpcnw wrote:
When it gets busy it slows down to unusable.


You've got some options under "Bandwidth Management". I've never tried the 'per-user' stuff, but Q.O.S. (and App QOS) can be used to good effect. You can set Email and such like to a pretty low value - the limits only start to get applied, when the line utilisation is high. One thing I don't know, is if the Router knows about its 'own' traffic - since it is the end-point of the VPN (just wondering, since I know Firewall rules can't be applied to that sort of traffic, it might apply to QOS too...)

and he wrote:
There is another weird problem with Windows 10 'Dial_in' clients. Some that were working on Friday have now stopped working with the following;
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider '


Which VPN client are you talking about here? I didn't think Windows 10 had a native SSL client, other than SSTP. That's not compatible, is it? :?

It's not too hard to find out what's wrong with certificates, if you can figure out which certificates it is talking about... :roll:
...most common problem would be that something in the chain had expired, I suppose, for the 'chain' to break on multiple clients at the same time. (Are the Windows 10 machines all cloned from the same image?)


ps Do any Draytek Techs actually read / answer questions in these forums or is it more for users to help each other?


The latter.

There are two mysterious users, Admin and Admin3 ... but they've never identified themselves. :?:

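An added example, not part of the original thread: one way to see which certificate in a chain Windows objects to, and whether the cause is expiry or an untrusted root (the condition named in the error quoted above). The function names and the two certificates are constructed for illustration and exist only in memory; `CertificateRequest` assumes .NET Framework 4.7.2 or later.

```powershell
# Constructed sample certificates: self-signed, created in memory, never installed.
function New-ConstructedCert {
    param([string]$Subject, [DateTimeOffset]$NotBefore, [DateTimeOffset]$NotAfter)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned($NotBefore, $NotAfter)
}

# Build the chain the way Windows does and report each element's status.
function Get-ChainDiagnosis {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # no CRL/OCSP lookups, works offline
    [void]$chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        # Each element carries zero or more status flags explaining a failure.
        $status = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        [pscustomobject]@{
            Subject       = $element.Certificate.Subject
            NotAfter      = $element.Certificate.NotAfter
            Expired       = $status -contains 'NotTimeValid'
            UntrustedRoot = $status -contains 'UntrustedRoot'
            Status        = if ($status) { $status -join ', ' } else { 'NoError' }
        }
    }
}

$now     = [DateTimeOffset]::UtcNow
$valid   = New-ConstructedCert 'CN=vpn-valid.example.test'   ($now.AddDays(-1))  ($now.AddDays(30))
$expired = New-ConstructedCert 'CN=vpn-expired.example.test' ($now.AddDays(-60)) ($now.AddDays(-1))

# Both are untrusted (not in the Trusted Root store); only the second is also expired.
$valid, $expired | ForEach-Object { Get-ChainDiagnosis $_ } | Format-Table -AutoSize
```

To check a real endpoint, export the certificate the VPN server presents to a file and pass it in as an `X509Certificate2` object instead of the constructed ones.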