Tech Note 0038

VPN Recommendations

How to avoid performance problems with Virtual Private Networks

A Virtual Private Network (VPN) captures local network packets and encapsulates each in a Wide Area Network (WAN) packet for customized security and routing.  VPN software and devices add extra overhead to network transport, which can cause performance problems.  Carefully choosing and configuring your VPN can avoid most problems and provide performance nearly as good as direct networking.  But choosing the wrong VPN setup can result in slow speeds or a complete loss of connectivity.

Use IPsec

Packet-based VPNs encapsulate each local datagram into a single WAN datagram, usually using IPsec for encryption and security.  Stream VPNs tunnel local datagrams through a TCP stream, usually using SSL.

Because MTP/IP uses UDP datagrams to implement its optimized flow control and error recovery, tunneling it through TCP/IP will completely defeat its performance advantages.  SSL VPNs are not compatible with MTP/IP.

Direct Routing

The VPN server should be located on the same local network as the MTP/IP server, and the VPN client should route packets along the most direct network path to that server.

Cloud hosted VPNs, anonymizing VPNs, and some Software Defined Networks (SDNs) route data through third-party systems, adding many hops and bottlenecks to the path.  For the best performance, the VPN packets should travel the same path as they would without a VPN.

Minimize Layers

Minimize the number of tunneling layers.  Do not reduce NIC MTU settings without a thorough understanding and testing of the consequences.

Encapsulating one datagram inside another involves adding extra header bytes to the datagram.  Nearly all internet hardware limits packets to 1500 total bytes, including media (Ethernet) headers.  Even a few extra bytes can push a datagram beyond that limit, resulting in packet fragmentation, poor performance, or loss of connectivity.  In addition to VPNs, routing and tunneling technologies such as MPLS and PPPoE can pile on more bytes.  IPv6 adds even more overhead.  Always keep the number of tunneling layers to a minimum.

MTP/IP on modern operating systems will quickly discover a workable MTU for the path, but if you have excessive layers of tunneling this may require a significant speed reduction.
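As an added illustration of the header budget described above (this is example code, not part of the tech note or of MTP/IP), the following Python estimates how much UDP payload survives a stack of tunnel layers before the 1500-byte limit forces fragmentation.  The per-layer header sizes are typical values and are assumptions; real deployments vary with cipher choice and options.

```python
"""Encapsulation overhead budget for a UDP datagram crossing stacked tunnels.

Constructed example.  Header sizes below are typical, assumed values.
"""

LINK_MTU = 1500  # bytes available above the Ethernet header on a standard link (assumed)

# Typical fixed header overhead per layer, in bytes (assumed values).
FIXED_OVERHEAD = {
    "ipv4": 20,
    "ipv6": 40,
    "udp": 8,
    "pppoe": 8,       # PPPoE header (6) + PPP protocol id (2)
    "mpls": 4,        # one MPLS label
    "nat-t-udp": 8,   # UDP encapsulation of ESP for NAT traversal
}

def esp_overhead(inner_len: int, iv_len: int = 8, icv_len: int = 16, align: int = 4) -> int:
    """ESP overhead: SPI+sequence (8), IV, padding to `align`, pad-len+next-header (2), ICV.
    Defaults assume an AES-GCM style transform (8-byte IV, 16-byte ICV)."""
    padding = (-(inner_len + 2)) % align
    return 8 + iv_len + padding + 2 + icv_len

def encapsulated_size(payload: int, layers: list[str]) -> int:
    """Bytes handed to the link after applying `layers` innermost-first to a UDP body.
    'esp' denotes the IPsec layer; follow it with the outer IP layer (tunnel mode)."""
    size = payload
    for layer in layers:
        size += esp_overhead(size) if layer == "esp" else FIXED_OVERHEAD[layer]
    return size

def fragments(payload: int, layers: list[str], mtu: int = LINK_MTU) -> bool:
    """True if this payload would exceed the link MTU after encapsulation."""
    return encapsulated_size(payload, layers) > mtu

def max_payload(layers: list[str], mtu: int = LINK_MTU) -> int:
    """Largest UDP payload that still fits in `mtu` without fragmentation.
    encapsulated_size is non-decreasing in payload, so a binary search suffices."""
    lo, hi = 0, mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if encapsulated_size(mid, layers) <= mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    for name, stack in [("direct", ["udp", "ipv4"]),
                        ("ipsec/ipv4", ["udp", "ipv4", "esp", "ipv4"]),
                        ("ipsec nat-t over ipv6+pppoe",
                         ["udp", "ipv4", "esp", "nat-t-udp", "ipv6", "pppoe"])]:
        print(f"{name:30s} max UDP payload = {max_payload(stack)} bytes")
```

Each extra layer shrinks the usable payload, and a datagram sized for the direct path (1472 bytes) fragments as soon as one IPsec tunnel is added.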

Hardware or Software

Hardware-based VPN servers, whether stand-alone or part of a router, generally offer superior performance to software-based VPN servers.

Testing

Whenever possible, test MTP/IP software both inside and outside of a VPN to determine whether adjustments need to be made.  If performance inside a VPN is poor, then carefully follow the instructions in Tech Note 0033 on both paths and submit a Technical Support Request for assistance.

Tech Note History

Nov 03 2022: First post.