ISP v.s. VPN line speeds

Posted on 2014-12-15
Last Modified: 2014-12-22
I have a user who is telling me that on the VPN download = 8.71 mbps, upload speed = 7.94 mbps

Without VPN his home ISP offers, download = 92.47 mbps, upload speed = 9.65 mbps

Is this possible?
Question by:operationsIT
  • 2
  • 2
  • 2
  • +1
LVL 11

Expert Comment

ID: 40500929
Unless you use split-tunneling, when your user is connected via VPN, he is limited by the speeds available to YOUR network - that is, the network where the VPN terminates. How big is the Internet pipe at your office?
Do you have any throttling or bandwidth usage limitations in effect for your VPN solution?
LVL 27

Expert Comment

by:Predrag Jovic
ID: 40500940
Of course it is possible.
The simplest case is:
The same user can have on other side of VPN tunnel also 100/10Mbps link, so effective transfer between two VPN locations would be 10/10Mbps. Download speed on one side - is limited by upload speed of other side of VPN tunnel. There's protocol overhead, decryption and encryption of traffic, it all takes time, so speed is always slower then unencrypted line (9.65Mbps - 7,94Mbps), etc...
LVL 25

Expert Comment

by:Fred Marshall
ID: 40501082
As Predrag Iovic says... the VPN is limited by the *lower* of the upload speed at one end and corresponding download speed at the other end.  Then you apply this rule in both directions.

Perhaps less well known is that latency can have a major effect on apparent speed if the latency is large - such as half-way around the world.  In that case, latency affects hand-shaking speed which, in turn, affects actual throughput.  There are products being offered to help in those cases.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 40508994
@rharland2009 - the office pipe is 100M
We do not have split tunnel so the VPN users are using our network pipe.

@Predrac jovic/fmarshall - Can you give me an example of this "the VPN is limited by the *lower* of the upload speed at one end and corresponding download speed at the other end.  Then you apply this rule in both directions."
LVL 11

Accepted Solution

rharland2009 earned 250 total points
ID: 40509008
What they mean is this - your home user has a 100 down/10 up connection, for example.
Your office location at the other end of the VPN ALSO has a 100 down/10 up connection.
Home user connects via VPN. Without split-tunneling, this means that all traffic - both to the office resources AND the internet - traverses the VPN tunnel created between the two connections.
Home user, while connected to the VPN, does a download speed test.
Even though the office has a 100M pipe, the traffic to and from the home client while testing is constrained to 10M best case - because the internet traffic to the home client still has to traverse the 10M upstream link FROM the office to the home client.
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 250 total points
ID: 40510292
Let's assume that you have one site "A" that has 100 up / 100 down just to make it unrealistic but simple.
Let's also assume that you have another site "B" that has 10 up / 10 down.  More realistic maybe and also simple.

Now set up a VPN between the two.

Traffic from A to B can go up from A at 100 if theres some buffering "in the pipe".  
But that same traffic coming into B is limited at 10.
So, overall, the effective data rate from A to B is 10.
But you may have expected this because you know that B's down speed is 10.

Traffic from B to A can go up from B at 10.
Traffic from B to A might go down at A at 100 but only in bursts if that because B's up rate limits what can arrive.
So, overall, the effective data rate from B to A is 10.

Now let's make it a little more interesting and avoid any confusion because of the equal numbers I used above.  The numbers below are more typical of commodity / consumer connections with ADSL or even with cable connections:

Let's assume that you have one site "C" that has 5 up / 10 down.
Let's also assume that you have another site "D" that has 3 up / 10 down.

Traffic from C to D can go up from C at 5 if there's some buffering "in the pipe".  
And, that same traffic coming into D is limited to 10.
So, overall, the effective data rate from C to D is 5 because that's all C can provide.
This is a case where the upload speed at C limits.

Traffic from D to C can go up from D at 3.
Traffic from D to C might go down at C at 10 but only in bursts if that because D's up rate of 3 limits what can arrive at C.
So, overall, the effective data rate from D to C is 3 because that's all that D can provide.

Then, of course, there has to be handshaking and even perhaps some data sharing that's bigger "coming back".  (A file backup verification process might do that).  
- If most of the data is going UP from the site with slowest up speed then that will dominate.
- if some of the data is going up from the site with the highest up speed, then that will affect the speed and you won't achieve the higher up speed over all.

Author Closing Comment

ID: 40512992
Great thank you for the details!

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Join Greg Farro and Ethan Banks from Packet Pushers ( and Greg Ross from Paessler ( for a discussion about smart network …
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

806 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question