Score:4

Why do some VPN clients slow down the network connection even when they are not in use?


I work as an I.T. consultant, and I often have to install various VPN clients on my computer in order to connect to customers' networks; beginning in March 2020, I started always working from home for well-known reasons.

Until a couple months ago I had a 100 Mb/s ADSL Internet connection, thus I never noticed what I'm describing next; then I upgraded my connection to a FTTH 1Gb/s connection, which normally achieves 800-900 MB/s download speed and 100 Mb/s upload speed.

However, when I install some VPN clients, namely FortiClient and ForcePoint, something strange happens: my download speed gets capped at about 400 MB/s, even if no VPN connection is established and even if I kill all VPN-related processes and stop all related services; even if the VPN client software is not in use, and even if no process is running for it, my network connection still gets awfully slowed down; the only way to solve this is to completely uninstall the VPN client software.

At first I encountered this issue only with ForcePoint, but then I witnessed it again with FortiClient; no trouble occurred with other VPN clients, such as Cisco AnyConnect or CheckPoint.

Why is this happening? How can this happen, if the software is installed but not actually in use?

OS is Windows 10 21H1 x64, with latest updates.


Addendum.

This is not an isolated case on my PC, I have observed it on several different computers and it has been reported by other people using the software I mentioned; this seems to be an issue related to installing those specific VPN client packages, it's noticeable only when you actually have a fast Internet connection (the slowdown seems to cap it at about 400 Mb/s, you won't even notice it at all if your connection is slower to begin with) and it happens as soon as the software is installed, regardless of its actual usage; the only resolution is to uninstall the offending software.

Update

It looks like the issue is caused by network filter drivers which during the setup are installed and bound to all network adapters in the system, including the physical NICs and other virtual adapters which don't have any relationship at all with the VPN client you are installing.

Specifically:

  • ForcePoint installs a ForcePoint VPN Client Driver and binds it to all network adapters in the system.
  • FortiClient installs a FortiClient NDIS 6.3 Packet Filter Driver and binds it to all network adapters in the system.

If those drivers are unbound from the NICs, the problem disappears and the full connection speed comes back.

Other VPN clients (Cisco, CheckPoint) don't do such a thing, and they don't create this kind of slowdown.

Now the question becomes: can those drivers be safely unbound from real NICs without affecting the VPN client operation, or are they required instead?
Is this documented somewhere?

joeqwerty
I've observed the same strange behavior with the Sonicwall GlobalVPN client. As soon as it's installed it seems to cause internet connectivity to slow down, even if the VPN isn't active/connected.
Massimo
@anx You might be onto something here. Just tested now with ForcePoint: disabling the associated virtual network adapter does nothing, but the installer also binds a "ForcePoint VPN Client Driver" to *all* adapters in the system. Disabling *that* fixes the issue.
Massimo
Same goes for FortiClient, which binds a "FortiClient NDIS 6.3 Packet Filter Driver" to all adapters in the system; disabling *that* fixes the issue, too.
Massimo
I don't think they are actually buggy; this looks more like "we'll take complete control of all your networking with some kind of filter driver, of course it's for your security". Which nobody really asked them for.
anx
Are those 400 MB/s steady, is that a single CPU core maxed out, or half your pipe minus overhead? The type of bottleneck could be a clue.
Massimo
Good guess @anx. When running a speed test with one of those VPN clients installed, there is a lot of CPU usage and the first CPU core (of eight) gets maxed out.
Score:2

I can confirm by empirical testing that those VPN clients install a network driver which gets automatically enabled on each and every network interface.

Disabling this driver in the NIC properties (on NICs which are not related to that specific VPN) fixes the issue, and the VPN client still works.

I'm not going to reverse-engineer that, but at least this got rid of that awful speed cap without uninstalling the VPN software every time.

Score:0

The problem is Citrix's DNE Lightweight Filter. You can disable it, but then your VPN connection won't work. I don't know what Citrix did, but their driver either hogs or somehow reduces your internet bandwidth.

There's some sort of fix for wifi connections, but nothing for ethernet.

Score:0
anx

Sorry, these are only speculation:

  1. The drivers attached to the network adapters may be buggy or configured to cause traffic amplification or excessive fragmentation, even in disabled state:

    Bring up the full list with PowerShell Get-NetAdapterBinding, and check in the individual adapter settings which devices have which bindings enabled. Disable network adapters generally not used, and individually disable bindings not needed on specific adapters (there is a high probability the VPN software A can and does correctly handle the case where it is not attached to the virtual network adapter of VPN Software B).

  2. There is something awfully wrong around RSC or MTU configuration:

    Bring up the list of adapter options via PowerShell Get-NetAdapter | Format-List -Property "*" and compare whether any option is changed with a specific software's drivers enabled. Lowering MTU settings would be a far from elegant but easily tested & reverted method of working around a wide range of bugs and incompatible configurations.

  3. Your physical NIC driver is bad. They all are, so at least upgrade it to remove older bugs.

Massimo
I tried your suggestion, using only one problematic VPN client at a time (so no conflict between different clients); disabling its driver's binding to physical NICs effectively solves the problem. Apart from those bindings, nothing at all is changed in the NICs configuration when installing the VPN client software.
Massimo
Also, all NIC drivers are up-to-date.
anx
It does not *solve your problem* if you have to edit adapter options every time you want to use a different software though, right?
Massimo
Not really, but it's a definite step forward from having to install and uninstall them continuously (which usually requires a reboot).
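
The binding check and unbind step discussed in this thread, as an added PowerShell example that is not part of any poster's answer. The display-name patterns are taken from the driver names quoted in the question; the function names are hypothetical, and whether a given VPN client keeps working without its filter on the physical NIC has to be tested per product.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell.
# Patterns are assumptions based on the driver names quoted in the question;
# adjust them to what Get-NetAdapterBinding actually lists on your machine.
$FilterPatterns = @(
    '*ForcePoint VPN Client Driver*',
    '*FortiClient NDIS*Packet Filter Driver*'
)

function Get-VpnFilterBinding {
    # Return every adapter binding whose display name matches one of the patterns.
    param([string[]]$Patterns = $FilterPatterns)
    Get-NetAdapterBinding -Name '*' | Where-Object {
        $binding = $_
        # Inner $_ is the pattern; a non-empty result means at least one match.
        $Patterns | Where-Object { $binding.DisplayName -like $_ }
    }
}

function Disable-VpnFilterOnPhysicalNic {
    # Unbind the matched filter drivers from physical NICs only, leaving the
    # VPN clients' own virtual adapters untouched.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Patterns = $FilterPatterns)
    $physical = @((Get-NetAdapter -Physical).Name)
    Get-VpnFilterBinding -Patterns $Patterns |
        Where-Object { $_.Enabled -and ($physical -contains $_.Name) } |
        ForEach-Object {
            $action = "Disable binding '$($_.DisplayName)' ($($_.ComponentID))"
            if ($PSCmdlet.ShouldProcess($_.Name, $action)) {
                Disable-NetAdapterBinding -Name $_.Name -ComponentID $_.ComponentID
            }
        }
}

# 1. Audit: which adapters carry the filter drivers, and are they enabled?
Get-VpnFilterBinding | Sort-Object Name |
    Format-Table Name, DisplayName, ComponentID, Enabled -AutoSize

# 2. Preview the change without applying it.
Disable-VpnFilterOnPhysicalNic -WhatIf

# 3. Apply once the preview looks right:
# Disable-VpnFilterOnPhysicalNic
# Revert a single binding with:
# Enable-NetAdapterBinding -Name '<adapter>' -ComponentID '<component id>'
```

Record the `ComponentID` values from the audit step before changing anything, since they are what `Enable-NetAdapterBinding` needs to restore a binding. A client upgrade or reinstall may re-create the bindings, so the audit is worth re-running afterwards.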