Why Are SMB File Transfers Slow Over A VPN?

Thats why ya use WebDAV !

Any traffic that has to traverse the firewall is going to have a bad day with latency, especially SMB and VPN connections.

Keep it on the switch as much as you can.

VPNs are for security, really, not speed. If you want speed setup a virtual desktop you can remote into.

Great video!

To clarify this, it’s not related directly to SMB, but rather the TCP transport layer. Because of the error/congestion correction in TCP, there is something called a window. This means that the client and server agree that X number of bytes will be sent before an the sender waits for the acknowledgment that all packets were received. There is also a feature that’s called window scaling which changes the size of that window based on the connection and can drastically affect your transfer speeds.

What’s happening here is that the higher latency is forcing the TCP window scaling to decrease, making the window smaller and therefore throttling the transfer speeds. So even if you have a tunnel with a full gig connection on both ends, this additional latency could mean your throughput is actually limited to something similar to a 100Mbps connection.

A couple work arounds are to play with your operating system to find if there are methods that could affect the window scaling to allow for high speed but high latency connections, but I’ve found this to be pretty tricky, especially on Windows machines. The other option is to run multiple streams whenever possible, because each stream will have its own window. But this obviously relies on the application implemented supporting that, which is another issue entirely.

If you want to optimize SMB over a VPN, make sure all your node types are "p-nodes", so they don't waste efforts on broadcast traffic, like b-, h-, and m- type node use.

I’ve been trying to explain this to people who insist on using SMB to send data to the other side of the world over a VPN. Thank you for the video. When they ask why we shouldn’t use SMB, I’m just going to send them a link to this video.

Perfect timing

Come back kermit, all is forgiven ;-)

One answer: LATENCY.

One of the places I've worked at used global protect for VPN. When I would go to pull up Active Directory Users and Computers over the VPN, it would take 20 minutes. No, I'm not making it up. They transfer that data over SMB1. Painful AF. I ended up just writing some powershell to pull what I needed from AD.

Hello, which tool was used to add additional latency? Would be interested to see how it's done or know via which tool it was done

Great explanation, but you left us wanting to know more…..like what we should be doing to address this. Is WebDAV or something else the way to go?

Great video. Many ty

Nice demo. Its physics, if you double the latency you essentially halve the realized bandwidth.

what about NFS ?

What’s an alternative that is just as or almost as easy for your average joe to use to move his files around?

Where was this when I was having to repeatedly explain this at work starting 3 years ago.

IIRC, SMB was also noisy, at least on the local LAN. Several years ago, during the first time I worked at IBM, I was reading some internal documentation about adapting it to work over IP. It had a lot of issues that made it a generally bad protocol. Originally, it was strictly a local LAN protocol, before IP made routing possible.

I hate to be that guy, but the title is a bit off-

Why are* smb file transfers slow over a vpn

I had to google it - is is for singular, are is for plural. "transfers" is plural so you are supposed to use "are" instead of "is"

my biggest question here is what are good alternatives that the simple windows end user can use to use another protocol or solution, my clients typically end up with unraid+tailscale and mounted shares on the machines 98% of the time there local so latency is low however the 2% they use the SMB share over the VPN however where talking about 1-5mb word files so it doesnt matter as much as the backup that runs only during the day so as to have them local I would like to switch that to at night

I had SMB Multiplexing running over l2tp in a LAB. It scaled not that bad.

Great video!! I definitely had the same question.

The other thing that people forget is that the upload speed of your own connection limits to how fast you can copy files to the main office . The default reaction to support is "But I have a 600mbit connection", yes, download to you, and a 60mbit upload that realistically limits it to 6MB/s.

It's a matter of perspective.

Always wondered, why smb over OpenVPN sucks balls, but over wireguard it's basically fine.

I had no idea. Thanks for the useful video!

Newer isn’t always better for SMB speed. A lot of the security “enhancements” actually hurt performance especially in versions from a year or two ago. Efforts have been made in the latest versions to improve the performance at least back to where it was. It would have been interesting to run the same test with NFS.

Fragmentation and packet size issues are the main cause. MTU, payload size your VPN protocol, SMB blocksize, Window sizes/scaling etc all need to be "fine tuned" for your specific needs. Sadly though most SMB servers can not change those parameters "on the fly" based on destination, so you either have good VPN performance OR LAN performance (which most users/admins prefer) - but not both. FYI I had spent 5 days on an OpenVPN connection with Wireshark mostly and got about 75% of the WAN speed through the VPN with SMB. Your router and ISP do not care what traffic they carry!

And what protocol do you recommend for this type of transfer? I'm asking this because I use sshfs, but I'm looking for more performant ways to solve the problem.

That explains why

Hi Tom, love your stuff. Would you have any detailed tutorial on how to access shares over the internet? I already have vpn , tunnel for services etc.

That thumbnail is hilarious 🤣

What should I use instead of SMB over VPN for Windows machines?

I think DFSR was designed with this in mine. It is the back end replication for Active Directory Domain Services SYSVOL. The problem is people misusing it for what it wasn't designed for (it is a lockless fileshare) . For example it can be set up for one way syncing Read-Write share to a Read share or two way which is where things go wrong when badly designed setups cause issues.

nice video but now you got me interested in seeing how other file sharing protocols perform in these conditions

especially for OpenVPN there's some buffer parameters you really, really want test adjusting. send / receive buffers are disputed but worked very well where I tried them.
but - if the link speeds are just too low or for badly optimized applications, it's often better to give access to a terminal server where people then work.

SMB is even worst in WIFI, only 2 mbps (megabit per sec) on 2GHZ, and a little faster on 5GHZ, but no much...

How were you able to add latency in your test?

Very interesting.
What do you use to mount SMB file shares? I tried to do that some time ago, and the result was awful, like if the file transfer was never going to finish.
On the office i use rsync with the SSH-FTP protocol in windows with cygwin to update quite a lot of files over VPN. It seems to work very well.

awsome had I known this earlier.
would NFS perform any better?

Follow up Question then: do other protocols have similar penalties? What protocol would you recommend for large point-to-point file transfers over WAN?

Hi Tom, have you tested SMB over QUIC at all? This is what Microsoft introduced in Server 2022 for accessing SMB shares via services such Azure Files.

As far as I know there hasn’t been any other improvements in SMB over WAN other than this.

Can you do a video on how to prevent ARP poisoning on Pfsense

Is there an alternative protocol for Windows to use? I know NFS exists for windows, but it doesn't have a UI and isn't really suited for normal people who don't want to mount via command line

How did you add the latency to the connection?

Awesome video thanks

Seriously thank you.

The problem is clear, and the solution? Witch protocol YOU raccomand? WebDAV, FTP, NFS. Every of these protocol can easily implement in Windows. If security is demanded throw VPN how can you obtain usability on typical file server office situation?

Thanks, as a Windows guy tried getting around the SMB limitation by creating an iscsi lun over the vpn (gigabit internet on both ends). No problem creating the iscsi lun, but when transferring a file to the new lun I'm getting the same speed as smb. Topping out at 4MB/s, latency between sites is in the 16ms range. Thoughts?

Thank you so much for this video..

So is there a protocol that works better than SMB but can also work on Windows?

Well Done!