Speed of Rsync through VPN

[Jens2]

Hi everybody,

here's a drawing of my setup.

Untitled Diagram.png

The VPN tunnel is established between the left firewall and the TS-453A. Data is mirrored from left to right using RSYNC through a VPN tunnel.

Unfortunately the NAS on the right does not have a publicly available IPv4 address and I failed to successfully setup an IPv6 port forward on the router there. Since QNAP seems to require the rsync job is always started from the source side it needs to start on the left NAS. But because I want the transfers to be encrypted they need to go through a VPN anyway. So the NAS on the right client connects to the firewall on the left and through the tunnel it's available from the left side.

The result is a very stable connection at around 2 Mbyte/sec.. Unfortunately that is not enough to mirror the daily delta of backups. I wouldn't complain if 2Mbyte/sec was really close to the limit of the internet connections. But when logging in to the NAS on the right and downloading something from the left side circumventing the VPN (so directly over the internet), I can get up to more than 3 Mbyte/sec.

The VPN is established with OpenVPN. The firewall is a Sophos UTM on a regular PC. I've already tweaked a bit with the encryption and compression settings to see if that is just overcharging any of the CPUs.
I've played between AES128-CBC and AES256 for the actual encryption and SHA256 to SHA512 for the packet authentication. I did not see much a change in transfer speed. Maybe an improvement of 100kbyte/sec, but nothing close to 3MByte/sec.
The MTU is identical on both sides of the VPN tunnel (1500). CPUs on both VPN endpoints are at less than 50%.

Does anybody have experience with what is possible when going through a VPN over a WAN connection?