TL;DR The article covers VPN troubleshooting for issues such as slow connections, authentication errors, and configuration problems, offering practical solutions for each.
Introduction to VPN Troubleshooting
Over a billion people use everyday Virtual Private Networks (VPN) to browse the Internet, communicate, and work remotely. A VPN application provides three main benefits to its users: privacy, encryption, and anonymity. As a result, many organizations require its employees to use VPN connections when accessing internal applications and enforce corporate remote access policies.
The goal of this article is to educate IT practitioners on the most common problems encountered when dealing with VPN connectivity issues. This analysis doesn’t focus on any specific VPN provider as we aim to provide general recommendations for troubleshooting VPN connections. In the last section, we present a method for continuous testing and monitoring of VPN connections with NetBeez. The benefit of this method is to reduce the time and resources that it takes to detect and troubleshoot an end-user error or a VPN outage.
Common VPN Problems
The most common VPN problems can be grouped into three categories: connection issues, authentication problems, and configuration issues. For each category, there’s a specific set of troubleshooting steps that must be taken to perform a comprehensive investigation. Let’s review what these are.
Troubleshooting VPN Connection Issues
VPN connection issues fall into two main categories: slow connections, and dropped connections.
Slow Connection
A slow VPN connection increases the time required to load files, access online resources, complete tasks, and cause choppy or distorted audio video calls. Generally, a low internet speed, or a weak wireless signal, can slow VPN connections down.
There are several internet speed test services available that can be used to diagnose slow connections. A simple web search with speedtest as keyword will return different options, such as speedtest.net by Ookla or fast.com by Netflix. Either option can be used to discover the download and upload speed that is available to the VPN user.
When possible, speedtest data should be paired with throughput measurements across the VPN connection. This can be done with a tool like iperf, which is an open source traffic generator. By comparing download and upload speeds from the speedtest with the throughput results from iperf, it’s possible to pinpoint if the slowness is caused by the internet connection, or the VPN tunnel.
Dropped Connections
This is the case where the VPN client struggles to establish a stable connection, and reconnects quite frequently. There are different reasons why a VPN connection drops or is bursty. For example, an unstable internet connection with an excessively high packet loss rate. One method to verify this is to first run a ping test to the IP address or fully qualified domain name (FQDN) of the VPN server and observe the drop rate. If ping reports high packet loss, it’s important to see if it’s within the vendor’s recommendations.
Traceroute is another troubleshooting command that is used at this stage of troubleshooting dropped VPN connections. A traceroute test to the IP address or FQDN of the VPN server could report one or more routers along the network path with high latency. This is another possible cause of dropped VPN connections.
VPN Authentication Problems
Authentication problems are relatively easy to identify due to the VPN not connecting at all. When this happens, as a first step you should inspect the log file of the VPN client. In the log file the VPN software writes down each step taken by the client to establish a VPN connection. If a step fails due to an error, or triggers warnings, the VPN client annotates it in the log file. Generally VPN authentication errors are logged due to invalid credentials or certificate errors.
Invalid Credentials
Invalid credentials errors happen for instance when the username, password, or shared key are incorrect. To fix this problem it’s necessary to review the VPN configuration file and update the VPN settings where needed. This assumes of course that the user has the required credentials, or paid subscription, to use the VPN service.
Certificate Errors
A VPN protocol may use digital certificates to encrypt the traffic between the client and the server. Certificate errors are reported by the VPN software. When this happens, the user may have to contact the customer support team to request the correct certificate to address the error.
Configuration Issues
There are two main configuration issues that can affect VPN connections. The first one is when the user has incorrect VPN settings, such as wrong TCP/IP port, or server reference. The second issue is when the network configuration doesn’t allow VPN connections to be established due to firewall rules.
Incorrect VPN Settings
VPN configuration issues can happen both server side and client side. Client side configuration errors are easily solvable by contacting the customer support team and requesting the correct configuration file or VPN settings. On the other end, server side configuration issues are more difficult to fix as they require expertise with the VPN solution adopted. In this case, it’s a problem that must be resolved by the VPN administrator or VPN provider.
Firewall Interference
Firewall are network devices that allow network administrators to restrict access to or from specific websites, applications, and hosts in general. Many enterprise organizations have firewalls in place at the edge of their network perimeter to prevent unauthorized access to its internal systems and sensitive data. Firewalls can prevent VPN connections from getting established. This typically happens because the firewall blocks certain ports or protocols that the VPN uses to establish the connection. To troubleshoot, check if the firewall rules are set to allow VPN traffic, specifically the tunneling protocols (like OpenVPN, IKEv2, or PPTP) used. If not configured properly, it can be resolved by adding a VPN exception in the firewall settings. Bottom line, ensure the firewall is set to allow both inbound and outbound traffic for the VPN.
Troubleshooting VPN Tips and Solutions
Diagnosing the Problem
When diagnosing a problem with a VPN connection, it is important to consider how a VPN works. The client attempts to connect to a VPN server. To have a successful connection a VPN client needs to have a reliable network connection, including firewall rules in place, and the correct VPN configuration, along with valid credentials. If a client cannot establish a VPN tunnel, it could be caused by incorrect network settings on the client, an unstable network connection, or a VPN configuration issue. Sometimes it could be even more than one problem. For this reason, it’s recommended to follow a basic set of troubleshooting steps that will deliver the information necessary to devise a resolution.
Basic Troubleshooting Steps
In this section we list some basic troubleshooting steps that should be followed when troubleshooting VPN connectivity issues. For simplicity, we divided these steps into two categories.
If the connection can’t be established
- Verify with ping and traceroute that the server is reachable and there’s no packet loss
- Inspect the logs or log file of the VPN client and ensure that no authentication or other errors are present
- Validate the network settings of the client’s system, ensuring that it can connect to other internet websites (e.g. google.com)
- Verify that the VPN configuration is correct and that a different protocol or a different server should be used
If the connection can be established but it’s slow or choppy
- Run a speedtest to evaluate the download and upload speed of the internet connection
- Run a throughput test across the VPN tunnel to measure the available bandwidth
- Inspect the logs or log file of the VPN client
Advanced Troubleshooting Techniques
We present an advanced method for troubleshooting VPN connectivity issues, called NetBeez. NetBeez enables automated testing and monitoring of end-users’ VPN connections by running simple tests on the end-users’ systems. Lightweight software clients for Windows and Mac are installed on desktop and laptops. Controlled by the NetBeez dashboard, clients are configured to run continuous testing against VPN servers, run speedtests as well as throughput tests across the VPN tunnel. This method enables IT administrators to constantly verify that the underlying network connection is reliable, and get alerts when it is not. NetBeez helps with proactive detection of VPN problems, and a quick identification of their root cause.
Conclusion
VPN connectivity issues can be categorized into connection, authentication, and configuration problems. Tools like speed tests, ping, and traceroute help diagnose slow or dropped VPN connections. Reviewing the VPN logs is another important step to identify authentication errors related to invalid credentials or certificates. Lastly, it’s important to consider possible network configuration problems, such as incorrect network settings on the client, or missing firewall rules to allow VPN traffic. A solution like NetBeez offers a simple way for continuous testing and monitoring of VPN connections with the goal of quickly detecting and resolving issues. Request a demo today or start a 14-day free trial.
