Troubleshooting VPN Issues for WFH Employees


COVID-19 forced an overnight shift upon us, one that put as many employees as deemed necessary and feasible into a world-wide “work from home” arrangement. The initial hurdle for each IT department was to set up the basics to enable employees to get their work done – VPN tunneling was among them.

That hurdle was not only about making sure all employees had VPN set up on their devices, but also about scaling VPN concentrators from handling a small percentage of employees to handling all of them.

Three months later, the attention has shifted to supporting WFH employees around issues related to their new work environment. When a WFH user is having “network problems”, IT has to troubleshoot many components that may impact the WFH experience, including the WiFi network, the VPN connection, and the performance of the local ISP. The main problem is that System Administrators and Network Engineers have been called in to solve problems in a foreign infrastructure that provides zero visibility and control. 

Open Source Tools

There are many open source tools to help you troubleshoot network connectivity and performance issues. They come in handy when you need to jump on a call to quickly test the performance and connectivity from the end user’s device towards your DC, VPN concentrator, and the Internet.

Below is a list of utilities we hear being used a lot by Network Engineers and System Administrators:

Ping

Perhaps the most basic of tools to test reachability to a remote host. It’s widely available for all operating systems, and it’s easy to guide even an unskilled user to run a ping test and email you back the results. Typically you would ask the user to ping google.com, their gateway IP, and a VPN tunnel target. These give you basic connectivity information for the device, but also a rough idea of the latency and packet loss of their link towards the Internet, their WiFi router, and the VPN concentrator.

Here is a screenshot of what that looks like on Windows. The macOS console has a similar ping test.

Troubleshooting VPN connectivity with ping

To avoid asking your users to open a terminal and type a command, there are a few browser-based ping tests you can use, such as https://browserping.com/.
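
As an added example (not part of the original post), the following Python code parses the ping summaries a user pastes back from Windows, macOS or Linux and reports loss and average latency for the gateway, Internet and VPN targets. The sample outputs, the addresses, the `triage` helper and its 2% loss threshold are assumptions made for illustration.

```python
import re

# Constructed sample outputs (not taken from the page); addresses are placeholders.
WINDOWS_GATEWAY = """Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 5ms, Average = 3ms"""
MACOS_VPN = """--- 203.0.113.10 ping statistics ---
10 packets transmitted, 7 packets received, 30.0% packet loss
round-trip min/avg/max/stddev = 41.200/58.700/120.300/22.100 ms"""
LINUX_INTERNET = """--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 11.900/14.250/18.100/2.300 ms"""

COUNTS = [re.compile(r"Sent = (\d+), Received = (\d+)"),  # Windows
          re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")]  # macOS/Linux
AVERAGES = [re.compile(r"Average = (\d+)ms"),  # Windows
            re.compile(r"min/avg/max/\w+ = [\d.]+/([\d.]+)/")]  # macOS/Linux

def parse_ping(text):
    """Return sent/received counts, loss percentage and average RTT from a ping summary."""
    counts = next((m for p in COUNTS if (m := p.search(text))), None)
    if counts is None:
        raise ValueError("no ping summary found in pasted text")
    sent, received = int(counts.group(1)), int(counts.group(2))
    avg = next((m for p in AVERAGES if (m := p.search(text))), None)
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1) if sent else 100.0,
        # No RTT line is printed when every probe is lost.
        "avg_ms": float(avg.group(1)) if avg else None,
    }

def triage(gateway, internet, vpn, max_loss_pct=2.0):
    """Point at the nearest segment showing loss (threshold is an assumed default)."""
    if gateway["loss_pct"] > max_loss_pct:
        return "local WiFi/LAN"
    if internet["loss_pct"] > max_loss_pct:
        return "ISP / Internet path"
    if vpn["loss_pct"] > max_loss_pct:
        return "VPN path or concentrator"
    return "no significant loss"

if __name__ == "__main__":
    results = [parse_ping(t) for t in (WINDOWS_GATEWAY, LINUX_INTERNET, MACOS_VPN)]
    print(results, triage(*results))
```

Checking the gateway first matters: loss on the first hop also shows up in the Internet and VPN results, so only a clean gateway result lets you attribute loss to a later segment.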

Speedtest

This is a test that your users are most likely already familiar with, since it is the go-to test when someone experiences “slowness” issues. The most popular speedtest is the one supported by Ookla servers at speedtest.net. In addition, there is fast.com, which runs against Netflix’s CDN servers and has the added benefit of being ad free.

Testing Internet bandwidth with fast.com

Traceroute/MTR

If you need to get even more information, traceroute is another widely available utility that gives the hop-by-hop information from the end user’s device to the VPN concentrator, or to any other host.

Troubleshooting VPN hop-by-hop information with traceroute

MTR is a tool similar to traceroute that can also give you hop-by-hop packet-loss statistics. It requires downloading an executable on the end user’s device, but it might be worth the effort if you are looking to find out whether a specific node is exhibiting high packet loss.

Troubleshooting VPN hop-by-hop packet loss with MTR

iPerf

We’ve talked about iPerf’s capabilities, quirks, and bugs in other posts but, in the context of VPN monitoring, it can help you isolate bandwidth performance. It can also shed light on the jitter and packet loss from the end user’s device to your VPN concentrator or any other host in your DC. This is another test that requires downloading an executable on the user’s device, but it has both a GUI and a command line interface, which makes it easier for an unskilled user to interact with it.

Troubleshooting VPN network performance with iPerf

Limitations 

All these utilities are great, but using them on an ad-hoc basis has a few limitations:

  1. You can only use them in a reactive way, once a user complains
  2. You don’t have any historical information to compare against
  3. It is a hassle to get on the phone or on a shared screen with a user to run them

With the NetBeez remote worker agent all these limitations are lifted. After going through a standard software installation wizard, all these types of tests and many more are centralized and can be managed and run not only on a specific user’s device, but on the whole fleet in a scalable and productive way.

The user experience is captured and monitored continuously, and all data is logged and analyzed statistically, offering information that can be used to detect issues proactively and also providing data for troubleshooting when needed.

If you would like to learn more about monitoring VPN connections, I have added a link to a great write-up on how this can be done through NetBeez.