I work as an I.T. consultant, and I often have to install various VPN clients on my computer in order to connect to customers' networks; beginning in March 2020, I started always working from home for well-known reasons.
Until a couple of months ago I had a 100 Mb/s ADSL Internet connection, thus I never noticed what I'm describing next; then I upgraded my connection to an FTTH 1 Gb/s connection, which normally achieves 800-900 MB/s download speed and 100 Mb/s upload speed.
However, when I install some VPN clients, namely FortiClient and ForcePoint, something strange happens: my download speed gets capped at about 400 MB/s, even if no VPN connection is established and even if I kill all VPN-related processes and stop all related services; even if the VPN client software is not in use, and even if no process is running for it, my network connection still gets awfully slowed down; the only way to solve this is to completely uninstall the VPN client software.
At first I encountered this issue only with ForcePoint, but then I witnessed it again with FortiClient; no trouble occurred with other VPN clients, such as Cisco AnyConnect or CheckPoint.
Why is this happening? How can this happen, if the software is installed but not actually in use?
OS is Windows 10 21H1 x64, with latest updates.
Addendum.
This is not an isolated case on my PC; I have observed it on several different computers and it has been reported by other people using the software I mentioned. This seems to be an issue related to installing those specific VPN client packages; it's noticeable only when you actually have a fast Internet connection (the slowdown seems to cap it at about 400 Mb/s, you won't even notice it at all if your connection is slower to begin with) and it happens as soon as the software is installed, regardless of its actual usage; the only resolution is to uninstall the offending software.
Update
It looks like the issue is caused by network filter drivers which are installed during setup and bound to all network adapters in the system, including the physical NICs and other virtual adapters which don't have any relationship at all with the VPN client you are installing.
Specifically:
- ForcePoint installs a ForcePoint VPN Client Driver and binds it to all network adapters in the system.
- FortiClient installs a FortiClient NDIS 6.3 Packet Filter Driver and binds it to all network adapters in the system.
If those drivers are unbound from the NICs, the problem disappears and the full connection speed comes back.
Other VPN clients (Cisco, CheckPoint) don't do such a thing, and they don't create this kind of slowdown.
Now the question becomes: can those drivers be safely unbound from real NICs without affecting the VPN client operation, or are they required instead?
Is this documented somewhere?
I can confirm by empirical testing that those VPN clients install a network driver which gets automatically enabled on each and every network interface.
Disabling this driver in the NIC properties (on NICs which are not related to that specific VPN) fixes the issue, and the VPN client still works.
I'm not going to reverse-engineer that, but at least this got rid of that awful speed cap without uninstalling the VPN software every time.
Had the same problem... For ease of use in enabling/disabling the FortiClient NDIS Packet Filter Driver, I've made two PowerShell commands:
Enable:
Disable:
You have to change the Name parameter to the name of your Ethernet Adapter or rename it to "Ethernet".
Save each command in a .bat file and open it as admin.
Sorry, these are only speculation:
- The drivers attached to the network adapters may be buggy or configured to cause traffic amplification or excessive fragmentation, even in disabled state: Bring up the full list with PowerShell Get-NetAdapterBinding, and check in the individual adapter settings which devices have which bindings enabled. Disable network adapters generally not used, and individually disable bindings not needed on specific adapters (there is a high probability the VPN software A can and does correctly handle the case where it is not attached to the virtual network adapter of VPN software B).
- There is something awfully wrong around RSC or MTU configuration: Bring up the list of adapter options via PowerShell get-netadapter | Format-list -property "*" and compare whether any option is changed with a specific software's drivers enabled. Lowering MTU settings would be a far from elegant but easily tested & reverted method of working around a wide range of bugs and incompatible configurations.
- Your physical NIC driver is bad. They all are, so at least upgrade it to remove older bugs.
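
The per-adapter binding check and the enable/disable toggle described in the two answers above, as an added PowerShell example (not code from any of the posters): it reports every adapter where one of the filter drivers named in the question is bound, then optionally disables or re-enables it on a single adapter. The display-name patterns and the default adapter name "Ethernet" are assumptions taken from the text; adjust them to what Get-NetAdapterBinding shows on your system.

```powershell
# Added example, not from the original posts. Run elevated for Disable/Enable.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AdapterName = 'Ethernet',   # assumption: adapter name used in the answer above
    [ValidateSet('Report', 'Disable', 'Enable')]
    [string]$Action = 'Report'
)

# Assumption: display names as quoted on this page; the wildcard tolerates a
# different NDIS version string in the FortiClient driver name.
$FilterPatterns = @(
    'ForcePoint VPN Client Driver',
    'FortiClient NDIS*Packet Filter Driver'
)

# Names of physical NICs, to tell them apart from VPN/virtual adapters in the report.
$physical = @(Get-NetAdapter -Physical | Select-Object -ExpandProperty Name)

# Every binding whose display name matches one of the filter drivers.
$bound = @(Get-NetAdapterBinding | Where-Object {
    $name = $_.DisplayName
    $FilterPatterns | Where-Object { $name -like $_ }
})
if (-not $bound) { Write-Warning 'No matching filter driver binding found.'; return }

# Report first, so the state before any change is on screen and can be restored.
$bound | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Adapter     = $_.Name
        Physical    = $physical -contains $_.Name
        Filter      = $_.DisplayName
        ComponentID = $_.ComponentID
        Enabled     = $_.Enabled
    }
} | Format-Table -AutoSize | Out-Host

if ($Action -eq 'Report') { return }

# Change only the bindings on the one adapter that was asked for.
$targets = @($bound | Where-Object { $_.Name -eq $AdapterName })
if (-not $targets) { Write-Warning "No matching binding on '$AdapterName'."; return }

foreach ($t in $targets) {
    # Pass the script's -WhatIf through explicitly so a dry run changes nothing.
    & "$Action-NetAdapterBinding" -Name $t.Name -ComponentID $t.ComponentID `
        -PassThru -WhatIf:$WhatIfPreference
}
```

Run it with no arguments for the report only; add `-Action Disable -WhatIf` to preview a change before applying it.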
The problem is Citrix's DNE Lightweight Filter. You can disable it, but then your VPN connection won't work. I don't know what Citrix did, but their driver either hogs or somehow reduces your internet bandwidth.
There's some sort of fix for Wi-Fi connections, but nothing for Ethernet.