VPN Throughput issues...

Earlier today I was asked by a WISP customer to look into poor throughput when a subscriber connected behind a PMP450 SM when they used a VPN.  The scenario in this case was that with the VPN not activated, the Link Capacity test showed throughput beyond the subscriber's data package limits, and tests to Speedtest.net were also within the range of the promises made by the Service Provider.

When the customer activated the VPN, throughput came to a crawl.  Normal testing of a VPN connection tends to center around the MTU settings in the VPN software or Hardware - generally an MTU setting of 1492 is big enough to allow for the packets with all the headers that get added to pass through the network unmolested.  Anything bigger risks packets being fragmented and a significant reduction in throughput.  Most often with this complaint...this is the source of the problem - although newer VPN software does a pretty good job of automating these settings where a few years ago that was not the case.

In this particular case we picked up a secondary issue - when the user attempted to place orders on a service like Amazon.com, the website correctly identified their home town.  With the VPN this could change, but should change to wherever the VPN is being terminated - in this case it should have been another US city but that is not what we observed.  In this case, all the traffic was headed to China.  Amazon locations were resolving to China.  Hmm, that's a problem, potentially a big one.  Possibly something has been very mis-configured, or at worst, the traffic is being hijacked.  In any case, it wasn't the fault of the Service Provider, and probably was either some misconfigured or malicious code on the VPN software, the PC being used, or the back end network that was being VPN connected.  No matter what the case, a scenario like that requires immediate diagnosis.


Alan - What is the diagnosis in this case? What should the provider do?