Netgate Discussion Forum

    slow pfsense IPSec performance

    General pfSense Questions
    52 Posts 6 Posters 9.2k Views
    • stephenw10 Netgate Administrator

      OpenVPN is easy.
      Wireguard requires more manual setup but will be faster.

      Steve

      • mauro.tridici @stephenw10

        @stephenw10 Thank you for your reply.
        I just configured OpenVPN, it works, but it is slower than IPSEC...
        So, I have a last attempt to do using wireguard, but I read that "WireGuard is available as an experimental add-on package" in pfsense 2.6.0.

        What do you think about that? Should I give up and buy two new hypervisors with AES-NI enabled in order to use IPSEC and reach the expected performance?

        Thanks for your patience,
        Mauro

        • stephenw10 Netgate Administrator

          Hmm, well the first thing I would do is test running an IPSec tunnel between the sites using any other method. So preferably pfSense bare metal at each end. Make sure there isn't something in the route throttling VPN traffic.
          This feels more like a virtualization issue though.

          How slow is the OpenVPN tunnel? How are you testing it? How is it configured?

          Steve

          • A Former User

            [ 5] 0.00-10.09 sec 1.01 GBytes 864 Mbits/sec receiver

            Plus the TCP/IP overhead on top you get nearly 1 GBit/s.
            Getting something like 30 % throughput out of this with IPSec in a pure "in real life" situation is really nice in my eyes. Together with AES-NI you may get somewhat better numbers, and if QAT is in the game on both ends you may once again get better numbers for your VPN.

            What do you think about that? Should I give up and buy two new hypervisors with AES-NI enabled in order to use IPSEC and reach the expected performance?

            A small piece of second-hand hardware with a Xeon E3-12xxv2/3 will do the job with ease for you. I would not buy fully new VM host hardware. If money is tight, eBay might be the best place to get your hands on one.

            refurbished server for ~165 €
            All in one
            refurbished server for ~180 €
            Plus adding a case, psu and Intel i350 NIC

            • mauro.tridici @stephenw10

              @stephenw10 the OpenVPN tunnel bitrate is 120Mbps and I'm using the default configuration mentioned in the link you provided. I also tried to reduce the impact of encryption and authentication mode, but nothing changed.

              During the next days I will try to use bare metal pfsense instances. No limitation or something similar is throttling the VPN traffic in the route.

              Thank you very much.

              • mauro.tridici @A Former User

                @dobby_ thank you for sharing your suggestions. During the next days I will try to use two bare metal pfsense instances with AES-NI enabled. Thanks again for your help

                • A Former User @mauro.tridici

                  @mauro-tridici said in slow pfsense IPSec performance:

                  @dobby_ thank you for sharing your suggestions. During the next days I will try to use two bare metal pfsense instances with AES-NI enabled. Thanks again for your help

                  If so, and AES-NI is in the game, I would try out IPSec
                  together with AES-NI using AES-GCM instead of OpenVPN.

                  • mauro.tridici @A Former User

                    @dobby_ Sure, I will try to apply your suggestions. Should I activate some other option like "Cryptographic Hardware" in addition to your suggested settings?

                    • stephenw10 Netgate Administrator

                      120Mbps should be easily achievable without any crypto hardware. There's definitely something else going on here.

                      • A Former User @mauro.tridici

                        @mauro-tridici said in slow pfsense IPSec performance:

                        Sure, I will try to apply your suggestions. Should I activate some other option like "Cryptographic Hardware" in addition to your suggested settings?

                        It all depends on the hardware. If AES-NI is in the game, pfSense since 2.6 (CE or Plus version) will benefit from that, but if there is also QAT in the game I would personally upgrade to the pfSense Plus version and try out using QAT instead. But both together with IPSec AES-GCM.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.