    Possible move from IPsec to OpenVPN

    General pfSense Questions

    michmoor (LAYER 8 Rebel Alliance):

      I'm seeking more performance from my VPNs. I moved from WireGuard to IPsec site-to-site and I doubled my downloads. I'm now looking at OpenVPN with DCO enabled. Is there any data out there to show speed improvements over IPsec? Even 10% is welcome.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

    stephenw10 (Netgate Administrator):

        What speeds are you seeing now?

        6100/7100 at each end?

        I have seen OpenVPN with DCO show better throughput than IPSec, but there are a lot of variables. It's probably worth testing if you need every Mbps you can get, but it won't be dramatically faster.

        Steve

    michmoor (LAYER 8 Rebel Alliance):

          @stephenw10
          Between each test site: ~30 ms.
          Remote site with an OpenSpeedTest Docker container, on a 200/10 ISP service.

          WireGuard speed test: I can get 50/10.
          Switched over to IPsec: I can now get 120/10.

          I don't know why WireGuard was performing so poorly, but I have seen this come up in a few tests. Lowering the MTU had no impact on speeds. Once I switched some sites to IPsec, performance jumped considerably. No tuning needed.

          Now I am looking at OpenVPN with DCO.

          stephenw10 (Netgate Administrator):

            Hmm, well, at those speeds it's not a limitation in IPSec itself. A 6100 is capable of far higher than that. So I wouldn't expect OpenVPN/DCO to be much different unless something in the route is specifically throttling IPSec.

            michmoor (LAYER 8 Rebel Alliance), replying to @stephenw10:

              @stephenw10 Fair enough. Any idea why WireGuard was such a poor performer? I brought the MTU down to 1300 and no change.
              I don't think it's a path issue, only because IPsec NAT-T and WireGuard both use UDP for encapsulation. ISPs shouldn't care at that level.

              stephenw10 (Netgate Administrator), replying to @michmoor:

                @michmoor said in Possible move from IPsec to OpenVPN:

                    ISPs shouldn't care at that level.

                Indeed they shouldn't. But that doesn't mean they aren't!

                As you say, with NAT-T it's all just UDP traffic; it's far more common to see issues with ESP packets being mishandled.

                Steve

                jwt (Netgate), replying to @stephenw10:
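                Steve's point is that native ESP (IP protocol 50) and NAT-T (ESP or IKE carried in UDP 4500, RFC 3948) look very different to middleboxes. The following classifier, added here as an example and not taken from the thread or from pfSense, tells them apart in raw IPv4 packets using the RFC 3948 non-ESP marker, and labels WireGuard and OpenVPN only by their default UDP ports (an assumption; a site may use others). The sample packets are constructed inline.

```python
"""Classify raw IPv4 packets by VPN encapsulation (constructed sample packets)."""
import struct

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500       # RFC 3948: UDP-encapsulated ESP and IKE share this port
IKE_PORT = 500
WIREGUARD_PORT = 51820  # default WireGuard port (assumption for illustration)
OPENVPN_PORT = 1194     # default OpenVPN port (assumption for illustration)


def classify(pkt: bytes) -> str:
    """Return a label for the encapsulation carried by one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4       # IPv4 header length in bytes
    proto = pkt[9]
    if proto == ESP_PROTO:
        return "esp"                # native ESP: no UDP header for NAT/ISP gear to key on
    if proto != UDP_PROTO:
        return f"ip-proto-{proto}"
    udp = pkt[ihl:ihl + 8]
    if len(udp) < 8:
        return "truncated-udp"
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp)
    payload = pkt[ihl + 8:ihl + ulen]
    ports = {sport, dport}
    if NAT_T_PORT in ports:
        # RFC 3948 s2.2: four zero bytes (the non-ESP marker) mean IKE;
        # any other leading 32 bits is the SPI of UDP-encapsulated ESP.
        if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
            return "nat-t-ike"
        return "nat-t-esp"
    if IKE_PORT in ports:
        return "ike"
    if WIREGUARD_PORT in ports:
        return "udp-wireguard-port"
    if OPENVPN_PORT in ports:
        return "udp-openvpn-port"
    return "udp-other"


def build_ipv4(proto: int, payload: bytes, sport: int = 0, dport: int = 0) -> bytes:
    """Build a minimal constructed IPv4 (+UDP) packet; checksums are left zero."""
    if proto == UDP_PROTO:
        payload = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload
```

                Feeding real captures (for example the bytes of each frame after the Ethernet header) through `classify` shows whether a tunnel is actually running as native ESP or as NAT-T on a given path.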

                  @stephenw10 @michmoor We actually do see better speeds internally, with DCO > IPSec > Wireguard. These improve more with an improved crypto implementation in OCF (that isn't public yet).

                  There will be results announced at AsiaBSDCon (if the paper is accepted).

                  Also, DCO using AES-GCM-256 can be accelerated on QAT (and both the 5100 and 6100 support same) in 23.01.

                  michmoor (LAYER 8 Rebel Alliance), replying to @jwt:

                    @jwt @stephenw10 Appreciate your feedback here. Truly do.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.