Ovpn with Qat - poor performance
-
I have a Netgate 6100 so QAT is enabled out the box. I’m using a privacy VPN. My provider offers wireguard or OpenVPN. Because I have Qat and using the supported ciphers I figured I would use ovpn. Speedtest results were pretty poor around 100Mbps down. My internet line is 500/500.
Switching to Wireguard has shown it to be extremely performant having achieved 400-500Mbps down with very minimal cpu. The opposite of what I expected. I’m running latest firmware.Question is why is ovpn with QAT enabled not showing the same performance?
Firewall: NetGate,Palo Alto-VM,Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP,CCNP Enterprise -
@michmoor said in Ovpn with Qat - poor performance:
Question is why is ovpn with QAT enabled not showing the same performance?
For that to work, according to what I've been reading lately, you need to enable DCO.
https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#cryptographic-thermal-hardware -
@mcury Alright i'll give it a shot and report back.
-
@michmoor said in Ovpn with Qat - poor performance:
@mcury Alright i'll give it a shot and report back.
I tried to use it but the OpenVPN server I'm connecting to requires some settings that are not compatible with DCO, so I had to disable it..
-
Yes you need DCO to use QAT with OpenVPN.
But note: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html#limitations
Steve
-
Update
Switched over to DCO. The gains are there now. I see im approaching my bandwidth limit.
The slight edge does go to wireguard tho but can confirm that enabling DCO improves speeds considerably.
A few speed tests and im getting the following
Keep in mind prior to DCO i was pulling maybe 200Mbps so its roughly a 2x increase.
-
Have you enabled DOC in OpenVPN and turned on ipim and hardware cryptography in system ——> advanced —-> miscellaneous.
check to see if it’s working after a connection with command
vmstat see if interrupts increment.
-
https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html
The best help guide is in this
-
What’s weird is my safexcel cipher chip shows id errors in 23.09.01 and no info. Like it’s having issues.
