Netgate Discussion Forum

Looking for the right hardware for a pfsense openvpn client

    pleasewhat
    last edited by Mar 1, 2015, 10:57 AM

    Hi guys,

    I want to build my own pfsense machine for a 50 up/10 down connection (at a later point I want to upgrade to 100/40 maybe) and I'm looking for suitable hardware. My main requirements are:

    1. I want to use a VPN client on the pfsense with the following specs: TLS+Cipher: TLSv1.2 + AES-256-CBC, HMAC-Auth: SHA-512, RSA-Keys: 4096 bit
    2. A low energy level (no 100 watt CPU e.g.)

    I am looking for a potent CPU for the VPN encryption with low power usage. It should not be too expensive ;)

    Currently I am looking at the AMD Athlon 5150, AMD A4-5000 or Intel Celeron J1900, but I have no experience to estimate which CPU is sufficiently strong. Does anyone here have personal experience? :)

    That would be a great help!

      kejianshi
      last edited by Mar 1, 2015, 11:26 AM

      almost anything will do in the last decade.

        heper
        last edited by Mar 1, 2015, 11:30 AM

        @kejianshi:

        almost anything will do in the last decade.

        if you want to push +100mbit over openvpn you are going to need some cpu power …

          pleasewhat
          last edited by Mar 1, 2015, 11:39 AM

          @heper:

          @kejianshi:

          almost anything will do in the last decade.

          if you want to push +100mbit over openvpn you are going to need some cpu power …

          In the meantime, I've found this: https://forum.pfsense.org/index.php?topic=65171.0

          The result is: I can forget all three CPUs, because they are too weak :( Maybe they can handle 50mbit but for 100mbit they are so weak?

            kejianshi
            last edited by Mar 1, 2015, 1:23 PM

            Seriously, even my 10 year old junk personal box can handle it.  Look at the specs on the pfsense store.  They say what they can handle.

              stephenw10 Netgate Administrator
              last edited by Mar 1, 2015, 5:18 PM

              Yep, like I said in the thread you linked to you won't do it with an old Atom but almost anything else will. I would expect (though I've not tested personally) the J1900 to do it easily for example.

              Steve

                maturola
                last edited by Mar 2, 2015, 2:34 AM

                @please:

                1. I want use a vpn client on the pfsense with the following specs: TLS+Cipher: TLSv1.2 + AES-256-CBC, HMAC-Auth: SHA-512, RSA-Keys: 4096 bit 
                2. A low energy level (no 100 watt CPU e.g.)

                As far as covering your connection, any modern CPU would do it. Since you want low power, focus on the latest Atom, Celeron or Pentium.

                My favorites are:
                • Jetway NC9MGL-525
                • Supermicro A1SRi-2758F-O
                • Supermicro A1SRI-2558F-O (If you want to save some $$)
                  Derelict LAYER 8 Netgate
                  last edited by Mar 2, 2015, 3:36 AM

                  I am running the stack in the diagram linked in my sig on XenServer 6.5 on a Core i5-3470T 2.90GHz (35W).  pfSense A & B and Host A1 and B1 are each given 1 vCPU.

                  I just ran some iperfs between Host B1 and Host A1

                  | Cipher | Auth | Throughput |
                  | --- | --- | --- |
                  | AES256-CBC | SHA512 | 113Mbit |
                  | AES128-CBC | SHA256 | 111Mbit |
                  | AES128-CBC | ECDSA-SHA1 | 128Mbit |
                  | AES128-CBC | SHA1 | 128Mbit |
                  | BF-CBC | SHA1 | 102Mbit |

                    kejianshi
                    last edited by Mar 2, 2015, 3:57 AM Mar 2, 2015, 3:52 AM

                    @stephenw10:

                    Yep, like I said in the thread you linked to you won't do it with an old Atom but almost anything else will. I would expect (though I've not tested personally) the J1900 to do it easily for example.

                    Steve

                    I have a J1900.  It will do it fairly easily.  I'd be careful with the J1900 though.  Depending on BIOS, it might be a pain to install and boot.  Mine is fine, but it does have the bad habit of discarding its proper boot sequence anytime someone plugs in / unplugs any USB storage, and then I have to set the boot order again, otherwise it will just sit there on next reboot.

                    I suppose this might not be an issue if it's set up with pfsense, plugged in and left alone.

                      stephenw10 Netgate Administrator
                      last edited by Mar 2, 2015, 9:51 AM

                      Ouch, that's a nasty bug. At least it does boot though as you say.  ;)

                      Steve

                        kejianshi
                        last edited by Mar 2, 2015, 10:08 AM

                        Yeah - If you install pfsense or Linux in a box no one touches, you are fine.  But if you are plugging/unplugging drives or have people in the house who can't leave boxes alone, it can be a pain.  I've taught people to leave it alone and it is a good box.  Runs on pretty much any DC voltage you might have access to and it's very cool.  Generally speaking, I like it, especially for the price, but depending on the personality of the person using it and their level of techyness, it could be a bad choice.

                          pleasewhat
                          last edited by Mar 2, 2015, 8:50 PM

                          I thank you for your answers.

                          I currently prefer a 1037U. The Supermicro A1SRI-2558F-O looks nice but it costs over 290 USD in Germany, the 1037U only 104 USD with an additional Intel PRO/1000 PT Dual Port PCI-E 39Y6128.

                          And I think the 1037U has enough power for 100/40.

                            domo
                            last edited by Mar 3, 2015, 12:45 AM

                            As a few have already suggested, look into the Intel Atom Rangeley.
                            http://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors#.22Rangeley.22_.2822_nm.29_3

                            There is also support for AES-NI.
                            https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
                            Look at the difference in speed 3sec to 0.1sec.

                            I know pfsense offers an appliance with this chip or I've had great experience with the Supermicro C2758 (8-core) or C2558 (4-core).

                            I don't have experience with the J1900 but I've seen several threads where people have listed various issues.
