Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Performance mystery with PIA on pfsense

    Scheduled Pinned Locked Moved OpenVPN
    56 Posts 9 Posters 17.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      whosmatt
      last edited by

      The performance test with AES-NI enabled gives me a theoretical max of 92Mbps.

      1 Reply Last reply Reply Quote 0
      • M
        mauroman33
        last edited by

        With a benchmark like that I would have expected about 100 Mbps in download.
        I regret not being able to help you more.
        The only thing I can add to the info about my settings is that I'm running the 2.3.2 stable version.
        If you will solve the issue, I'd like to read the adopted solution.
        Cheers

        1 Reply Last reply Reply Quote 0
        • T
          techy82
          last edited by

          i've got 200mbps but can only seem to get 20mbps via pia

          I have a

          Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
          2 CPUs: 2 package(s) x 1 core(s)

          and the following custom options

          auth-user-pass /etc/openvpn-password.txt;
          fast-io;
          sndbuf 524288;
          rcvbuf 524288

          AES cryptographic is enabled,

          if you find a way to improve it it would be great to know

          thanks!

          1 Reply Last reply Reply Quote 0
          • M
            mauroman33
            last edited by

            @techy82
            just out of curiosity, what PIA server are you connecting?

            1 Reply Last reply Reply Quote 0
            • T
              techy82
              last edited by

              new york city

              1 Reply Last reply Reply Quote 0
              • M
                mauroman33
                last edited by

                @techy82:

                new york city

                Never tried. I usually go through denmark or sweden and with the configuration above I easily get the limit of the line (100Mbps)

                1 Reply Last reply Reply Quote 0
                • W
                  whosmatt
                  last edited by

                  @mauroman33:

                  I regret not being able to help you more.

                  You've helped plenty. Thanks.  Once I get home from my travels and am not testing remotely I'll be able to try tweaking a few more settings.  Worst case I buy an Athlon 5350 or 5370 for a 50% + single thread improvement.

                  1 Reply Last reply Reply Quote 0
                  • T
                    techy82
                    last edited by

                    @mauroman33:

                    @techy82:

                    new york city

                    Never tried. I usually go through denmark or sweden and with the configuration above I easily get the limit of the line (100Mbps)

                    I'll try some different servers later and see how that goes, Thanks

                    1 Reply Last reply Reply Quote 0
                    • M
                      M_Devil
                      last edited by

                      pfSense 2.3.2. using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).

                      Get full ISP speed (500/500 Mbit) with CPU load of ~30%

                      Hardware: intel i5-3450
                      VPN

                      • AES-256-CBC
                      • SHA256
                      • fast-io;
                      • sndbuf 524288;
                      • rcvbuf 524288
                      • Hardware acceleration enabled.
                      • 2 fixed (same country as client) IP adresses for PIA.

                      So it should not be PIA restricted, seems CPU restricted.

                      1 Reply Last reply Reply Quote 0
                      • M
                        mauroman33
                        last edited by

                        @M_Devil:

                        pfSense 2.3.2. using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).

                        Get full ISP speed (500/500 Mbit) with CPU load of ~30%

                        Hardware: intel i5-3450
                        VPN

                        • AES-256-CBC
                        • SHA256
                        • fast-io;
                        • sndbuf 524288;
                        • rcvbuf 524288
                        • Hardware acceleration enabled.
                        • 2 fixed (same country as client) IP adresses for PIA.

                        So it should not be PIA restricted, seems CPU restricted.

                        This is interesting.
                        How do you set the priority in the group? Both Tier 1 I guess.
                        And what speed did you get using only one OpenVPN client?

                        1 Reply Last reply Reply Quote 0
                        • M
                          M_Devil
                          last edited by

                          Indeed, both tier 1.
                          When using Blowfish (only option in the past), I could not push it above 200Mbit and unstable. By then I came up with the 2 client setup and that worked like a charm.
                          Recently I switched to AES and with a quick test it seems that it could handle ISP speed also with one connection. I stick with 2 connection for stability and extra security reasons.

                          1 Reply Last reply Reply Quote 0
                          • M
                            mauroman33
                            last edited by

                            Thanks for your reply.

                            I'm curious about the OpenVPN performance of various CPUs because of a future upgrade of my line and your CPU seems really interesting from my point of view.

                            If you are willing, could you performed the simple OpenVPN benchmark referenced here?
                            https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743 (Reply # 9 message)

                            From the GUI run

                            openvpn –genkey --secret / tmp / secret

                            --test time openvpn-crypto --secret / tmp / secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc

                            Then to give the execution time in seconds in real-world meaning:
                            (3200 / execution_time_seconds) = Projected Maximum Performance OpenVPN in Mbps

                            My Celeron N3150 gets a value of 116 Mbps that's the same value that normally reaches during download trough a PIA client.

                            1 Reply Last reply Reply Quote 0
                            • M
                              M_Devil
                              last edited by

                              Execution time = 9.433 seconds, so Projected Maximum Performance = 339 Mbit.

                              Does this represent single core performance?

                              Edit: In this case it does not represent maximum performance. It could easly push 500Mbit with ~30% load.

                              1 Reply Last reply Reply Quote 0
                              • M
                                mauroman33
                                last edited by

                                As far as I know OpenVPN works in single thread, but I could be wrong… anyway your CPU is a beast!  ;)
                                Thanks for letting me know.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  AR15USR
                                  last edited by

                                  Not sure if this will help, but try turning off the Hardware Crypto setting in pfSense:

                                  https://forum.pfsense.org/index.php?topic=115627.0


                                  2.6.0-RELEASE

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    M_Devil
                                    last edited by

                                    If OpenVPN is indeed single threaded you can try multiple clients like me.
                                    Looks like your Celeron has multiple cores.

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      mauroman33
                                      last edited by

                                      As I remembered, OpenVPN it is not scalable:
                                      https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_openvpn_performance

                                      I wanna say thanks to M_Devil for his tip: using multiple PIA clients I will not have the need to change my router after the line's upgrade.

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        M_Devil
                                        last edited by

                                        Glad to help you. Please let us know if it worked out.

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          mauroman33
                                          last edited by

                                          Of course! Thank you again.  :)

                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            pigbait
                                            last edited by

                                            @M_Devil:

                                            pfSense 2.3.2. using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).

                                            Get full ISP speed (500/500 Mbit) with CPU load of ~30%

                                            Hardware: intel i5-3450
                                            VPN

                                            • AES-256-CBC
                                            • SHA256
                                            • fast-io;
                                            • sndbuf 524288;
                                            • rcvbuf 524288
                                            • Hardware acceleration enabled.
                                            • 2 fixed (same country as client) IP adresses for PIA.

                                            So it should not be PIA restricted, seems CPU restricted.

                                            Could you please explain the steps you took to set this up? I'm lost on how you grouped the 2 vpn connections?

                                            Still learning pfsense stuff. And this would probably help others also.

                                            Thanks

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.