Netgate Discussion Forum

    Performance mystery with PIA on pfsense

      techy82

      @mauroman33:

      @techy82:

      New York City

      Never tried. I usually go through Denmark or Sweden and with the configuration above I easily get the limit of the line (100Mbps)

      I'll try some different servers later and see how that goes, Thanks

        M_Devil

        pfSense 2.3.2. using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).

        Get full ISP speed (500/500 Mbit) with CPU load of ~30%

        Hardware: intel i5-3450
        VPN

        • AES-256-CBC
        • SHA256
        • fast-io;
        • sndbuf 524288;
        • rcvbuf 524288
        • Hardware acceleration enabled.
        • 2 fixed (same country as client) IP addresses for PIA.

        So it should not be PIA restricted, seems CPU restricted.

          mauroman33

          @M_Devil:

          pfSense 2.3.2. using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).

          Get full ISP speed (500/500 Mbit) with CPU load of ~30%

          Hardware: intel i5-3450
          VPN

          • AES-256-CBC
          • SHA256
          • fast-io;
          • sndbuf 524288;
          • rcvbuf 524288
          • Hardware acceleration enabled.
          • 2 fixed (same country as client) IP addresses for PIA.

          So it should not be PIA restricted, seems CPU restricted.

          This is interesting.
          How do you set the priority in the group? Both Tier 1 I guess.
          And what speed did you get using only one OpenVPN client?

            M_Devil

            Indeed, both tier 1.
            When using Blowfish (only option in the past), I could not push it above 200Mbit and it was unstable. By then I came up with the 2 client setup and that worked like a charm.
            Recently I switched to AES and with a quick test it seems that it could handle ISP speed also with one connection. I stick with 2 connections for stability and extra security reasons.

              mauroman33

              Thanks for your reply.

              I'm curious about the OpenVPN performance of various CPUs because of a future upgrade of my line and your CPU seems really interesting from my point of view.

              If you are willing, could you perform the simple OpenVPN benchmark referenced here?
              https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743 (Reply # 9 message)

              From the GUI run

              openvpn --genkey --secret /tmp/secret

              time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc

              Then, to give the execution time in seconds a real-world meaning:
              (3200 / execution_time_seconds) = Projected Maximum Performance OpenVPN in Mbps

              My Celeron N3150 gets a value of 116 Mbps, which is the same value it normally reaches during download through a PIA client.

                M_Devil

                Execution time = 9.433 seconds, so Projected Maximum Performance = 339 Mbit.

                Does this represent single core performance?

                Edit: In this case it does not represent maximum performance. It could easily push 500Mbit with ~30% load.

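The benchmark and the 3200 / seconds rule of thumb from the two posts above, wrapped into a script that also estimates how many parallel OpenVPN clients a target line rate would need (an added example, not part of any post in this thread). The function names, the one-core-per-client estimate and the cipher list (`aes-256-cbc` and `bf-cbc`, the OpenVPN names of the two ciphers mentioned in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. It reuses the benchmark command and the
# "3200 / seconds" rule of thumb exactly as posted; everything else is assumed.

# projected_mbps SECONDS -> projected single-process OpenVPN throughput in Mbps
projected_mbps() {
    awk -v t="$1" 'BEGIN { if (t <= 0) exit 1; printf "%.0f\n", 3200 / t }'
}

# clients_needed TARGET_MBPS PER_CLIENT_MBPS -> ceil(target / per_client), min 1.
# Assumes every client process gets a CPU core of its own; going beyond the
# number of cores will not add throughput.
clients_needed() {
    awk -v want="$1" -v have="$2" 'BEGIN {
        if (have <= 0) exit 1
        n = int(want / have); if (n * have < want) n++
        if (n < 1) n = 1
        print n
    }'
}

# bench_cipher CIPHER -> elapsed seconds of the crypto self-test from the thread
bench_cipher() {
    key=$(mktemp /tmp/ovpn-bench.XXXXXX) || return 1
    openvpn --genkey --secret "$key" >/dev/null 2>&1 || { rm -f "$key"; return 1; }
    # time -p writes "real <seconds>" to stderr; keep stderr, drop stdout
    out=$(/usr/bin/time -p openvpn --test-crypto --secret "$key" --verb 0 \
        --tun-mtu 20000 --cipher "$1" 2>&1 >/dev/null); rc=$?
    rm -f "$key"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$out" | awk '$1 == "real" { print $2 }'
}

# Runs only when a target line rate in Mbps is given as the first argument.
if [ -n "${1:-}" ] && command -v openvpn >/dev/null 2>&1; then
    for c in aes-256-cbc bf-cbc; do
        s=$(bench_cipher "$c") || continue      # cipher unavailable: skip it
        [ -n "$s" ] || continue
        m=$(projected_mbps "$s") || continue
        echo "$c: ${s}s -> ~${m} Mbps per client," \
             "$(clients_needed "$1" "$m") client(s) for $1 Mbps"
    done
fi
```

With the 9.433 s result reported above, the script gives about 339 Mbps per client and 2 clients for a 500 Mbps line, which matches the two-client gateway group described in this thread.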
                  mauroman33

                  As far as I know OpenVPN works in single thread, but I could be wrong… anyway your CPU is a beast!  ;)
                  Thanks for letting me know.

                    AR15USR

                    Not sure if this will help, but try turning off the Hardware Crypto setting in pfSense:

                    https://forum.pfsense.org/index.php?topic=115627.0


                    2.6.0-RELEASE

                      M_Devil

                      If OpenVPN is indeed single threaded you can try multiple clients like me.
                      Looks like your Celeron has multiple cores.

                        mauroman33

                        As I remembered, OpenVPN is not scalable:
                        https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_openvpn_performance

                        I wanna say thanks to M_Devil for his tip: using multiple PIA clients I will not have the need to change my router after the line's upgrade.

                          M_Devil

                          Glad to help you. Please let us know if it worked out.

                            mauroman33

                            Of course! Thank you again.  :)

                              pigbait

                              @M_Devil:

                              pfSense 2.3.2. using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).

                              Get full ISP speed (500/500 Mbit) with CPU load of ~30%

                              Hardware: intel i5-3450
                              VPN

                              • AES-256-CBC
                              • SHA256
                              • fast-io;
                              • sndbuf 524288;
                              • rcvbuf 524288
                              • Hardware acceleration enabled.
                              • 2 fixed (same country as client) IP addresses for PIA.

                              So it should not be PIA restricted, seems CPU restricted.

                              Could you please explain the steps you took to set this up? I'm lost on how you grouped the 2 vpn connections?

                              Still learning pfsense stuff. And this would probably help others also.

                              Thanks

                                M_Devil

                                First make sure you have 2 operational VPN client connections. Test both of them with firewall rules and check if you can browse pages and check the IP address.

                                After that: System -> routing -> Gateway groups. Add new gateway group and select both VPN-client interfaces as Tier 1. Give the new gateway group a name and save it.
                                Now you can select this new gateway in your firewall rules and let the traffic flow  :)

                                @pigbait: Does this answer your question?

                                  pigbait

                                  @M_Devil:

                                  First make sure you have 2 operational VPN client connections. Test both of them with firewall rules and check if you can browse pages and check the IP address.

                                  After that: System -> routing -> Gateway groups. Add new gateway group and select both VPN-client interfaces as Tier 1. Give the new gateway group a name and save it.
                                  Now you can select this new gateway in your firewall rules and let the traffic flow  :)

                                  @pigbait: Does this answer your question?

                                  I think I can manage  :o if not I'll keep you posted. Thanks for your time with this, I appreciate it.

                                    pigbait

                                    @M_Devil:

                                    First make sure you have 2 operational VPN client connections. Test both of them with firewall rules and check if you can browse pages and check the IP address.

                                    After that: System -> routing -> Gateway groups. Add new gateway group and select both VPN-client interfaces as Tier 1. Give the new gateway group a name and save it.
                                    Now you can select this new gateway in your firewall rules and let the traffic flow  :)

                                    @pigbait: Does this answer your question?

                                    I'm lost in the firewall rules. I don't see the gateway group?

                                    thanks

                                      mauroman33

                                      @pigbait:

                                      @M_Devil:

                                      First make sure you have 2 operational VPN client connections. Test both of them with firewall rules and check if you can browse pages and check the IP address.

                                      After that: System -> routing -> Gateway groups. Add new gateway group and select both VPN-client interfaces as Tier 1. Give the new gateway group a name and save it.
                                      Now you can select this new gateway in your firewall rules and let the traffic flow  :)

                                      @pigbait: Does this answer your question?

                                      I'm lost in the firewall rules. I don't see the gateway group?

                                      thanks

                                      If you can see the group you've created in Status>Gateways>Gateway Groups, you also should see it in the Advanced Options of the firewall rule you're going to modify.


                                        pigbait

                                        @mauroman33:

                                        @pigbait:

                                        @M_Devil:

                                        First make sure you have 2 operational VPN client connections. Test both of them with firewall rules and check if you can browse pages and check the IP address.

                                        After that: System -> routing -> Gateway groups. Add new gateway group and select both VPN-client interfaces as Tier 1. Give the new gateway group a name and save it.
                                        Now you can select this new gateway in your firewall rules and let the traffic flow  :)

                                        @pigbait: Does this answer your question?

                                        I'm lost in the firewall rules. I don't see the gateway group?

                                        thanks

                                        If you can see the group you've created in Status>Gateways>Gateway Groups, you also should see it in the Advanced Options of the firewall rule you're going to modify.

                                        What is the location under the firewall I want to modify that's what I don't understand. I can follow system>routing>gateway groups.  I made the group then I don't understand what I need to do or where to go in the firewall rules.. sorry I'm a complete noob…

                                        Also my group under status shows offline? Not sure if that's normal till the firewall rules are set.

                                          mauroman33

                                          @pigbait
                                          Have you enabled the VPN connections, one per gateway? If yes, your gateway group should be online.
                                          So you should go to Firewall>Rules>LAN and in the field "Gateway" of the "Advanced Options" of the pass rule that your devices are using to go out (eg "Default allow LAN IPv4 to any rule"), you should select the gateway group.

                                            whosmatt

                                            @mauroman33:

                                            With a benchmark like that I would have expected about 100 Mbps in download.
                                            I regret not being able to help you more.
                                            The only thing I can add to the info about my settings is that I'm running the 2.3.2 stable version.
                                            If you solve the issue, I'd like to read the adopted solution.
                                            Cheers

                                            Back at it.  With two clients I can reach about 120Mbps in a speed test.  At that point, my CPU shows 0% idle in top.  So, I just took possession of an Athlon 5350 to replace the Sempron 2650.  That will give me four cores at 2GHz instead of two at 1.45GHz.  Additionally, I'm replacing the laptop drive with an SSD.  (not that that has any bearing on OpenVPN, just doing it while I'm taking the box down for an upgrade).  Will report back.
