CPU to Saturate 150mbit up and down simultaneously via VPN?
-
To add to this, AES-256-GCM = AES-256-CTR and SHA256 combined.
-
To add to this, AES-256-GCM = AES-256-CTR and SHA256 combined.
N.b., there is zero reason to use AES-256 on your home VPN rather than AES-128.
-
I ordered parts for a 7700K pfsense router. Probably a little overkill, but I wanted to future proof and honestly, that CPU isn't very expensive considering. Spent about 700 total, but should be decent. Got an intel quad NIC also.
-
I ordered parts for a 7700K pfsense router. Probably a little overkill, but I wanted to future proof and honestly, that CPU isn't very expensive considering. Spent about 700 total, but should be decent. Got an intel quad NIC also.
Make sure you get a pair of GTX-1080Ti's in SLI to go with that, they can really be leveraged for outstanding IDS/IPS throughput.
And I'd suggest a pair of 1TB Samsung 960 PRO's in a ZFS mirror so it doesn't bottleneck your logs.
-
I mean I could do that, but my gaming machine already has that :p
-
To add to this, AES-256-GCM = AES-256-CTR and SHA256 combined.
N.b., there is zero reason to use AES-256 on your home VPN rather than AES-128.
There is not a lot done with "good reason" in this world…
Depends on needs and "craziness"... also in the home ;)B.t.w., the default OpenVPN 2.4 or higher selects is AES-256-GCM, when both sides are on OpenVPN 2.4.
See --ncp in OpenVPN manual 2.4 -
B.t.w., the default OpenVPN 2.4 or higher selects is AES-256-GCM, when both sides are on OpenVPN 2.4.
See –ncp in OpenVPN manual 2.4Defaults are made to be changed
-
Just stay away from the USB3 ports. pfSense doesn't seem to like those at all, and the installers will fail unless booted from one of the USB2 ports.
From the mobo quick installation guide pdf page 3, "CAUTION: For operating system installation, be sure to plug your USB flash drive into the USB 2.0 Ports (USB12)."
-
I also have to admit I am VERY impressed with this little chip.
I haven't installed pfSense yet, but I am doing some testing in Ubuntu 16.10.
Using the PicoPSU-80 and 60W power brick kit from Mini-Box.com I'm idling on the desktop pulling only 7.1W from the wall (as measured on my Kill-A-Watt).
That's about the same power as my PcEngines low power Quad Core Jaguar at idle.
When I load up the chip with mprime (linux version of Prime95) it peaks at about 46W at the wall.
And that's at 3.9Ghz 2C/4T.
Even the stock Intel cooler (which just BARELY fit inside the M350 case once the drive brackets were removed) doesn't spin up much during load testing.
Very impressed.
The ASRock H270M-ITX/ac is also a great little Mini-ITX board with dual Intel NIC's to pair with it.
Wow. That's really good to know. Yeah, those M350 cases are tiny, but they kind of stand alone in the market, and are perfect for a mini ITX pfSense system provided your NICs are onboard. I have one but it's for a MythTV frontend. Thanks for the info.
Any time!
And it gets better. I killed Xorg and the idle wattage measured at the wall went down to 6.2W!
Full specs if anyone else is interested (links to where I bought them, you may find better prices elsewhere):
-
Intel Core i3-7100 ($119.96 w. Prime)
-
ASRock H270M-ITX/ac Mini-ITX motherboard with dual Intel NIC's ($96.98)
-
Crucial 8GB (2x4GB) DDR4-2133 kit ($55.49 w. Prime)
-
BiWin 60GB M.2 Sata SSD ($40.98)
-
M350 Universal Mini-ITX enclosure ($39.95)
-
Molex to P4 power adapter ($4.95)
And that's it. Total: 393.31 (less for me, since I already had a few of the parts left over from other projects.
The CPU comes with a cooler. Before you assemble everything, it looks like it won't fit in the M350 enclosure, but it does (just barely), as long as you don't use the 2.5" drive brackets. (use an M2, USB drive or SATA DOM)
I also pulled out the mini-Wlan card (you loosen two screws on the bottom of the board and it comes right out). I wasn't using it, and I figured I'd rather not have it wasting power. Also disabled everything in BIOS I wasnt planning on using, and enabled all power saving states, except suspend to RAM, as the router needs to be operating 24/7.
I used a fan profile on the board. The CPU puts out so little power that it seems to stay at the coolers minimum fan speed most of the time. Granted it is pretty cold in my basement right now.
(Warmer temps will result in higher fan speeds which will drive up power consumption noticeably. At this low power use the fans use a surprisingly large percentage of the power)
I'm very happy thus far.
Just stay away from the USB3 ports. pfSense doesn't seem to like those at all, and the installers will fail unless booted from one of the USB2 ports.
So I finally had time to get this working (a month and a half later), as I had trouble getting PIA VPN working the first time around.
Now that it is up and running I can definitely say that the i3-7100 is overkill by more than I expected.
To add to this, AES-256-GCM = AES-256-CTR and SHA256 combined.
N.b., there is zero reason to use AES-256 on your home VPN rather than AES-128.
I did wind up going with AES-256-CBC and SHA256 just because I could as my router is overkill, but honestly, I didn't notice much (any?) CPU load difference between the two, so might as well use the stronger one, even if it might not be necessary.
Anyway, with AES-256-CBC and SHA256, loading up the connection in one direction (it peaks at about 135Mbit, due to my traffic shaping rules) I only get about 9-10% load on the CPU. So, under a theoretical full load in both directions I ought to hit 18-20% somewhere.
I'm glad to have some room to grow should anything change, but this little i3-7100 has definitely outperformed my expectations.
-
-
I did wind up going with AES-256-CBC and SHA256 just because I could as my router is overkill, but honestly, I didn't notice much (any?) CPU load difference between the two, so might as well use the stronger one, even if it might not be necessary.
I also use AES-256 and SHA256 on my PIA tunnels and have never noticed a tangible performance difference between the two. I'm still on AES-128 and SHA1 on my personal OpenVPN server, mostly because I set it up that way years ago and haven't felt the need to change. SHA1 is approaching deprecation anyhow as far as I'm aware. Anyway, thanks for the update.
-
I did wind up going with AES-256-CBC and SHA256 just because I could as my router is overkill, but honestly, I didn't notice much (any?) CPU load difference between the two, so might as well use the stronger one, even if it might not be necessary.
Anyway, with AES-256-CBC and SHA256, loading up the connection in one direction (it peaks at about 135Mbit, due to my traffic shaping rules) I only get about 9-10% load on the CPU. So, under a theoretical full load in both directions I ought to hit 18-20% somewhere.
I'm glad to have some room to grow should anything change, but this little i3-7100 has definitely outperformed my expectations.
I also use AES-256 and SHA256 on my PIA tunnels and have never noticed a tangible performance difference between the two. I'm still on AES-128 and SHA1 on my personal OpenVPN server, mostly because I set it up that way years ago and haven't felt the need to change. SHA1 is approaching deprecation anyhow as far as I'm aware. Anyway, thanks for the update.
I should follow up with the fact that since my initial tests (just speedtest.net) I have succeeded in getting the CPU load up much higher.
I was under the impression that OpenVPN CPU load was really just dependent on raw throughput, but that doesn't seem to be the case, More connections at the same bandwidth use more CPU it would seem.
Downloaded a new Ubuntu ISO today using rtorrent, which resulted in downstream maxed, and a little upstream. This was about 38% CPU on the router. Still very respectable, but I wanted to update you guys in case someone takes my earlier results too seriously.
