OpenVPN benchmark in pfSense 2.2
-
Hey
I'm running some benchmark tests using pfSense 2.2, but can't get the performance I expected.

Setup: PC1 (192.168.100.23) <---> (WAN: 192.168.100.200) pfSense (LAN: 192.168.1.1) <---> PC2 (192.168.1.100)
Tunnel without any encryption:

iperf.exe -c 192.168.1.100 -w 130k -P 5
------------------------------------------------------------
Client connecting to 192.168.1.100, TCP port 5001
TCP window size: 130 KByte
[ 7] local 192.168.3.6 port 49533 connected with 192.168.1.100 port 5001
[ 6] local 192.168.3.6 port 49532 connected with 192.168.1.100 port 5001
[ 4] local 192.168.3.6 port 49530 connected with 192.168.1.100 port 5001
[ 3] local 192.168.3.6 port 49529 connected with 192.168.1.100 port 5001
[ 5] local 192.168.3.6 port 49531 connected with 192.168.1.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[ 7]  0.0-10.0 sec  65.9 MBytes  55.2 Mbits/sec
[ 6]  0.0-10.0 sec  65.9 MBytes  55.2 Mbits/sec
[ 4]  0.0-10.0 sec  66.0 MBytes  55.2 Mbits/sec
[ 3]  0.0-10.0 sec  66.0 MBytes  55.1 Mbits/sec
[ 5]  0.0-10.0 sec  66.0 MBytes  55.2 Mbits/sec
[SUM]  0.0-10.0 sec   330 MBytes   276 Mbits/sec

Tunnel with aes-128-cbc:
iperf.exe -c 192.168.1.100 -P 5 -w 130k
------------------------------------------------------------
Client connecting to 192.168.1.100, TCP port 5001
TCP window size: 130 KByte
[ 7] local 192.168.3.6 port 50283 connected with 192.168.1.100 port 5001
[ 5] local 192.168.3.6 port 50281 connected with 192.168.1.100 port 5001
[ 6] local 192.168.3.6 port 50282 connected with 192.168.1.100 port 5001
[ 3] local 192.168.3.6 port 50279 connected with 192.168.1.100 port 5001
[ 4] local 192.168.3.6 port 50280 connected with 192.168.1.100 port 5001
[ ID] Interval       Transfer     Bandwidth
[ 7]  0.0-10.0 sec  38.2 MBytes  32.0 Mbits/sec
[ 6]  0.0-10.0 sec  38.4 MBytes  32.0 Mbits/sec
[ 3]  0.0-10.0 sec  38.4 MBytes  32.0 Mbits/sec
[ 4]  0.0-10.1 sec  38.2 MBytes  31.9 Mbits/sec
[ 5]  0.0-10.1 sec  38.4 MBytes  32.0 Mbits/sec
[SUM]  0.0-10.1 sec   192 MBytes   160 Mbits/sec

Port forwarded port 5001 from WAN to LAN as:
iperf.exe -c 192.168.100.37 -P 5 -w 130k
------------------------------------------------------------
Client connecting to 192.168.100.37, TCP port 5001
TCP window size: 130 KByte
[ 3] local 192.168.100.23 port 50310 connected with 192.168.100.200 port 5001
[ 6] local 192.168.100.23 port 50313 connected with 192.168.100.200 port 5001
[ 4] local 192.168.100.23 port 50311 connected with 192.168.100.200 port 5001
[ 5] local 192.168.100.23 port 50312 connected with 192.168.100.200 port 5001
[ 7] local 192.168.100.23 port 50314 connected with 192.168.100.200 port 5001
[ ID] Interval       Transfer     Bandwidth
[ 6]  0.0-10.0 sec   222 MBytes   187 Mbits/sec
[ 4]  0.0-10.0 sec   227 MBytes   191 Mbits/sec
[ 5]  0.0-10.0 sec   222 MBytes   186 Mbits/sec
[ 7]  0.0-10.0 sec   222 MBytes   186 Mbits/sec
[ 3]  0.0-10.0 sec   228 MBytes   191 Mbits/sec
[SUM]  0.0-10.0 sec  1.09 GBytes   939 Mbits/sec

Why can I only get 276 Mbits/sec via the tunnel running without encryption? I was expecting more.
All network running 1 Gbit.
Hardware: Super Micro A1SRi-2758F, 16 GB ECC, 120 GB SSD.
-
I think that's about as good as it gets until the people at OpenVPN enable AES-NI or QuickAssist on FreeBSD. Why did you expect more?
Did you enable AES-NI in System: Advanced: Miscellaneous: Cryptographic Hardware?
@cmb:
AES-NI has little to no effect on AES-CBC. Its benefit comes with AES-GCM, which is supported by IPsec (and tested to increase its maximum throughput around 4-5 times over, up to near 2 Gbps with the packet filter enabled). OpenVPN doesn't yet offer AES-GCM support, though it's coming in a future release.
From my experience, AES-NI does improve AES-CBC encryption a lot.
With AES-NI enabled, my NUC reaches 350 MB/s in the openssl aes-128-cbc benchmark.
It works fine for me in 2.2; in previous versions you had to make sure that aesni.ko did not get loaded, otherwise you got very poor performance and high CPU load.
You can try an openssl benchmark to test if it is working properly (openssl speed -evp aes-128-cbc).
In my OpenVPN config I did not select any hardware acceleration; it seems openssl is just using AES-NI fine on its own.
-
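As an added example (not a script posted by anyone in this thread), the following sh script runs the openssl speed check suggested above on the firewall's own shell, for both AES-128-CBC and the AES-128-GCM that cmb's post says benefits far more from AES-NI. It runs each cipher twice, once as-is and once with AES-NI masked off through the OPENSSL_ia32cap environment variable, then prints the two rates and their ratio. If the ratio for aes-128-cbc is close to 100%, OpenSSL on that box is not using the instructions at all. The mask value, the choice of the last (16384-byte block) column as the figure of merit, and the helper names are assumptions of this example, stated in the comments; the openssl binary is whatever pfSense ships.

```shell
#!/bin/sh
# Added example, not from the thread: compare OpenSSL AES throughput with AES-NI
# available and with it forcibly masked off, to confirm the CPU feature is used.
#
# Assumption: OPENSSL_ia32cap="~0x200000200000000" clears the AES-NI (bit 57)
# and PCLMULQDQ (bit 33) capability bits that OpenSSL reads from CPUID leaf 1.
# PCLMULQDQ is what accelerates the GHASH half of GCM, so masking both shows
# the full software fallback for aes-128-gcm as well.
MASK_NO_AESNI='~0x200000200000000'

# Extract the throughput in kB/s for cipher $1 from the `openssl speed` output
# in $2. The summary line starts with the cipher name; the last column is the
# 16384-byte block rate (assumed here to be the most representative for bulk
# VPN traffic), printed with a trailing "k" that we strip.
speed_kbps() {
    printf '%s\n' "$2" | awk -v c="$1" '$1 == c { v = $NF; sub(/k$/, "", v); print v }'
}

# Integer percentage of $1 relative to $2 (405 means 4.05x). A zero or missing
# denominator (cipher not found, openssl failed) yields 0 instead of an awk error.
speedup_percent() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 == 0) { print 0 } else { printf "%d\n", a * 100 / b } }'
}

# Benchmark cipher $1 with and without the feature mask and print the result.
# Default `openssl speed` runs 3 seconds per block size, so ~18 s per call.
bench_cipher() {
    cipher=$1
    on=$(openssl speed -evp "$cipher" 2>/dev/null)
    off=$(OPENSSL_ia32cap="$MASK_NO_AESNI" openssl speed -evp "$cipher" 2>/dev/null)
    a=$(speed_kbps "$cipher" "$on")
    b=$(speed_kbps "$cipher" "$off")
    printf '%-12s AES-NI on: %12s kB/s   off: %12s kB/s   ratio: %s%%\n' \
        "$cipher" "$a" "$b" "$(speedup_percent "$a" "$b")"
}

run_benchmark() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    bench_cipher aes-128-cbc
    bench_cipher aes-128-gcm
}

# Uncomment to run on the firewall itself (takes about a minute):
# run_benchmark
```

Run it from a shell on the pfSense box, not from a client, since the point is what the firewall's CPU and OpenSSL build can do; an OpenVPN process will never exceed the single-threaded aes-128-cbc figure reported here, and the iperf numbers in the original post add tunnel overhead on top of that.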
You can select the "BSD cryptodev engine" for OpenVPN in pfSense, which should support AES-128-CBC with AES-NI, or not?
Edit: OpenVPN is probably only using a single core/thread per process, though.