PFSense & OpenVPN performance Issues
-
Hello Everyone!
I'm trying to tune my OpenVPN Setup ... unfortunately without success...
ATM I've the following configuration:
PFSense 2.4.4-RELEASE-p2 (amd64)
System: PC Engines APU2
BIOS: v4.9.0.2
CPU Type: AMD GX-412TC SOC
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
HW crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
Internet Speed is: 1Gbps/1Gbps
OpenVPN Configuration:
-UDP port 1199
TLS Configuration: Use a TLS Key
DH Parameter: 2048 bit
Encryption Algorithm: AES-128-GCM
Auth Digest Algorithm: SHA256
ADVANCED:
sndbuf 393216;
rcvbuf 393216;
push "sndbuf 393216";
push "rcvbuf 393216";
Under System/Advanced/Miscellaneous I've enabled AES-NI CPU-Based Acceleration
Under Advanced Settings for the Client I've configured none.
My Problem is that when I try to transfer a file on/from a share I only can reach:
~10MB/s in Upload and Download.
Is there something I'm doing wrong or that I can improve to get better transfer rate?
Thank you all in advance!
-
@tda Don't feel bad. I couldn't get it figured out either. Before 2.4.4 I used to get 400 plus, now I can only get 150 tops and the processor isn't even working hard. While I know these speeds are way more than 10, I just think there is something going on with OpenVPN and pfSense. The other crazy thing is that the speeds were better with AES-256-GCM vs AES-128-GCM. I have AES-NI active as well and Fast-io. I do have my buffer set to sndbuf 524288 rcvbuf 524288. If you find out anything please let me know.
-
What are you sharing the file with... You understand SMB over high latency is going to freaking blow chunks right ;)
How does an iperf test perform?
If you want a valid test of what openvpn connection can do..
On your local network try this test.
client -openvpntunnel- wan pfsense lan -- file server.
Now pull a file down from the server...
-
@johnpoz
Hello John,
1 - "You understand SMB over high latency is going to freaking blow chunks right ;)"
What do you mean by "high latency" exactly?
2 - "How does a iperf test perform?"
Can you please give me instruction on how I'll have to do it?
3 - I've tried to connect to my wifi (front of the fw), and I've the exact same 8mb/s.
-
1... SMB over anything higher than a few ms is going to SUCK!! Why do you think enterprises run wan optimization/acceleration products - think riverbed, cisco waas, or silverpeak, etc.
SMB is a chatty as F protocol designed for LAN use..
Grab iperf client for whatever OSes you might be running.. Run one in server mode -s, run another copy on the client side and use -c serverIP..
You could make sure your client and server both support smb3 for file transfer - this could help a lot because they can do multiple streams, etc. Or use a better protocol for copy/put the files - shoot http would be better than smb ;)
What is the latency you're talking about? I have to bounce off a proxy in TX, while I am in Chicago area to get to my home network from work... So latency is horrible.. 100 to 200 ms easy on a good day.. And I can still get 8mbps on iperf via iperf.. And it's shared pipe the whole way, etc. etc. And my home only has 50mbps up..
Don't forget about BDP and your windows rcv window size when moving data over a wan connection..
While not saying putting your traffic inside a tunnel and then software client and server running for the tunnel is not going to put a hit on your overall pipe throughput... But let's not think you're going to take what amounts to a lan protocol for moving files - and then do it over a wan, inside a tunnel and think you're going to saturate your pipe bandwidth ;)
-
@johnpoz 1 - When I've tried in my LAN the latency is 1ms.
In my land (Switzerland) you have never ever more than 20ms. (if you have a fiber connection it's about 1 - 8ms).
Now the thing is ... even if SMB is designed for LAN, I've a throughput of 8Mb... even when I'm streaming films from my server. So when I and a couple of friends are looking at a stream at the very same moment.. that's fulfilled.
I don't expect to have 1Gbps over VPN... but from 1Gbps to 8mb/s... it's a lot.
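-
The BDP and buffer-size point raised in the thread, worked through with the thread's own numbers. This is an added example, not part of any post above. It assumes a simplified model in which at most one socket buffer of data is in flight per round trip, and it reads the reported ~10MB/s as 80 Mbit/s; the function names are hypothetical.

```python
# Added example: window-limited throughput ceilings for the values in this thread.
# Assumption: one socket buffer (sndbuf/rcvbuf) of data in flight per round trip.
LINK_BPS = 1_000_000_000        # 1 Gbps line stated in the first post
BUFFERS = (393216, 524288)      # sndbuf/rcvbuf values quoted in the thread (bytes)
RTTS_MS = (1, 20, 100, 200)     # latencies mentioned in the thread (ms)
OBSERVED_BPS = 80_000_000       # ~10 MB/s read as megabytes per second (assumption)

def window_ceiling_bps(window_bytes, rtt_ms):
    """Throughput ceiling when one window is delivered per round trip."""
    return window_bytes * 8 * 1000 / rtt_ms

def bdp_bytes(link_bps, rtt_ms):
    """Bandwidth-delay product: bytes that must be in flight to fill the link."""
    return link_bps * rtt_ms // 8000

def bottleneck(window_bytes, rtt_ms, link_bps=LINK_BPS):
    """Return which limit applies first, and the resulting ceiling in bit/s."""
    ceiling = window_ceiling_bps(window_bytes, rtt_ms)
    if ceiling >= link_bps:
        return ("link", link_bps)
    return ("window", ceiling)

def rtt_ms_for_ceiling(window_bytes, target_bps):
    """RTT at which the window alone would cap throughput at target_bps."""
    return window_bytes * 8 * 1000 / target_bps

def report():
    """One row per (buffer, RTT): limiting factor, Mbit/s ceiling, BDP of the link."""
    rows = []
    for buf in BUFFERS:
        for rtt in RTTS_MS:
            kind, bps = bottleneck(buf, rtt)
            rows.append((buf, rtt, kind, round(bps / 1e6, 1), bdp_bytes(LINK_BPS, rtt)))
    return rows

if __name__ == "__main__":
    print("buffer(B)  rtt(ms)  limit   ceiling(Mbit/s)  BDP@1Gbps(B)")
    for buf, rtt, kind, mbps, bdp in report():
        print(f"{buf:>9}  {rtt:>7}  {kind:<6}  {mbps:>15}  {bdp:>12}")
    for buf in BUFFERS:
        rtt = rtt_ms_for_ceiling(buf, OBSERVED_BPS)
        print(f"{buf} B buffer caps at 80 Mbit/s only at RTT of about {rtt:.1f} ms")
```

Under this model the 393216-byte buffers become the limit for an 80 Mbit/s rate only at roughly 39 ms RTT, so at the 1 ms and 20 ms latencies reported in the thread the buffer size alone does not account for ~10MB/s.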