Netgate Discussion Forum

pfSense and OpenVPN speeds

General pfSense Questions
    A Former User
    last edited by May 7, 2020, 3:57 PM

    My current problem is that my R7000 router can only achieve speeds of 28 Mbps when I'm connected to the VPN. Outside the VPN I'm achieving 230 Mbps.

    I'm told that I need to upgrade to a PC running pfSense with OpenVPN to achieve higher speeds.

    It looks like OpenVPN is a resource hog.

    I'm looking at different Netgate devices and what might I need in order to maximize bandwidth through pfSense/OpenVPN?

    Am I going to be hitting a wall before I reach 200 Mbps using one of these devices, or any device, while going through OpenVPN?

    I'm also looking at the below to replace my R7000 router. Is this overkill?

    Qotom Q575G6-S05 Mini PC
    Intel i7 7500U Kabylake 3.5GHZ Processor 8GB RAM 256GB SSD
    6 x Intel I211-AT Gigabit LAN 1 x HDMI 2 x USB 3.0 2 x USB 3.0

    Thanks...

      stephenw10 Netgate Administrator
      last edited by stephenw10 May 7, 2020, 4:41 PM May 7, 2020, 4:40 PM

      @Morpheus101 said in pfSense and OpenVPN speeds:

      Is this overkill?

      Yes.
      It will pass 230Mbps OpenVPN though. 😉

      Steve

        Rico LAYER 8 Rebel Alliance
        last edited by Rico May 7, 2020, 5:01 PM May 7, 2020, 5:00 PM

        Some OpenVPN numbers I had in my testing.

        Intel Xeon Gold 6136
        AES-256-CBC 441,4 Mbps
        AES-256-GCM 463,8 Mbps
        AES-128-CBC 441,4 Mbps
        AES-128-GCM 481,9 Mbps
        
        Intel Xeon Silver 4215
        AES-256-CBC 394,1 Mbps
        AES-256-GCM 434,8 Mbps
        AES-128-CBC 401,0 Mbps
        AES-128-GCM 432,4 Mbps
        
        Intel Core i7-7700
        AES-256-CBC 477 Mbps
        AES-256-GCM 519 Mbps
        AES-128-CBC 479 Mbps
        AES-128-GCM 522 Mbps
        
        Netgate XG-7100
        AES-256-CBC 266 Mbps
        AES-256-GCM 288 Mbps
        AES-128-CBC 278 Mbps
        AES-128-GCM 290 Mbps
        
        Netgate SG-5100
        AES-256-CBC 276,3 Mbps
        AES-256-GCM 290,9 Mbps
        AES-128-CBC 280,5 Mbps
        AES-128-GCM 292,8 Mbps
        
        Netgate SG-3100
        AES-256-CBC 91,4 Mbps
        AES-256-GCM 83,1 Mbps
        AES-128-CBC 98,5 Mbps
        AES-128-GCM 89,2 Mbps
        
        Netgate SG-1100
        AES-256-CBC 118,5 Mbps
        AES-256-GCM 119,6 Mbps
        AES-128-CBC 118,5 Mbps
        AES-128-GCM 120,7 Mbps
        

        The problem with OpenVPN is it can only use one CPU core per instance/thread. So clock frequency is your friend with OpenVPN or switch to IPsec. ;-)

        -Rico

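Rico's table uses a decimal comma, so "292,8 Mbps" reads as 292.8 Mbps. The following Python is an added example, not code from this thread or from pfSense: it parses a constructed copy of part of that table exactly as posted, then answers the sizing question the thread is circling, namely which platforms clear a given WAN rate with some headroom when judged by their slowest listed cipher, and how much switching between two ciphers actually buys. The target rate, the headroom factor and the platform subset are assumptions chosen for illustration.

```python
import re

# Constructed copy of part of the figures posted in this thread, kept in the
# format they were posted: decimal comma, and integer Mbps on some rows.
BENCHMARK_TEXT = """
Intel Core i7-7700
AES-256-CBC 477 Mbps
AES-256-GCM 519 Mbps
AES-128-CBC 479 Mbps
AES-128-GCM 522 Mbps

Netgate SG-5100
AES-256-CBC 276,3 Mbps
AES-256-GCM 290,9 Mbps
AES-128-CBC 280,5 Mbps
AES-128-GCM 292,8 Mbps

Netgate SG-3100
AES-256-CBC 91,4 Mbps
AES-256-GCM 83,1 Mbps
AES-128-CBC 98,5 Mbps
AES-128-GCM 89,2 Mbps

Netgate SG-1100
AES-256-CBC 118,5 Mbps
AES-256-GCM 119,6 Mbps
AES-128-CBC 118,5 Mbps
AES-128-GCM 120,7 Mbps
"""

# One result row: cipher name, a number with either decimal separator, "Mbps".
RESULT_RE = re.compile(r"^(AES-(?:128|256)-(?:CBC|GCM))\s+(\d+(?:[.,]\d+)?)\s*Mbps$")


def parse_mbps(token: str) -> float:
    """'292,8' (decimal comma) and '292.8' both mean 292.8 Mbps."""
    return float(token.replace(",", "."))


def parse_table(text: str) -> dict:
    """Return {platform: {cipher: mbps}} from the posted plain-text layout.

    Any non-empty line that is not a result row starts a new platform block;
    every 'CIPHER value Mbps' row that follows belongs to that platform.
    """
    results: dict = {}
    platform = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = RESULT_RE.match(line)
        if match is None:
            platform = line
            results.setdefault(platform, {})
        elif platform is None:
            raise ValueError(f"result row before any platform heading: {line!r}")
        else:
            results[platform][match.group(1)] = parse_mbps(match.group(2))
    return results


def platforms_meeting(results: dict, target_mbps: float, headroom: float = 1.0) -> list:
    """Platforms whose slowest listed cipher still clears target * headroom.

    Judging by the slowest cipher is deliberate: when the remote end is a
    commercial provider, it usually dictates which cipher gets negotiated.
    """
    needed = target_mbps * headroom
    return sorted(p for p, ciphers in results.items() if min(ciphers.values()) >= needed)


def cipher_gain(results: dict, slower: str, faster: str) -> dict:
    """Per-platform throughput ratio faster/slower (1.0 means no difference)."""
    return {
        p: round(c[faster] / c[slower], 3)
        for p, c in results.items()
        if slower in c and faster in c
    }


if __name__ == "__main__":
    table = parse_table(BENCHMARK_TEXT)
    # 230 Mbps is the WAN rate from the opening post; 25% headroom is an assumption.
    print("clears 230 Mbps with 25% headroom:", platforms_meeting(table, 230, headroom=1.25))
    print("AES-128-GCM vs AES-256-GCM:", cipher_gain(table, "AES-256-GCM", "AES-128-GCM"))
```

The ratio function makes the later observation in this thread measurable: on every platform listed, dropping from AES-256-GCM to AES-128-GCM changes throughput by only a few percent, so it is not where CPU relief will come from.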
          A Former User @Rico
          last edited by May 7, 2020, 7:07 PM

          @Rico said in pfSense and OpenVPN speeds:

          Some OpenVPN numbers I had in my testing.

          Intel Xeon Gold 6136
          AES-256-CBC 441,4 Mbps
          AES-256-GCM 463,8 Mbps
          AES-128-CBC 441,4 Mbps
          AES-128-GCM 481,9 Mbps
          
          Intel Xeon Silver 4215
          AES-256-CBC 394,1 Mbps
          AES-256-GCM 434,8 Mbps
          AES-128-CBC 401,0 Mbps
          AES-128-GCM 432,4 Mbps
          
          Intel Core i7-7700
          AES-256-CBC 477 Mbps
          AES-256-GCM 519 Mbps
          AES-128-CBC 479 Mbps
          AES-128-GCM 522 Mbps
          
          Netgate XG-7100
          AES-256-CBC 266 Mbps
          AES-256-GCM 288 Mbps
          AES-128-CBC 278 Mbps
          AES-128-GCM 290 Mbps
          
          Netgate SG-5100
          AES-256-CBC 276,3 Mbps
          AES-256-GCM 290,9 Mbps
          AES-128-CBC 280,5 Mbps
          AES-128-GCM 292,8 Mbps
          
          Netgate SG-3100
          AES-256-CBC 91,4 Mbps
          AES-256-GCM 83,1 Mbps
          AES-128-CBC 98,5 Mbps
          AES-128-GCM 89,2 Mbps
          
          Netgate SG-1100
          AES-256-CBC 118,5 Mbps
          AES-256-GCM 119,6 Mbps
          AES-128-CBC 118,5 Mbps
          AES-128-GCM 120,7 Mbps
          

          The problem with OpenVPN is it can only use one CPU core per instance/thread. So clock frequency is your friend with OpenVPN or switch to IPsec. ;-)

          -Rico

          Can you explain (AES-128-GCM 292,8 Mbps) what the ,8 mean?

          If I'm looking at your numbers, it appears that if I want any chance of achieving the maximum bps from my ISP, I will need at least the SG-51 or at least the equivalent hardware specs from another PC?

          I am all new to this and finally got pfSense set up on a VM lab in order to get familiar with the software.

          You are talking about IPsec in place of pfSense?

          I don't have the first clue about IPSec. I don't believe I can use IPSec on a private commercial VPN provider like TorGuard?

          Thanks...

            SteveITS Galactic Empire
            last edited by May 7, 2020, 7:37 PM

            @Morpheus101 said in pfSense and OpenVPN speeds:

            what the ,8 mean?

            Many countries use a comma to indicate a decimal, whereas others use a period.

            I'm curious why the SG-3100 tested slower than the SG-1100?

            If you're connecting out to a service you are limited to what they allow. Most requests here are for connecting from somewhere to the office VPN.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

              A Former User @SteveITS
              last edited by May 7, 2020, 8:06 PM

              @teamits said in pfSense and OpenVPN speeds:

              @Morpheus101 said in pfSense and OpenVPN speeds:

              what the ,8 mean?

              Many countries use a comma to indicate a decimal, whereas others use a period.

              I'm curious why the SG-3100 tested slower than the SG-1100?

              If you're connecting out to a service you are limited to what they allow. Most requests here are for connecting from somewhere to the office VPN.

              Thanks for the "," explanation.

              I'm connecting to a TorGuard VPN fairly close to me. They told me the low BPS speed was due to the limitation of the router I was using. They didn't tell me what I could expect if I moved up to more powerful hardware. I'm only using about 12% of my bandwidth as it is with heavy usage.

                SteveITS Galactic Empire
                last edited by May 7, 2020, 8:18 PM

                re: hardware, "it depends"...on CPU, hardware acceleration, encryption options used, etc. This may help somewhat: https://docs.netgate.com/pfsense/en/latest/book/hardware/hardware-sizing-guidance.html#vpn-all-types


                  inf3rno
                  last edited by May 8, 2020, 7:48 AM

                  Wouldn't it be possible to use WireGuard instead? https://www.freshports.org/net/wireguard/ AFAIK it is a lot faster than OpenVPN and it reached 1.0 half a year ago, so it should be stable and secure enough.

                    A Former User @SteveITS
                    last edited by A Former User May 8, 2020, 1:03 PM May 8, 2020, 1:01 PM

                    @teamits I asked my VPN provider about speed with the i7 processor and they are telling me that I should have no problem hitting 100 Mbps with that hardware. I also asked them if they are throttling, and they said no.

                    I am hitting 230 Mbps on a constant basis, outside the VPN. Still trying to understand why I'm unable to get at least 200 Mbps using what appears to be adequate hardware. This is a commercial VPN provider, and if they are not throttling, then why?

                    @inf3rno Is WireGuard able to be installed on top of pfSense, like OpenVPN?

                      inf3rno @A Former User
                      last edited by inf3rno May 8, 2020, 1:21 PM May 8, 2020, 1:18 PM

                      @Morpheus101 I have no idea. I know that it can be installed on FreeBSD, and pfSense is FreeBSD based. So maybe. I guess trying it does not hurt. VPN speed depends on the number of users too. If you don't have many parallel connections and your hardware is capable, then something else causes the low speed.

                        stephenw10 Netgate Administrator
                        last edited by May 8, 2020, 1:53 PM

                        @teamits said in pfSense and OpenVPN speeds:

                        I'm curious why the SG-3100 tested slower than the SG-1100?

                        It does look like an anomaly but it's almost certainly because OpenSSL compiled for aarch64 can take advantage of the additional instructions available there. Both those numbers seem low though.

                        Wireguard cannot, yet, easily be added to pfSense. I believe there is a thread detailing it here but it is all manual at this point. No gui config. Nothing backed up etc.

                        Steve

                          Rico LAYER 8 Rebel Alliance @stephenw10
                          last edited by May 8, 2020, 2:14 PM

                          @stephenw10 said in pfSense and OpenVPN speeds:

                          Both those numbers seem low though.

                          Are there any Netgate lab numbers around? No matter official or unofficial. ☺
                          Like OpenVPN SSL/TLS between two SG-5100, settings used for TLS key, Encryption Algo, Auth digest and so on and the speed to expect?

                          -Rico

                            SteveITS Galactic Empire @Rico
                            last edited by May 8, 2020, 2:19 PM

                            @Rico
                            This has IPSec numbers: https://www.netgate.com/products/appliances/

                            This has a chart at the bottom for TNSR but shows pfSense on a SG-5100: https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html


                              Rico LAYER 8 Rebel Alliance
                              last edited by Rico May 8, 2020, 2:28 PM May 8, 2020, 2:28 PM

                              Yes...but this thread is about OpenVPN @pfSense.
                              Impossible to relate anything for OpenVPN with IPsec numbers...

                              -Rico

                                stephenw10 Netgate Administrator
                                last edited by May 8, 2020, 2:45 PM

                                I expect to see over 100Mbps on the 3100 if you are using a CESA supported cipher, which AES-CBC should be.

                                I would also expect to see over 125Mbps on the 1100 using AES-GCM.

                                There are many variables etc!

                                Steve

                                  Rico LAYER 8 Rebel Alliance
                                  last edited by May 8, 2020, 4:20 PM

                                  Well, I don't care about 5-10Mbps of VPN traffic more or less.
                                  I would only see a problem if, say, the speed in your tests were double or 1/3 more. :-)

                                  -Rico

                                    sgw @stephenw10
                                    last edited by Apr 1, 2025, 10:14 AM

                                    @stephenw10 coming here because I look for a quick solution to free CPU on a 2100.

                                    We seem to max out the hardware by running ~20 ovpn clients (1 Gbit/s WAN) plus a wireguard site to site tunnel and pfblockerng ...

                                    Stronger hardware is in preparation, but I am looking for a config tweak to decrease the load.

                                    I wanted to switch from AES-256-GCM to AES-128-GCM in the ovpn-server to decrease the overall load, but the numbers mentioned above seem to tell me that that won't do much.

                                    I am not looking for more throughput, I need to decrease the CPU load. (I already disabled telegraf, that was quite heavy as well)

                                    hints welcome

                                      stephenw10 Netgate Administrator
                                      last edited by Apr 1, 2025, 10:40 AM

                                      What's using the CPU currently? Check the output of top -HaSP at the command line.

                                      There may not be much you can do though. With a 1G WAN it will be possible to hit the limits of the CPU. You could potentially set limiters for connecting clients to prevent that.

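As an added example, not from this thread or from pfSense, the Python below parses a constructed `top -HaSP` snapshot (PIDs, paths and percentages are made up; the column layout follows FreeBSD's top, but the field positions are an assumption to check against a real capture before relying on it) and flags the pattern this thread keeps returning to: one core with almost no idle time while another core is mostly idle, with a single thread such as one OpenVPN instance accounting for most of the busy core. Adding cores does not help that case, which is why the advice above is clock speed, a limiter, or a different VPN.

```python
import re

# Constructed sample of `top -HaSP` output on a FreeBSD-based firewall.
# -H lists threads, -a shows full command lines, -S includes kernel threads,
# -P gives per-CPU usage lines. Values and paths are made up for this example.
SAMPLE_TOP = """\
last pid: 54321;  load averages:  1.92,  1.40,  0.88  up 12+04:11:09  08:15:02
231 threads:   3 running, 212 sleeping, 16 waiting
CPU 0:  61.2% user,  0.0% nice, 33.5% system,  4.1% interrupt,  1.2% idle
CPU 1:   6.3% user,  0.0% nice,  5.1% system,  1.9% interrupt, 86.7% idle
Mem: 412M Active, 128M Inact, 540M Wired, 2.8G Free
Swap:

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
 1201 root         92    0    48M    14M CPU0     0  41:12  87.45% /usr/local/sbin/openvpn --config /var/etc/openvpn/server1/config.ovpn
   12 root        -56    -     0B   480K WAIT     1   9:03   4.10% [intr{swi1: netisr 0}]
 2022 root         20    0    25M     9M select   1   3:55   2.31% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
    0 root        -16    -     0B   960K -        1   1:44   1.05% [kernel{wg_tqg_0}]
 2310 root         20    0    33M    11M nanslp   1   0:31   0.52% /usr/local/bin/php -f /usr/local/pkg/pfblockerng/pfblockerng.inc
"""

# "CPU N: ... X% idle" per-core summary line.
CPU_RE = re.compile(r"^CPU\s+(\d+):.*?([\d.]+)% idle")
# Thread row: PID USER PRI NICE SIZE RES STATE C TIME WCPU% COMMAND...
# PRI/NICE/STATE may be '-' for kernel threads, so those columns are \S+.
THREAD_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+([\d.]+)%\s+(.*)$"
)


def parse_top(text: str):
    """Return (idle_by_core, threads) from one top -HaSP snapshot."""
    idle_by_core: dict = {}
    threads: list = []
    for line in text.splitlines():
        cpu = CPU_RE.match(line)
        if cpu:
            idle_by_core[int(cpu.group(1))] = float(cpu.group(2))
            continue
        row = THREAD_RE.match(line)
        if row:
            threads.append({
                "pid": int(row.group(1)),
                "user": row.group(2),
                "core": int(row.group(3)),       # C column: last CPU the thread ran on
                "wcpu": float(row.group(4)),     # weighted CPU percentage
                "command": row.group(5).strip(),
            })
    return idle_by_core, threads


def saturated_cores(idle_by_core: dict, idle_floor: float = 10.0) -> list:
    """Cores with less idle time than idle_floor percent."""
    return sorted(core for core, idle in idle_by_core.items() if idle < idle_floor)


def hottest_threads(threads: list, n: int = 3) -> list:
    """The n threads with the highest WCPU."""
    return sorted(threads, key=lambda t: t["wcpu"], reverse=True)[:n]


def single_thread_bottleneck(idle_by_core: dict, threads: list,
                             idle_floor: float = 10.0, share: float = 50.0):
    """Return the thread pinning a core while other cores have idle time, or None.

    The signature of a single-threaded service (one OpenVPN instance is one
    thread) is a saturated core, at least one core that is not saturated, and
    one thread on the saturated core consuming at least `share` percent.
    """
    hot = set(saturated_cores(idle_by_core, idle_floor))
    cool = [c for c, idle in idle_by_core.items() if idle >= idle_floor]
    if not hot or not cool:
        return None
    for thread in hottest_threads(threads, len(threads)):
        if thread["core"] in hot and thread["wcpu"] >= share:
            return thread
    return None


if __name__ == "__main__":
    idle, rows = parse_top(SAMPLE_TOP)
    print("saturated cores:", saturated_cores(idle))
    for t in hottest_threads(rows):
        print(f"  {t['wcpu']:6.2f}%  core {t['core']}  {t['command']}")
    culprit = single_thread_bottleneck(idle, rows)
    if culprit:
        print("single-threaded bottleneck:", culprit["command"])
```

Run it against the output of `top -HaSP` captured during the busy period rather than a quiet one; a snapshot taken when the box is idle, as in the reply above, tells you nothing about which thread owns the morning peak.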
                                        sgw @stephenw10
                                        last edited by Apr 1, 2025, 10:54 AM

                                        @stephenw10 currently very low load.

                                        Right now it doesn't look overloaded at all.

                                        Now and then there is sftp-traffic between the two sites which are connected by the wireguard site to site tunnel. This, in combination with the other services maxes out the hw.

                                        It's a multi-layered issue: the delivering server vm is restricted etc etc

                                        Maybe I could tune the wg-tunnel somehow.

                                        Right now I can't see any limits (of the 2100) hit ... in the morning we hit the CPU-limits all the time.

                                        thanks

                                          stephenw10 Netgate Administrator
                                          last edited by Apr 1, 2025, 1:04 PM

                                          So what issues do you see when this happens?

                                          If it's maxed out by traffic over the Wireguard tunnel you might apply a limit to that.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.