PfSense hardware for home router - OpenVPN performance



  • Yeah I know, but those are not really that useful for me. I'll just buy some stickers or something ;)

    OpenVPN speed has been steady between 700-800 Mbps.



  • @Fuego:

    Still haven't got a chance read on wiki for tweaks, but added:

    Which wiki is that? Looking to optimize my j3355 as well.



  • @denova,

    Do you mind sharing your hardware build/partlist?
    I'm looking into purchasing something similar and i like your idle power usage of 13watts.

    Thanks.



  • @digitalgimpus:

    @Fuego:

    Still haven't got a chance read on wiki for tweaks, but added:

    Which wiki is that? Looking to optimize my j3355 as well.

    Don't know about any wiki, but optimize OpenVPN with fast-io and buffers. Read here:

    https://forum.pfsense.org/index.php?topic=130350.0



  • @pbosgraaf:

    @denova,

    Do you mind sharing your hardware build/partlist?
    I'm looking into purchasing something similar and i like your idle power usage of 13watts.

    Thanks.

    Sure, I'm using a prebuild Lenovo M700 SFF that I got really cheap with a platinum rated PSU (to quote Lenovo's website: "ENERGY STAR 6.1, ULE Gold, EPEAT Gold, and 85% efficiency with 80+ Platinum power supply unit", I'm not sure that's saying all that much though). Specs are: Intel G4400 dual core, 4 GB DDR4 memory, it came with a HDD but switched it for a cheap Kingston SSD and I added an Ebay Chinese I350 T4 NIC. I unplugged the CD drive and USB connectors and some other stuff not used. Speedstep is enabled and the CPU is often running around 1.5-2.0 Ghz when idle. Now I've monitored it over a longer time, the average idle power consumption usage has been around 15 watts. The case is really cool as well, usually around 25 degrees.

    When building yourself, it's probably best to get a Pico PSU and search for a power efficient motherboard.



  • @denova

    Speedstep is enabled and the CPU is often running around 1.5-2.0 Ghz when idle. Now I've monitored it over a longer time, the average idle power consumption usage has been around 15 watts. The case is really cool as well, usually around 25 degrees.

    You could trying out to enable PowerD (high adaptive) of not done yet, to get perhaps less then 15 watts back.
    or did you enable the PowerD (high adaptive) option?



  • @BlueKobold:

    @denova

    Speedstep is enabled and the CPU is often running around 1.5-2.0 Ghz when idle. Now I've monitored it over a longer time, the average idle power consumption usage has been around 15 watts. The case is really cool as well, usually around 25 degrees.

    You could trying out to enable PowerD (high adaptive) of not done yet, to get perhaps less then 15 watts back.
    or did you enable the PowerD (high adaptive) option?

    It's enabled (high adaptive), forgot to mention that. But if I recall correctly it made no difference at all for me..



  • I have a question regarding your hardware recommendation. I'm just about to complete a DSL contract either 50MBit / s or 100MBit /. I would like to use OpenVPN with 256bit encryption. I would like to have full download speed with VPN because all traffic is used. Do you have a recommendation which hardware can do that? I use it only at home and 95% only with Wi-Fi. anyone a low-cost recommendation? :)



  • I use Astrill, and when i sometimes use utorrent it can download at 22-23MB/ s but avarage is more 17-18 with snort enabled

    This is my CPU for the moment as i will wait to upgrade to an xeon and intel mainboard.




  • Intel Pentium Silver J5005 4x1.5 (Turbo to 2.8) TDP 10W -CPU Mark 2987 -Single Thread 1182
    3200/9.21 = 347 Mbps (aes-256-cbc)
    3200/8.67 = 369 Mbps (aes-256-gcm)

    Real World VPN running 5 Ubuntu Torrents at once
    0_1531276388637_vpn.PNG
    Nearly half of my Spectrum Gigabit is being used.


  • Netgate Administrator

    Is that with FastIO enabled and send/rec buffers increased?

    Steve



  • @stephenw10 Just FastIO. I have not done any buffer adjustments yet.


  • Netgate Administrator

    FastIO made the biggest difference in my testing. Setting the send and receive buffers to 512k did make some improvement. There was little to be gained setting them higher than that. In my test at least. More testing is always good. ☺

    Those numbers are pretty good already though.

    Steve



  • @stephenw10 said in PfSense hardware for home router - OpenVPN performance:

    FastIO made the biggest difference in my testing. Setting the send and receive buffers to 512k did make some improvement. There was little to be gained setting them higher than that. In my test at least. More testing is always good. ☺

    Those numbers are pretty good already though.

    Steve

    I am very impressed with the cpu. Motherboard not so much. Plenty of available PCIe lanes for dual Intel gigabit lan. And a pcie x1 slot instead of x16. The realtek gigabit lan couldn't muster over 600mbs. Gigabyte announced a J5005 board earlier this year, but they never released it.



  • i5-8250u

    Tue Jul 17 17:06:17 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    7.68 real 7.67 user 0.00 sys

    3200 / 7.68 = 416.67 mbit/s (aes-256-cbc)



  • Intel Atom E3950
    AES-128-CBC, AES-NI enabled, OpenVPN compression disabled
    319 Mbit/s



  • Hi,

    Here is my new results:

    time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
    

    Intel i5-7400 4 x 3.0GHz - TDP 65W -CPU Mark 7382 - Single Thread 1957
    3200/8,05 = 397 Mbps OpenVPN performance (estimate)



  • AMD Ryzen 5 2600X (6 x 3.6GHz/4.2GHz)
    3200/2.7=1185


  • Netgate Administrator

    3200/2.7=1185

    Nice. Are you able to test a reality figure on there at all?



  • @stephenw10 said in PfSense hardware for home router - OpenVPN performance:

    3200/2.7=1185

    Nice. Are you able to test a reality figure on there at all?

    In linux with a client running on the same machine in kvm, it hit 1100Mbps. (So, zero latency internal network, but with the load of being both client and server.) I'd not expect to see that on a real link, as I don't think OpenVPN will keep enough packets in flight to fill the pipe, but the hardware can do it. That said, I'd pick a newer i3 if I just wanted a firewall with openvpn; the ryzen is overkill for that, and an i3 should hit the same numbers for less money.