PfSense hardware for home router - OpenVPN performance
-
My line is nominally 150Mbps, tests at about 160Mbps. I can try multiple connections for sure. Will post the results. I'm thinking of upgrading my setup anyway; didn't buy it originally for pfSense; just kind of worked out that way. I can either drop in an Athlon 5350 (4 cores 2.05 GHz) or 5370 (4 cores 2.2GHz) or bring the AMD setup back to my HTPC (where it started) and buy something entirely different for pfSense. Oh, the possibilities (and the $$)
Yes please, let us know the results.
About these two Athlon I would expect results not far from what I got with my A10-7300, that was 256Mbs.
I believe this can be an excellent value for money choice. -
In this group only the Celeron J1900 does not support the AES-NI instructions to improve the speed of applications performing encryption and decryption.
Here are the results:
Intel Celeron J1900 4x2GHz -TDP 10W -CPU Mark 1881 -Single Thread 528
3200/36,5 = 88 Mbps OpenVPN performance (estimate)I'd love to get close to these results. With my J1900 based 2.3.2 box I only pull 5Mbps in real world tests. Surely it must be a setup issue. I'm using 256 aes cbc with ip vanish. I could be an issue with ip vanish, too.
I was going to start a new thread about this, but since this is a benchmark thread, I figured I would ask if there are any generic settings to optimize the openvnc client? I don't want to hijack this thread but was curious if I'm missing something you pfsense veterans are doing since I'm quite new to it.
-
I don't have any problems to get close to the full speed of my 100Mbps line with IPVanish. Later I'll post my configuration
-
I'd love to get close to these results. With my J1900 based 2.3.2 box I only pull 5Mbps in real world tests. Surely it must be a setup issue. I'm using 256 aes cbc with ip vanish. I could be an issue with ip vanish, too.
I was going to start a new thread about this, but since this is a benchmark thread, I figured I would ask if there are any generic settings to optimize the openvnc client? I don't want to hijack this thread but was curious if I'm missing something you pfsense veterans are doing since I'm quite new to it.
Here are the print screens of the settings and the custom options:
explicit-exit-notify 2;
ifconfig-nowarn;
tls-client;
persist-key;
persist-tun;
remote-cert-tls server;
reneg-sec 0;
auth-nocache;
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384;
fast-io;
sndbuf 524288;
rcvbuf 524288
-
Thank you so much! I had a few different settings. LZO Compression on and:
fast-io;
tun-mtu 1500;
persist-key;
persist-tun;
persist-remote-ip;
auth SHA256;
keysize 256;
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:
AES256-SHAWith your advanced settings, I'm getting line speed (100Mbps)! Cheers!
-
Thank you so much! I had a few different settings. LZO Compression on and:
fast-io;
tun-mtu 1500;
persist-key;
persist-tun;
persist-remote-ip;
auth SHA256;
keysize 256;
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:
AES256-SHAWith your advanced settings, I'm getting line speed (100Mbps)! Cheers!
Can you report on exactly what you changed? Is the config you just posted your current config? Thanks!
-
Thank you so much! I had a few different settings. LZO Compression on and:
fast-io;
tun-mtu 1500;
persist-key;
persist-tun;
persist-remote-ip;
auth SHA256;
keysize 256;
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:
AES256-SHAWith your advanced settings, I'm getting line speed (100Mbps)! Cheers!
Glad to help you.
I do not see big differences in the custom options, except for the tls-cipher line … I have some doubts if its syntax is correct because I always used it with "WITH" like here
https://community.openvpn.net/openvpn/ticket/304
I also used compression, but I had not noticed any change in the connection speed. -
If it helps someone…
Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
(timings averaged over 3 runs, but they never varied more than .1 sec)
(with aesni.ko loaded): 3200/24.03 = 133.17
(with aesni.ko unloaded): 3200 / 23.58 = 135.71Dear garyd9,
thanks for your tests!
Just to get it right: This means C2558 gets a OpenVPN throughput of around 130 Mbit/s?
Right now I'm trying to make a decision between C2358, C2558, C2758, Xeon D-1518…
Basically, all I need is 500 Mbit/s WAN throughput and around 100 Mbit/s OpenVPN throughput. I would like to use snort.
But the most important point to me right now is to have a stable OpenVPN throughput of 100 Mbit/s...I'm wondering if a C2358 will accomplish this performance as well?
Since OpenVPN is single-threaded, afaik, a C2358 may have nearly the same openvpn performance as the c2558?EDIT: Well, I just see, there is a big difference in base clock rate... 1,7 GHz vs. 2,4 GHz... So I think the C2358 won't be able to run 100 Mbit/s OpenVPN throughput? According to other threads the OpenVPN throughput of C2358 is somewhere at 70 Mbit/s. Is that correct?
-
Just to get it right: This means C2558 gets a OpenVPN throughput of around 130 Mbit/s?
Theoretically. Real world performance would vary.
I'm wondering if a C2358 will accomplish this performance as well?
Since OpenVPN is single-threaded, afaik, a C2358 may have nearly the same openvpn performance as the c2558?EDIT: Well, I just see, there is a big difference in base clock rate… 1,7 GHz vs. 2,4 GHz... So I think the C2358 won't be able to run 100 Mbit/s OpenVPN throughput? According to other threads the OpenVPN throughput of C2358 is somewhere at 70 Mbit/s. Is that correct?
I don't run openvpn. I just ran the test proposed by the OP and posted the results. However, based on the differences between the C2358 and C2558, I'd guess that the 2358 would have a difficult time getting to 100 megabit/sec openvpn performance.
-
Can you report on exactly what you changed? Is the config you just posted your current config? Thanks!
The changes I made were to disable lzo compression and use mauroman33's custom options. Like he mentioned the main difference in that is the "tls-cipher" line it would seem.
I also made sure to turn off any crypto hardware "assistance" options I may have fiddled with. Most were already disabled, but I did play around with using "RDRAND", so I had to disable that again.
My overall config isn't exactly like his screen shots, though. I tick the boxes to disable addition of routes to the route table and handle those with AON.
-
Can you report on exactly what you changed? Is the config you just posted your current config? Thanks!
The changes I made were to disable lzo compression and use mauroman33's custom options. Like he mentioned the main difference in that is the "tls-cipher" line it would seem.
I also made sure to turn off any crypto hardware "assistance" options I may have fiddled with. Most were already disabled, but I did play around with using "RDRAND", so I had to disable that again.
My overall config isn't exactly like his screen shots, though. I tick the boxes to disable addition of routes to the route table and handle those with AON.
The suggestion to disable the Cryptographic Hardware comes by Pippin's messages in this thread:
https://forum.pfsense.org/index.php?topic=115627.30 -
here are my advanced server settings:
fast-io;sndbuf 0;rcvbuf 0;push "sndbuf 524288";push "rcvbuf 524288";keepalive 10 120;push "redirect-gateway def1";push "redirect-gateway-ipv6 def1";push "route-ipv6 2000::/3";
Here are my advanced client settings:
fast-io fragment 0 mssfix 0 sndbuf 524288 rcvbuf 524288 lport 0 remote-random remote-cert-tls server resolv-retry 4 key-method 2 mute 10 mute-replay-warnings keepalive 10 120 auth-retry nointeract setenv FORWARD_COMPATIBLE 1 verb 3 reneg-sec 0 script-security 2
Ultimately, i think we should push to change to Softether as the VPN client. It supports backwards compatibility to OpenVPN and is much faster than OpenVPN for the same hardware.
Here is a feature list: https://www.softether.org/1-features
-
What some people consider here to be VPN is quite different from what's VPN is in a corporate world. Hiding one's identity to be able to download stolen content is not the reson VPN was invented. When one lists VPN throughput to such a service, it's not what VPN's purpose is in pfSense.
-
What some people consider here to be VPN is quite different from what's VPN is in a corporate world. Hiding one's identity to be able to download stolen content is not the reson VPN was invented. When one lists VPN throughput to such a service, it's not what VPN's purpose is in pfSense.
While softether can be used for obsfcation, softether actually supports more corporate features than OpenVPN. It supports IPSec, VLANs, OpenVPN, etc. In addition, the code is more modern and supports multithreaded VPN. I get comparable speeds from my Raspberry Pi running Softether VPN versus my i7 pfsense box running pfSense.
Anyway, not trying to hijack the thread. Just adding my .02
-
Ultimately, i think we should push to change to Softether as the VPN client.
Well, it's already in freeBSD ports…
-
What some people consider here to be VPN is quite different from what's VPN is in a corporate world. Hiding one's identity to be able to download stolen content is not the reson VPN was invented. When one lists VPN throughput to such a service, it's not what VPN's purpose is in pfSense.
And that doesn't have any bearing on the performance numbers, which is what we're discussing here. We're talking about the technology and performance on given hardware, not the reasons we're using it. This discussion is directly relevant to anyone using OpenVPN, regardless of the use case.
-
What some people consider here to be VPN is quite different from what's VPN is in a corporate world. Hiding one's identity to be able to download stolen content is not the reson VPN was invented. When one lists VPN throughput to such a service, it's not what VPN's purpose is in pfSense.
Sorry mate, I don't understand. How do you know what is the reason why people are using a VPN here?
Are you maybe speaking of your personal experience?
Personally I have some good reasons to use it, starting from the systematic throttling performed by the ISP in my area if you don't use the services directly purchased from it …
But maybe, as rightly said whosmatt, this is not the forum for this kind of discussion. -
Test VPN from the gear you own (and whose specs you know) to your pfSense box across a reliable internet connection. That will give you the performance indication of your hardware. Better yet, test the VPN throughput in the lab to see the maximum throughput your hardware is capable of.
Stating the VPN throughput of 5 Mbps to some third-party VPN service is hardly an indication that something is wrong with your hardware or software.
-
here are my advanced server settings:
fast-io;sndbuf 0;rcvbuf 0;push "sndbuf 524288";push "rcvbuf 524288";keepalive 10 120;push "redirect-gateway def1";push "redirect-gateway-ipv6 def1";push "route-ipv6 2000::/3";
Here are my advanced client settings:
fast-io fragment 0 mssfix 0 sndbuf 524288 rcvbuf 524288 lport 0 remote-random remote-cert-tls server resolv-retry 4 key-method 2 mute 10 mute-replay-warnings keepalive 10 120 auth-retry nointeract setenv FORWARD_COMPATIBLE 1 verb 3 reneg-sec 0 script-security 2
Ultimately, I think we should push to change to Softether as the VPN client. It supports backwards compatibility to OpenVPN and is much faster than OpenVPN for the same hardware.
Here is a feature list: https://www.softether.org/1-features
I started a thread in the package sub-forum regarding my SoftEther FreeBSD package port and performance. My initial tests show I can easily push 150/150 mbps (maximum of my WAN speed) through SoftEther with very low load on my pfSense machine!
https://forum.pfsense.org/index.php?topic=117626
I will post some benchmarks and run some theoretical maximum tests to see how fast SoftEther is compared to OpenVPN on my machine (my theoretical OpenVPN max is 299 mbps).
-
ci323 nano u
Stats for you guys
hw.model: Intel(R) Celeron(R) CPU N3150 @ 1.60GHz
(cryptodev) BSD cryptodev engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading supportopenssl speed aes-128-cbc aes-192-cbc aes-256-cbc
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128 cbc 27446.63k 31065.88k 32203.01k 79808.59k 80497.95k
aes-192 cbc 23419.20k 25885.49k 26810.11k 66946.05k 67553.96k
aes-256 cbc 20250.74k 22164.16k 22912.07k 57832.11k 58552.27kopenssl speed -engine cryptodev -multi 4 aes-128-cbc aes-192-cbc aes-256-cbc
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
aes-128 cbc 104805.14k 118668.96k 128936.14k 318822.11k 321327.26k
aes-192 cbc 93729.09k 103600.58k 107154.76k 267119.27k 271302.66k
aes-256 cbc 80937.83k 88656.43k 91726.42k 226115.54k 230708.57kopenssl speed -multi 4 bf-cbc
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
blowfish cbc 164957.33k 185746.01k 191440.98k 193272.15k 193628.57kopenssl speed bf-cbc
OpenSSL 1.0.1s-freebsd 1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
blowfish cbc 41251.69k 46459.56k 47838.06k 48378.47k 48452.95k