Is PC/Firewall fast enough for AES-128 VPN?



  • Folks,

    I have a J1900 quad-core Celeron PC running as a pfSense FW. (Details)
    From it I maintain a VPN connection to Private Internet Access using OpenVPN. This CPU does not have the AES extension.

    When I first set it up about a year ago I was getting 200Mb/s throughput (connection saturation) on the VPN. Today I get around 50-60 average, down to 20 on a bad day.

    I'm working with PIA to try to work out why but so far we're not getting to the bottom of it. They're adamant they have the bandwidth and appreciate that I can do a speed-test which reads 200 down and 12 up.

    I'm wondering though, what do others get on VPN throughput? Anything better than this? When does AES start becoming a problem?

    The load average on the PC is 0.17, 0.14, 0.09 and does not vary much with or without tests.

    pfSense version is latest and greatest.

    TIA
    F



  • Check this thread.  There are a few commands you can run that will give you a rough idea of how much bandwidth your CPU can handle with OpenVPN.

    https://forum.pfsense.org/index.php?topic=115992.0

    Also, from what I have read, OpenVPN is single threaded.  You say your CPU is quad core so you may want to think about running multiple tunnels to PIA.



  • Thanks for the tip. Very interesting results on the speed test. With my setup, using AES-128-CBC (as per PIA) I get a theoretical throughput of 87Mb/s.

    What I find interesting though is a while back, when I first got PIA, I could get 250Mb/s throughput. I assumed this was due to compression and obviously fake as I only had a 200Mb/s connection.

    I'm still baffled as to how this has changed…

    I'll have to rethink my firewall then if I want to move up ;)

