Hardware Requirements for Gb/s VPN AES-256-CBC



  • A 1 Gb/s (up and down) line is being put in. I'm looking for a VPN router that can handle this without causing latency. I was also thinking that it should be future-proof since this is a large investment, so maybe something able to handle 10 Gb/s to 4 Gb/s. Any suggestions on what to buy that can handle this while keeping costs down would be appreciated. Also, information on how to tell if a device is able to handle a connection of a given speed would be appreciated. It is using AES-256-CBC.



  • @Ryu945:

    …a vpn router that can handle this {1 Gb/s line} without causing latency...

    A vpn also means encryption. The more the better.
    How is that supposed to be done without introducing latency? Number crunching in zero time has yet to be invented.

    @Ryu945:

    … future-proof ... able to handle 10 Gb/s to 4 Gb/s ... while keeping costs down

    You forgot "low power", didn't you?

    Sure this can be done with specialized hardware. Not with i386/x64 hardware and software available in 2016.
    We max out at 4Gb/s IIRC. jwt had a lengthy post about that you may want to search this forum for.



  • I didn't see this post you speak of.  Also, I thought it would be obvious I was asking what hardware is needed so that the vpn router does not become a bottleneck.



  • Would this be a cheap way to make a router capable of doing this?

    Using http://www.ibuypower.com/Store/Intel-X99-Core-i7-Configurator at either 6x i7 6800k 3.4 GHz or  6x i7 6850k 3.6 GHz



  • Case :: Chimera 5 - Snow Edition
    LED Fan Lighting
    Case Lighting
    Processor Cooling :: Asetek 510LC Liquid CPU Cooling System [SOCKET-2011]
    Video Card :: NVIDIA GeForce GTX 1060 - 6GB (VR-Ready)
    M.2/PCI-E SSD Card :: None
    Primary Hard Drive :: 1 TB HARD DRIVE – 32MB Cache, 7200RPM, 6.0Gb/s - Single Drive
    Optical Drive :: 24x Dual Layer DVD±R/±RW + CD-R/RW Drive - Black -- Free Upgrade to 14X LG Blu-ray Re-writer

    Network Card :: Onboard LAN Network (Gb or 10/100)

    Subtotal :1399

    You wanna impress someone or need a capable unit?

    If you really want to burn money: https://store.pfsense.org/XG-1541-1U-pfSense-Security-Gateway-Appliance-P88.aspx
    Otherwise: https://store.pfsense.org/SG-8860-1U/  or even  https://store.pfsense.org/SG-4860/

    Edit: They can even paint it nicely if that's what you want: https://pbs.twimg.com/media/Csg0Dc5VUAAX7mh.jpg

    Forget about 4Gb/s or even 10Gb/s routing in 2016. Buy such a system when/if you need it. Future-proofing won't work while hardware performance is still bound to Moore's law.



  • @Ryu945:

    I didn't see this post you speak of.

    https://forum.pfsense.org/index.php?topic=113862.msg634832#msg634832

    @Ryu945:

    Also, I thought it would be obvious I was asking what hardware is needed so that the vpn router does not become a bottleneck.

    Obviously your expectations are a bit over the top, don't you think?
    VPN without latency is impossible
    Shopping for future 10Gb/s routing doesn't make sense when you have a 1Gb/s line currently.
    Ever thought about power consumption?



  • @jahonix:

    Case :: Chimera 5 - Snow Edition
    LED Fan Lighting
    Case Lighting
    Processor Cooling :: Asetek 510LC Liquid CPU Cooling System [SOCKET-2011]
    Video Card :: NVIDIA GeForce GTX 1060 - 6GB (VR-Ready)
    M.2/PCI-E SSD Card :: None
    Primary Hard Drive :: 1 TB HARD DRIVE – 32MB Cache, 7200RPM, 6.0Gb/s - Single Drive
    Optical Drive :: 24x Dual Layer DVD±R/±RW + CD-R/RW Drive - Black -- Free Upgrade to 14X LG Blu-ray Re-writer

    Network Card :: Onboard LAN Network (Gb or 10/100)

    Subtotal :1399

    You wanna impress someone or need a capable unit?

    If you really want to burn money: https://store.pfsense.org/XG-1541-1U-pfSense-Security-Gateway-Appliance-P88.aspx
    Otherwise: https://store.pfsense.org/SG-8860-1U/  or even  https://store.pfsense.org/SG-4860/

    Edit: They can even paint it nicely if that's what you want: https://pbs.twimg.com/media/Csg0Dc5VUAAX7mh.jpg

    Forget about 4Gb/s or even 10Gb/s routing in 2016. Buy such a system when/if you need it. Future-proofing won't work while hardware performance is still bound to Moore's law.

    Wouldn't a continuous load of 1 GB/s AES-256-CBC up and down (so 2 GB/s) be too much for a 4-core 2.4 GHz router? Isn't a single VPN downstream done in only 1 CPU, so you can't have the other CPUs help with the computation? Wouldn't the round-trip encryption be done in 2 of the CPUs while the other 2 don't get used much? I ask because I see people saying they achieved 100 Mb/s (not sure if round trip or one way) with dual-core 1.86 GHz routers.

    I'm trying to be sure that this will work.



  • I don't seem to remember correctly that you first mentioned internet for a dorm with a few guys, a hobbyist project.

    Do you really need to push encrypted 1Gb/s up and down simultaneously?



  • @jahonix:

    I don't seem to remember correctly that you first mentioned internet for a dorm with a few guys, a hobbyist project.

    Do you really need to push encrypted 1Gb/s up and down simultaneously?

    Yes, I have to push both simultaneously.



  • Go with the XG-1541 Appliance then.



  • @jahonix:

    Go with the XG-1541 Appliance then.

    OpenVPN cannot spread its load over multiple cores. A 2 GHz core has no chance of pushing that kind of data.



  • Yes, I have to push both simultaneously.

    You will also be able to place VPN servers inside of the DMZ. We use CentOS and SoftEtherVPN (Server)
    for that together with different cards that are supported well under Linux.

    • CentOS
    • SoftEtherVPN

    OpenVPN VPN Server:
    • Comtech AHA363PCIe (only for OpenVPN)

    IPSec VPN Server:
    • Comtech AHA604 (only for IPSec VPN)


  • @BlueKobold:

    Yes, I have to push both simultaneously.

    You will also be able to place VPN servers inside of the DMZ. We use CentOS and SoftEtherVPN (Server)
    for that together with different cards that are supported well under Linux.

    • CentOS
    • SoftEtherVPN

    OpenVPN VPN Server:
    • Comtech AHA363PCIe (only for OpenVPN)

    IPSec VPN Server:
    • Comtech AHA604 (only for IPSec VPN)

    What are you trying to say?



  • What are you trying to say?

    That we are running Intel Xeon VPN servers together with plug-in cards to realize a setup such as
    you want, and I mean not only on one side! This GB VPN (symmetric) stuff is nothing to deal with using
    cheap and fancy devices or tiny hardware that home users and/or hobbyists are using! That is
    what I want to say with the above! It is something around ~900 € for each server and each side
    that we were deploying, and we now get something around ~840 MBit/s - 920 MBit/s, plus on top
    counting the TCP/IP overhead, and this might be for 24/7 in a commercial network.
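
Added example, not written by any poster in this thread: one way to approach the opening question of how to tell whether a box can keep up. It parses the output of `openssl speed -evp aes-256-cbc` run on the candidate hardware and compares the single-core cipher rate with the load a full-duplex line puts on one tunnel. The sample output is constructed, the function names are hypothetical, and the one-core-per-tunnel assumption is the one stated in the thread; the figure covers the cipher only, so it is a necessary condition, not a throughput prediction.

```python
import re

# Constructed sample of `openssl speed -evp aes-256-cbc` output. The figures are
# invented for illustration; run the command on the candidate box for real ones.
SAMPLE_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     480000.00k   540000.00k   560000.00k   570000.00k   572000.00k   573000.00k
"""

def parse_speed(text, cipher="aes-256-cbc"):
    """Return {block_size_bytes: bytes_per_second} for one cipher row."""
    sizes, rates = [], []
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif line.lower().startswith(cipher):
            # openssl prints thousands of bytes per second with a trailing "k"
            rates = [float(v) * 1000 for v in re.findall(r"([\d.]+)k", line)]
    if not sizes or len(sizes) != len(rates):
        raise ValueError("no usable row for " + cipher)
    return dict(zip(sizes, rates))

def assess(text, line_gbps, full_duplex=True, packet_bytes=1400):
    """Compare one core's cipher rate with the load of a single tunnel.

    Assumption (from the thread): one tunnel is handled by one core, so a
    full-duplex line puts up + down traffic on the same core.
    """
    rates = parse_speed(text)
    # Use the largest measured block that still fits in one packet, because
    # small blocks are slower and VPN payloads never exceed the MTU.
    usable = [size for size in rates if size <= packet_bytes]
    if not usable:
        raise ValueError("no measured block size fits in the packet")
    core_gbps = rates[max(usable)] * 8 / 1e9
    needed_gbps = line_gbps * (2 if full_duplex else 1)
    return {
        "core_gbps": core_gbps,
        "needed_gbps": needed_gbps,
        "headroom": core_gbps / needed_gbps,
        # Cipher-only upper bound: HMAC, packet copies between kernel and
        # user space, and routing are not included in the measurement.
        "cipher_can_keep_up": core_gbps >= needed_gbps,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT, line_gbps=1.0))
```

A headroom close to 1 means the cipher alone already saturates the core, leaving nothing for the rest of the VPN data path.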