OpenVPN: bandwidth problem (site to site)
Hello,
I am experiencing bandwidth problems between two sites connected via OpenVPN.
The physical context:
-The pfSense are each connected to a switch in order to pass through an open fiber link (no flow restriction, via 1Gbps fiber module), via a 1 Gbps Ethernet link.
-Behind each pfSense is the LAN of each site.
-The two pfSense are SG-8860 (https://store.pfsense.org/SG-8860-1U/)
Software context:
-The two sites are connected via an OpenVPN Tunnel (see below the configuration)
The problem:
-I can not exceed 20MB / s (~ 160Mbps) in LAN-to-LAN between the two sites, via the pfSense VPN.
If I connect 2 PCs directly on switches 1 and 2, I reach an average throughput of 80 MB / s in file transfer (~ 640Mbps).
I do not understand why I have such a loss by going through the VPN of my pfSense (even by adding the encryption part).
So I wonder if my configuration is not optimal.
Regarding the VPN configuration, this is what it contains:
Pfsense1 (server mode):
PfSense2 (client mode):
Server type : Peer to Peer (Shared Key)
Protocol : UDP
Device mode : tun
Port : 9876
-I have activated on both pfSense the AES-NI CPU-based Acceleration (which supports AES-CBC, AES-XTS, AES-GCM, System Advanced Miscellaneous)
- Encryption Algorithm used : AES-256-CBC (256-bit)
-Auth digest algorithm used : SHA1 (160-bit)
-Hardware Crypto: BSD cryptodev engine – RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC
-Hardware Compression: Enabled with Adaptive Compression
I made tests by modifying the parameters of cryptography as well as the port used and the result of flow remains the same (18 m / s) (gain of 4 m / s without sha1).
As for the more advanced parameters such as the interface MTU, I left that as it is, so 1500 MTU on the routers (on the switches we have an MTU of 1512 by default).
At each test the CPU never exceeds 20% usage.
In my configuration there is something that seems badly configured and that could cause this low bit rate. Or is there any other limitation?
Thank you for your help.