1G setup for OpenVPN and/or IPSec

rkelleyrtp

Greetings,

Upgrading my home internet connection from TWC (200Mb/20Mb) to AT&T GigE Fiber (1Gb/1Gb) in a few days and want to upgrade my pfSense firewall as well.  My current box is running pfSense 2.3.2 on an Atom D510 (dual-cores at 1.66GHz) with 4G RAM.  I have a number of connections to a local data center and want to build a new pfSense box that will give me max OpenVPN performance with the best (least) power draw as possible.

I saw this thread on our forum about a 1G performance build using a Jetway board, but I am concerned that setup won't handle OpenVPN traffic at that speed.  I have been researching motherboards and found the Supermicro X11SSZ-TLN4F that might suite me.  It has the same form factor as my existing system, and the CPU bump should be plenty to handle the OpenVPN/IPSec connections.

Any thoughts?

stephenw10

You need to push the line rate with encrypted traffic? If not how much bandwidth do you need over VPN?

Steve

rkelleyrtp

Would be nice if I could get 600-800Mbps encrypted traffic over VPN.

stephenw10

Then you should get the most powerful CPU you can! It's probably still better to get fewer faster cores than many slower ones for peak throughput.

In light of the recent inclusion of OpenVPN 2.4.0 in the most recent snapshots you should get something that supports AES-GCM acceleration via AES-NI. If you control both ends of the tunnel you can use that already via IPSec instead of OpenVPN.

Steve

Guest

and want to build a new pfSense box that will give me max OpenVPN performance with the best (least) power draw as possible.

Get a used or refurbished 4 core Intel Xeon E3-12xx v3 CPU with >3,0GHz and you will
have all things that will be need available there.

• AES-NI support
• Strong and powerful CPU
• 4 Cores / 8 Threads enough for any packet installation
• More power saving then the Intel Core i3, i5 and i7 cpu´s

I saw this thread on our forum about a 1G performance build using a Jetway board, but I am concerned that setup won't handle OpenVPN traffic at that speed.

He is not using PPPoE, please don´t forget this!!!

Would be nice if I could get 600-800Mbps encrypted traffic over VPN.

Then you shoud have a look on a refurbished Intel Xeon E3-1241v3 that might be strong as the
Intel Core i CPU`s but more power saving.

P3R

@BlueKobold:

He is not using PPPoE, please don´t forget this!!!

And you think the OP will?

rkelleyrtp

Thanks for all the great replies.  It seems I need to get a Xeon E3-12xx system for max performance and minimal power usage.

As an aside, thanks to "stephenw10" for pointing out an issue with my existing IPSec configuration.  After switching from Blowfish to AES128-GCM on the connection ciphers, the connection speed went from 7MB/sec to ~ 11MB/sec with 50% CPU usage (50% usage on a single core on a 4-core system).  This means my existing box might be strong enough to handle much more IPSec traffic than I initially thought.

The only side-affect I see now is high interrupts (120% and higher) on "hpet0".  Not sure if this is an IPSec issue or a hardware issue.