Netgate Discussion Forum

    1G setup for OpenVPN and/or IPSec

      rkelleyrtp

      Greetings,

      Upgrading my home internet connection from TWC (200Mb/20Mb) to AT&T GigE Fiber (1Gb/1Gb) in a few days and want to upgrade my pfSense firewall as well. My current box is running pfSense 2.3.2 on an Atom D510 (dual-cores at 1.66GHz) with 4G RAM. I have a number of connections to a local data center and want to build a new pfSense box that will give me max OpenVPN performance with the best (least) power draw possible.

      I saw this thread on our forum about a 1G performance build using a Jetway board, but I am concerned that setup won't handle OpenVPN traffic at that speed. I have been researching motherboards and found the Supermicro X11SSZ-TLN4F that might suit me. It has the same form factor as my existing system, and the CPU bump should be plenty to handle the OpenVPN/IPSec connections.

      Any thoughts?

        stephenw10 Netgate Administrator

        You need to push the line rate with encrypted traffic? If not, how much bandwidth do you need over VPN?

        Steve

          rkelleyrtp

          Would be nice if I could get 600-800Mbps encrypted traffic over VPN.

            stephenw10 Netgate Administrator

            Then you should get the most powerful CPU you can! It's probably still better to get fewer faster cores than many slower ones for peak throughput.

            In light of the recent inclusion of OpenVPN 2.4.0 in the most recent snapshots you should get something that supports AES-GCM acceleration via AES-NI. If you control both ends of the tunnel you can use that already via IPSec instead of OpenVPN.

            Steve

              Guest

              and want to build a new pfSense box that will give me max OpenVPN performance with the best (least) power draw possible.

              Get a used or refurbished 4 core Intel Xeon E3-12xx v3 CPU with >3,0GHz and you will have all the things that will be needed available there.

              • AES-NI support
              • Strong and powerful CPU
              • 4 Cores / 8 Threads enough for any packet installation
              • More power saving than the Intel Core i3, i5 and i7 CPUs

              I saw this thread on our forum about a 1G performance build using a Jetway board, but I am concerned that setup won't handle OpenVPN traffic at that speed.

              He is not using PPPoE, please don't forget this!!!

              Would be nice if I could get 600-800Mbps encrypted traffic over VPN.

              Then you should have a look at a refurbished Intel Xeon E3-1241v3 that might be as strong as the Intel Core i CPUs but more power saving.

                P3R

                @BlueKobold:

                He is not using PPPoE, please don't forget this!!!

                And you think the OP will?

                  rkelleyrtp

                  Thanks for all the great replies.  It seems I need to get a Xeon E3-12xx system for max performance and minimal power usage.

                  As an aside, thanks to "stephenw10" for pointing out an issue with my existing IPSec configuration.  After switching from Blowfish to AES128-GCM on the connection ciphers, the connection speed went from 7MB/sec to ~ 11MB/sec with 50% CPU usage (50% usage on a single core on a 4-core system).  This means my existing box might be strong enough to handle much more IPSec traffic than I initially thought.

                  The only side effect I see now is high interrupts (120% and higher) on "hpet0". Not sure if this is an IPSec issue or a hardware issue.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.