Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    PC Engines apu2c4 OpenVPN performance tests

    OpenVPN
    4
    12
    6244
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      haarweg last edited by

      Hi all,

      Recently I posted performance results of tests I did with an laptop, a server and a PC Engines apu2c4. Today I edited the pastebin link, so the format to view is better. Please have a look at the URL http://pastebin.com/8bAgxRaR if OpenVPN performance has interest to you. I found it quite surprising that performance was better with hardware crypto off.

      1 Reply Last reply Reply Quote 0
      • V
        VAMike last edited by

        @haarweg:

        Hi all,

        Recently I posted performance results of tests I did with an laptop, a server and a PC Engines apu2c4. Today I edited the pastebin link, so the format to view is better. Please have a look at the URL http://pastebin.com/8bAgxRaR if OpenVPN performance has interest to you. I found it quite surprising that performance was better with hardware crypto off.

        You can't (easily) turn off AES-NI in openvpn, it's always on. If you enable AES-NI through cryptodev it will usually be slower on any hardware (not specific to the APU2). It would be very nice if pfsense had a better UI to enable AES-NI in the kernel for IPSEC without enabling cryptodev (which slows down openvpn unless you have some rather exotic hardware). The current UI is not particularly intuitive.

        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          Try again on a 2.4 snapshot with AES-CGM selected in OpenVPN

          1 Reply Last reply Reply Quote 0
          • V
            VAMike last edited by

            @jimp:

            Try again on a 2.4 snapshot with AES-CGM selected in OpenVPN

            At the moment the fact that cryptodev doesn't do AES-GCM papers over the UI issues. If GCM gets implemented in aesni.ko+cryptodev then that mode that will get slowed down also…

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              cryptodev will be a loadable module on 2.4 like aesni, and the two shouldn't be loaded together. There won't be a problem there.

              Check the 2.4 board and the pfSense subreddit. There are people seeing significant gains. Though with OpenVPN there is only so much that can be done due to its design.

              1 Reply Last reply Reply Quote 0
              • V
                VAMike last edited by

                @jimp:

                Check the 2.4 board and the pfSense subreddit. There are people seeing significant gains.

                That was expected, GCM is much easier to optimize in hardware than CBC+SHA. The thing to watch for now is avoiding the trap of optimizing for the benchmark by introducing large (easily pipelined) blocks and creating a bufferbloat problem. (I've already seen some openvpn tuning suggestions going that way.)

                1 Reply Last reply Reply Quote 0
                • H
                  haarweg last edited by

                  @jimp:

                  Check the 2.4 board

                  what do you mean by "board" ?

                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    https://forum.pfsense.org/index.php?board=69.0

                    1 Reply Last reply Reply Quote 0
                    • H
                      haarweg last edited by

                      @jimp:

                      Try again on a 2.4 snapshot with AES-CGM selected in OpenVPN

                      There doesn't seem to be a 2.4 snapshot for NanoBSD (embedded) / apu2c4 . At least not where I looked: https://snapshots.pfsense.org/ .

                      1 Reply Last reply Reply Quote 0
                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        There is no NanoBSD on 2.4. Use a full install (even if you have an SD card). Install from the serial memstick.

                        1 Reply Last reply Reply Quote 0
                        • H
                          haarweg last edited by

                          @jimp:

                          https://forum.pfsense.org/index.php?board=69.0

                          ah, board more in a forum sense than in a hardware sense :). thank you.

                          1 Reply Last reply Reply Quote 0
                          • B
                            bsquared last edited by

                            @haarweg:

                            @jimp:

                            https://forum.pfsense.org/index.php?board=69.0

                            ah, board more in a forum sense than in a hardware sense :). thank you.

                            Were you able to test with a recent build of 2.4?  Looking for updated numbers on the apu2c4 if available.

                            Looks like current OpenVPN throughput is ~ 71mbps from your tests using iperf which gives a more real-world number than just local raw benchmarks.  Has anyone seen higher on this hardware?

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post

                            Products

                            • Platform Overview
                            • TNSR
                            • pfSense
                            • Appliances

                            Services

                            • Training
                            • Professional Services

                            Support

                            • Subscription Plans
                            • Contact Support
                            • Product Lifecycle
                            • Documentation

                            News

                            • Media Coverage
                            • Press
                            • Events

                            Resources

                            • Blog
                            • FAQ
                            • Find a Partner
                            • Resource Library
                            • Security Information

                            Company

                            • About Us
                            • Careers
                            • Partners
                            • Contact Us
                            • Legal
                            Our Mission

                            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                            Subscribe to our Newsletter

                            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                            © 2021 Rubicon Communications, LLC | Privacy Policy