SPEED RELATED QUESTION: PIA, Maximum Encryption incl. my equipment & setup



  • pfSense 2.3.2-RELEASE-p1 (amd64)

    Maximum Protection via Private Internet Access (PIA)

    Data encryption: AES-256
    Data authentication: SHA256
    Handshake: RSA-4096

    I have a 150mbps service and I am getting around 35-40 on average (generally speaking) with the above setup. Highest was around 50-ish. Processor supports AES-NI and is also enabled. Any thoughts, ideas or assistance on how to increase throughput?? I get 150+ without OpenVPN. Test numbers above with hardwired connection.

    My equipment is a Jetway JBC313U591W-3160-B Intel Braswell Celeron N3160 Dual Intel Gigabit LAN Fanless NUC PC with 8GB RAM and 64GB msata.
    http://www.ebay.com/itm/-/401202075660

    Running home network all through NETGEAR Nighthawk X6 AC3200 Tri-Band Gigabit WiFi Router (R8000) and then thru pfSense box to Internet modem.

    BTW Packages installed are: Snort, Cron, pfBlockerNG and obviously OpenVPN through to PIA.


  • Banned

    There are a few possibilities. You might try switching to a different PIA server; they are not all created equal. Here's their list: https://www.privateinternetaccess.com/pages/network/

    Another potential issue: is your Nighthawk router running as an AP only (all services, DHCP, DNS, QoS, NTP, etc., turned off at the Nighthawk's WebGUI)? If it's trying to do a bunch of stuff it may be working against pfSense and causing issues. My guess is that you've already done this but I thought I'd ask.

    Last option, if neither of the above two works, is that your CPU is probably the limiting factor at 1.6GHz. If this is the case, then you have two options.

    One, obviously, buy a new CPU. The ASRock Apollo Lake SoCs are cheap, have the latest AES-NI, and have higher clock speeds while remaining low power and fanless. Unless you need 4 cores for something else CPU intensive you are doing, I would recommend the J3355 for its high clock speeds and low cost.

    The other option is to keep your existing hardware and create two OpenVPN client processes. All you do is create a new OpenVPN client, just mirror the one you already have, then go to System > Routing > Gateway Groups and create a new group, select both of your VPN clients and set them both to tier 1. Finally, go to your firewall rules and for everything you want to use the VPN, select your gateway group as their gateway in advanced settings.

    What you are doing here is splitting your VPN into two streams. Since OpenVPN is purely single-threaded, this lets your CPU use two of its cores to process your traffic. By setting both of the clients to tier 1, your computer will balance the load between the two processes.

    This isn't a magic bullet; your per-instance VPN total speed will not double. If your CPU maxes at 50Mbps and you do this, then if only one computer is using the VPN, it will still only get 50Mbps. But if you have two computers each trying to use 50Mbps at the same time, they will now each get the full 50Mbps.

    So even though it isn't a perfect solution, I still recommend you do it for another reason(s).
    PIA servers sometimes (rarely) go down completely and more often suffer from decreased performance during peak hours. If you configure two or more clients in this method and select a different PIA server for each, you can mitigate this shortcoming by spreading your traffic over multiple servers.

    Here's the thread where I learned of this, which links to another thread with more instructions if you're interested.

    https://forum.pfsense.org/index.php?topic=123927.msg690987#msg690987