OpenVPN 2.4 Artificial speed limit @ 6 Mbps



  • Greetings!

    Long-time listener, first-time caller.

    I have been running pfSense in Azure (not the Netgate edition, sorry Netgate, on a tight budget right now…) for some time and just upgraded to pfSense 2.4 and noticed that speeds from the appliance itself get 250-300 Mbps download tested with iperf (client) against he.net and scottlinux.com (public iperf servers), but my openvpn 2.4 (not to be confused with pfSense 2.4) clients are only getting a symmetric MAX 6 Mbps download and upload "capped".

    I have no limiters in place:

    ipfw show pipe - blank.
    XML - none.

    My /temp/rules.limits:

    set limit table-entries 2000000
    set optimization conservative
    set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
    set limit states 1429000
    set limit src-nodes 1429000

    (which I am assuming is default, as I have no limits pushed to XML via the GUI).

    Note: AES-NI Accel is noted:
    CPU Type Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active) -----------> CHECK!
    Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

    Openvpn Crypto used: AES-256-CBC (CHECK!)

    OpenVPN config (Screen in GUI): Hardware Crypto:  BSD Cryptodev......

    Checked kernel mods loaded:

    kldstat
    Id Refs Address            Size    Name
    1    8 0xffffffff80200000 2c3e9a0  kernel
    2    1 0xffffffff83019000 46c6    cryptodev.ko
    3    1 0xffffffff8301e000 7f92    aesni.ko

    On-board speed test:

    openssl speed -evp aes-256-cbc

    Doing aes-256-cbc for 3s on 16 size blocks: 1240941 aes-256-cbc's in 0.11s
    Doing aes-256-cbc for 3s on 64 size blocks: 1143048 aes-256-cbc's in 0.13s
    Doing aes-256-cbc for 3s on 256 size blocks: 877391 aes-256-cbc's in 0.07s
    Doing aes-256-cbc for 3s on 1024 size blocks: 500204 aes-256-cbc's in 0.07s
    Doing aes-256-cbc for 3s on 8192 size blocks: 95778 aes-256-cbc's in 0.02s
    OpenSSL 1.0.2k-freebsd  26 Jan 2017
    built on: date not available
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
    aes-256-cbc    181531.94k  550814.66k  3194483.14k  7284748.74k 33476837.38k

    Baffled. <shrugs shoulders>....

    Any insight or corrections appreciated!

    Thanks much!
    C0l. P.
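
The `openssl speed` table in the post above divides each byte count by the time printed after "in", which is far shorter than the 3 s run. The following is an added example, not part of the thread: it recomputes every line against the 3 s run length, assuming the "in N s" value is user CPU time (what `openssl speed` reports unless run with `-elapsed`); `speed_recalc` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread: recompute `openssl speed` throughput
# against the wall-clock run length instead of the reported time.

# Constructed input: the five "Doing ..." lines copied from the post above.
SAMPLE="Doing aes-256-cbc for 3s on 16 size blocks: 1240941 aes-256-cbc's in 0.11s
Doing aes-256-cbc for 3s on 64 size blocks: 1143048 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 256 size blocks: 877391 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 1024 size blocks: 500204 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 8192 size blocks: 95778 aes-256-cbc's in 0.02s"

# speed_recalc (hypothetical helper): reads `openssl speed` output on stdin
# and prints one line per block size:
#   <block bytes> <MB/s by reported time> <MB/s by wall clock> <reported/wall>
speed_recalc() {
    LC_ALL=C awk '
    /^Doing .* for [0-9]+s on [0-9]+ size blocks: [0-9]+ .* in [0-9.]+s$/ {
        wall = $4;  sub(/s$/, "", wall); wall += 0   # run length, e.g. "3s"
        cpu  = $NF; sub(/s$/, "", cpu);  cpu  += 0   # reported time, e.g. "0.11s"
        size  = $6 + 0                               # block size in bytes
        count = $9 + 0                               # operations completed
        if (wall <= 0 || cpu <= 0) next              # skip unusable lines
        bytes = count * size
        printf "%d %.1f %.1f %.3f\n", size, bytes / cpu / 1e6, bytes / wall / 1e6, cpu / wall
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | speed_recalc

# To have openssl measure wall-clock time itself:
#   openssl speed -elapsed -evp aes-256-cbc
```

A reported/wall ratio far below 1 means most of the run was not counted as user CPU time, so the "1000s of bytes per second" table overstates what the box can actually encrypt; the wall-clock column is the figure to compare against tunnel throughput.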



  • In the OpenVPN part of the pfSense GUI, try setting Hardware Crypto to "No Hardware Crypto Acceleration". I have AES-NI as well and that's how I have mine set. I believe that OpenVPN uses it automatically. By specifying "BSD Cryptodev", I think it actually slows things down.

    Edit: There is some explanation for this behavior here.
    https://forum.pfsense.org/index.php?topic=128698.msg709464#msg709464



  • Thanks Room 7609!

    Tried it but alas same result :(

    Good idea though, I did say that mentioned a few times…

    Will keep you posted.

    CP

