OpenVPN 2.4 Artificial speed limit @ 6 Mbps
-
Greetings!
Long-time listener, first-time caller.
I have been running pfSense in Azure (not the Netgate addition, sorry Netgate on a tight budget right now…) for some time and just upgraded to pfSense 2.4 and noticed that speeds from the appliance itself get 250-300 Mbps download tested with iperf (client) against he.net and scottlinux.com (public iperf servers), but my openvpn 2.4 (not to be confused with pfSense 2.4) clients are only getting a symmetric MAX 6 Mbps download and upload "capped".
I have no limiters in place:
ipfw show pipe - blank.
XML - none.
My /temp/rules.limits:
set limit table-entries 2000000
set optimization conservative
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
set limit states 1429000
set limit src-nodes 1429000
(which I am assuming is default, as I have no limits pushed to XML via the GUI).
Note: AES-NI Accel is noted:
CPU Type Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active) -----------> CHECK!
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
Openvpn Crypto used: AES-256-CBC (CHECK!)
OpenVPN config (Screen in GUI): Hardware Crypto: BSD Cryptodev......
Checked kernel mods loaded:
kldstat
Id Refs Address Size Name
1 8 0xffffffff80200000 2c3e9a0 kernel
2 1 0xffffffff83019000 46c6 cryptodev.ko
3 1 0xffffffff8301e000 7f92 aesni.ko
On-board speed test:
openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 1240941 aes-256-cbc's in 0.11s
Doing aes-256-cbc for 3s on 64 size blocks: 1143048 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 256 size blocks: 877391 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 1024 size blocks: 500204 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 8192 size blocks: 95778 aes-256-cbc's in 0.02s
OpenSSL 1.0.2k-freebsd 26 Jan 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 181531.94k 550814.66k 3194483.14k 7284748.74k 33476837.38k
Baffled. <shrugs shoulders>....
Any insight or corrections appreciated!
Thanks much!
C0l. P. -
In the OpenVPN part of the pfSense GUI, try setting Hardware Crypto to "No Hardware Crypto Acceleration". I have AES-NI as well and that's how I have mine set. I believe that OpenVPN uses it automatically. By specifying "BSD Cryptodev", I think it actually slows things down.
Edit: There is some explanation for this behavior here.
https://forum.pfsense.org/index.php?topic=128698.msg709464#msg709464 -
Thanks Room 7609!
Tried it but alas same result :(
Good idea though, I did say that mentioned a few times…
Will keep you posted.
CP