OpenVPN 2.4 Artificial speed limit @ 6 Mbps

c0lp4nik

Greetings!

Long-time listener, first-time caller.

I have been running pfSense in Azure (not the Netgate addition, sorry Netgate on a tight budget right now…) for sometime and and just upgraded to pfSense 2.4 and noticed that speeds from the appliance itself get 250-300 Mbps download tested with iperf (client) against he.net and scottlinux.com (public iperf servers), but my openvpn 2.4 (not to be confused with pfSense 2.4) clients are only getting a symmetric MAX 6 Mbps download and upload "capped".

I have no limiters in place:

ipfw show pipe - blank.
XML - none.

My /temp/rules.limits:

set limit table-entries 2000000
set optimization conservative
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
set limit states 1429000
set limit src-nodes 1429000

(which I am assuming is default, as I have no limits pushed to XML via the GUI).

Note: AES-NI Accel is noted:
CPU Type Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active) -----------> CHECK!
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

Openvpn Crypto used: AES-256-CBC (CHECK!)

OpenVPN config (Screen in GUI): Hardware Crypto:  BSD Cryptodev......

Checked kernel mods loaded:

kldstat
Id Refs Address            Size    Name
1    8 0xffffffff80200000 2c3e9a0  kernel
2    1 0xffffffff83019000 46c6    cryptodev.ko
3    1 0xffffffff8301e000 7f92    aesni.ko

On-board speed test:

openssl speed -evp aes-256-cbc

Doing aes-256-cbc for 3s on 16 size blocks: 1240941 aes-256-cbc's in 0.11s
Doing aes-256-cbc for 3s on 64 size blocks: 1143048 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 256 size blocks: 877391 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 1024 size blocks: 500204 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 8192 size blocks: 95778 aes-256-cbc's in 0.02s
OpenSSL 1.0.2k-freebsd  26 Jan 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
aes-256-cbc    181531.94k  550814.66k  3194483.14k  7284748.74k 33476837.38k

Baffled. <shrugs shoulders="">....

Any insight or corrections appreciated!

Thanks much!
C0l. P.</shrugs>

Room 7609

In the OpenVPN part of the pfSense GUI, try setting Hardware Crypto to "No Hardware Crypto Acceleration". I have AES-NI as well and that's how I have mine set. I believe that OpenVPN uses it automatically. By specifying "BSD Cryptodev", I think it actually slows things down.

Edit: There is some explanation for this behavior here.
https://forum.pfsense.org/index.php?topic=128698.msg709464#msg709464

c0lp4nik

Thanks Room 7609!

Tried it but alas same result :(

Good idear though, I did say that mentioned a few times…

Will keep you posted.

CP