    OpenVPN 2.4 Artificial speed limit @ 6 Mbps
    • C
      c0lp4nik last edited by

      Greetings!

      Long-time listener, first-time caller.

      I have been running pfSense in Azure (not the Netgate addition, sorry Netgate on a tight budget right now…) for some time and just upgraded to pfSense 2.4 and noticed that speeds from the appliance itself get 250-300 Mbps download tested with iperf (client) against he.net and scottlinux.com (public iperf servers), but my openvpn 2.4 (not to be confused with pfSense 2.4) clients are only getting a symmetric MAX 6 Mbps download and upload "capped".

      I have no limiters in place:

      ipfw show pipe - blank.
      XML - none.

      My /temp/rules.limits:

      set limit table-entries 2000000
      set optimization conservative
      set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
      set limit states 1429000
      set limit src-nodes 1429000

      (which I am assuming is default, as I have no limits pushed to XML via the GUI).

      Note: AES-NI Accel is noted:
      CPU Type Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: Yes (active) -----------> CHECK!
      Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

      Openvpn Crypto used: AES-256-CBC (CHECK!)

      OpenVPN config (Screen in GUI): Hardware Crypto:  BSD Cryptodev......

      Checked kernel mods loaded:

      kldstat
      Id Refs Address            Size    Name
      1    8 0xffffffff80200000 2c3e9a0  kernel
      2    1 0xffffffff83019000 46c6    cryptodev.ko
      3    1 0xffffffff8301e000 7f92    aesni.ko

      On-board speed test:

      openssl speed -evp aes-256-cbc

      Doing aes-256-cbc for 3s on 16 size blocks: 1240941 aes-256-cbc's in 0.11s
      Doing aes-256-cbc for 3s on 64 size blocks: 1143048 aes-256-cbc's in 0.13s
      Doing aes-256-cbc for 3s on 256 size blocks: 877391 aes-256-cbc's in 0.07s
      Doing aes-256-cbc for 3s on 1024 size blocks: 500204 aes-256-cbc's in 0.07s
      Doing aes-256-cbc for 3s on 8192 size blocks: 95778 aes-256-cbc's in 0.02s
      OpenSSL 1.0.2k-freebsd  26 Jan 2017
      built on: date not available
      options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
      compiler: clang
      The 'numbers' are in 1000s of bytes per second processed.
      type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
      aes-256-cbc    181531.94k  550814.66k  3194483.14k  7284748.74k 33476837.38k

      Baffled. <shrugs shoulders>....

      Any insight or corrections appreciated!

      Thanks much!
      C0l. P.

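Added example, not part of the original post: `openssl speed` run without `-elapsed` divides by CPU user time, which is why each nominal 3 s run in the output above is charged only 0.02 to 0.13 s and the throughput row looks so high. The sketch below parses the posted `Doing ...` lines and recomputes throughput per wall-clock second, assuming each run lasted its nominal 3 s; `parse_speed` and its field names are hypothetical.

```python
import re

# "Doing ..." lines copied from the openssl speed output in the post above.
SAMPLE = """\
Doing aes-256-cbc for 3s on 16 size blocks: 1240941 aes-256-cbc's in 0.11s
Doing aes-256-cbc for 3s on 64 size blocks: 1143048 aes-256-cbc's in 0.13s
Doing aes-256-cbc for 3s on 256 size blocks: 877391 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 1024 size blocks: 500204 aes-256-cbc's in 0.07s
Doing aes-256-cbc for 3s on 8192 size blocks: 95778 aes-256-cbc's in 0.02s
"""

LINE_RE = re.compile(
    r"Doing (?P<alg>\S+) for (?P<wall>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<cpu>\d+(?:\.\d+)?)s"
)


def parse_speed(text):
    """Return one dict per block size with both throughput figures in MB/s."""
    rows = []
    for m in LINE_RE.finditer(text):
        size, count = int(m["size"]), int(m["count"])
        wall, cpu = float(m["wall"]), float(m["cpu"])
        total_bytes = size * count
        rows.append({
            "alg": m["alg"],
            "block": size,
            # Share of the nominal run that was charged as user CPU time.
            "cpu_share": cpu / wall,
            # What openssl prints: bytes divided by user CPU seconds.
            "reported_MBps": total_bytes / cpu / 1e6 if cpu > 0 else None,
            # Assumption: the run lasted its nominal duration in wall-clock time.
            "wall_MBps": total_bytes / wall / 1e6,
        })
    return rows


if __name__ == "__main__":
    print(f"{'block':>6} {'cpu share':>10} {'reported MB/s':>14} {'wall MB/s':>10}")
    for r in parse_speed(SAMPLE):
        rep = "n/a" if r["reported_MBps"] is None else f"{r['reported_MBps']:.1f}"
        print(f"{r['block']:>6} {r['cpu_share']:>10.1%} {rep:>14} {r['wall_MBps']:>10.1f}")
```

Re-running the benchmark with `-elapsed` makes openssl itself divide by wall-clock time, so the two columns can be compared against a real measurement.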
      • R
        Room 7609 last edited by

        In the OpenVPN part of the pfSense GUI, try setting Hardware Crypto to "No Hardware Crypto Acceleration". I have AES-NI as well and that's how I have mine set. I believe that OpenVPN uses it automatically. By specifying "BSD Cryptodev", I think it actually slows things down.

        Edit: There is some explanation for this behavior here.
        https://forum.pfsense.org/index.php?topic=128698.msg709464#msg709464

        • C
          c0lp4nik last edited by

          Thanks Room 7609!

          Tried it but alas same result :(

          Good idear though, I did say that mentioned a few times…

          Will keep you posted.

          CP
