Netgate Discussion Forum

    Multiple OpenVPN tunnels multicore CPU

    • lunkens

      I have been trying to find info on this subject for days via Google. Since I do not know what the technical term for this is, it's hard to find  ::)

      Multi-core CPU, multiple OpenVPN tunnels (4 tunnels to the same provider), 1 tunnel to each core for maximum speed in decryption. Is that possible and will it increase speed?

      I see statements that a Celeron quad-core J1900 can do up to 600Mbit with 4 active tunnels by "balancing" load on all 4 cores.  :o

      Can someone please point me in the direction of a solution? Or tell me if it's even possible and what "the name" of it is.  ;D

      • JKnott

        I don't think you can assign a tunnel to a core.  The operating system balances the load around the cores as needed.  You can even use CPU monitors to see that.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • heper

          @JKnott:

          I don't think you can assign a tunnel to a core.  The operating system balances the load around the cores as needed.  You can even use CPU monitors to see that.

          No, but ovpn is single-threaded, so on a quad-core you can't use more than 1/4 of its potential when using a single ovpn instance.

          More instances can theoretically improve throughput… but that'll depend much on the protocols that are used (torrents could possibly benefit, an HTTP session to a single website won't).

          • Derelict LAYER 8 Netgate

            Each client will be its own openvpn process. The kernel scheduler will do whatever it thinks is appropriate there.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • lunkens

              So if I understand this…  :o setting up 4 OPT interfaces and configuring them as an interface group?

              • Derelict LAYER 8 Netgate

                Why an interface group? What are you trying to accomplish?

                • lunkens

                  My goal is to saturate my WAN as much as possible (500Mbit) with my current 4core router.

                  I am connecting to a VPN provider which allows 4 simultaneous tunnels with OpenVPN AES-256-GCM encryption.

                  Goal is to have OpenVPN use all 4 cores of the CPU to decrypt the traffic. This is to increase the total speed and utilize all processor power over the cores.

                  My reasoning for this statement is founded on the info that 1 OpenVPN tunnel can only utilize 1 core in the CPU. This is not a multi-WAN, rather a multi-tunnel solution.

                  Current setup using 1 tunnel and 1 core is giving me about 120Mbit.

                  Is this possible?  :)

                  • Derelict LAYER 8 Netgate

                    Depends on the traffic. It sounds like you want a load balancing gateway group, not an interface group.

                    In that case it WILL NOT bond all the connections into one large pipe. It will, however, distribute outgoing connections among the various tunnels on a per-state basis according to the gateway weights.

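A simplified model of the per-state distribution described in the post above, as an added example that is not part of the original thread. It assumes hypothetical tunnel names (vpn1..vpn4), treats "gateway weights" as a weighted round-robin over new connections, and caps each tunnel at the 120Mbit single-core figure reported earlier in the thread.

```python
from itertools import cycle

TUNNEL_CAP_MBIT = 120  # per-tunnel (one openvpn process, one core) figure from the thread
WAN_CAP_MBIT = 500     # WAN size mentioned in the thread


def assign_states(n_states, weights):
    """Place each new connection (state) on exactly one tunnel.

    weights maps tunnel name -> integer weight. A tunnel with weight w is
    listed w times in the rotation; this is a modelling assumption.
    """
    rotation = cycle([name for name, w in weights.items() for _ in range(w)])
    return [next(rotation) for _ in range(n_states)]


def aggregate_throughput(demands_mbit, weights,
                         tunnel_cap=TUNNEL_CAP_MBIT, wan_cap=WAN_CAP_MBIT):
    """Return (total Mbit/s, per-tunnel Mbit/s) for per-connection demands.

    A connection never spans tunnels, so its traffic is limited by the one
    tunnel (and CPU core) it was placed on.
    """
    offered = {name: 0.0 for name in weights}
    for tunnel, demand in zip(assign_states(len(demands_mbit), weights),
                              demands_mbit):
        offered[tunnel] += demand
    per_tunnel = {name: min(load, tunnel_cap) for name, load in offered.items()}
    return min(sum(per_tunnel.values()), wan_cap), per_tunnel


if __name__ == "__main__":
    equal = {"vpn1": 1, "vpn2": 1, "vpn3": 1, "vpn4": 1}  # hypothetical names
    scenarios = {
        "one large download": [500],
        "four parallel downloads": [500] * 4,
        "eight 60Mbit streams": [60] * 8,
    }
    for label, demands in scenarios.items():
        total, per_tunnel = aggregate_throughput(demands, equal)
        print(f"{label}: {total:.0f} Mbit/s total, per tunnel {per_tunnel}")
    # Unequal weights: three of every four new states land on vpn1.
    print(aggregate_throughput([100] * 4, {"vpn1": 3, "vpn2": 1}))
```

A single connection stays at the one-tunnel ceiling no matter how many tunnels exist; only workloads with several concurrent connections approach the sum of the tunnels.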
                    • lunkens

                      So basically, if I understand this right, several tunnels will not increase download speed due to more CPU power at its disposal?

                      • Derelict LAYER 8 Netgate

                        Load balancing does not bond multiple connections into one large pipe.

                        The benefit you gain depends on the traffic in your environment.

                        https://forum.pfsense.org/index.php?topic=124373.msg697215#msg697215

                        • JoeDiffieHellman

                          Gateway load balancing seems to work well. I have two PIA VPN tunnels configured on an SG-3100. I have them both as part of a gateway group in tier 1, and my test machine matches a firewall rule that sends all traffic to that gateway group by default.

                          When running a Speedtest, the download test uses both tunnels - one openvpn process on each CPU. During the upload test, it only uses one of the tunnels. If I have the gateway group prefer one tunnel over the other, the download test only uses that tunnel and not the other, and the upload behavior doesn't change. I was able to confirm that by watching top from a console and looking at the bandwidth monitor.

                          I managed to pull down 60 mbit over OpenVPN doing it this way a few times, but on average it was about 50 mbit. I know there's more throughput available here given the hardware specs, so I need to figure out the best encryption algorithm to use. I want to try a real bench test to take the intertubes variable out of the equation to see how this really works.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.