Pfsense as vpn concentrator. What protocol and cpu?



  • Hi,

    For a customer I'm setting up a VPN network to connect some 80 sites. I would like to use pfSense (since most of their firewalls are already pfsense anyway) as a concentrator to accomplish this.
    Simply put a proper 1u box in a datacenter running pfSense acting as a concentrator that routes traffic between their sites while also connecting a couple of critical servers for their organization that will be placed in the same datacenter.
    I will add some connections between sites as well but it isn't necessary to create a full mesh so please I don't need any remarks on the topology ;)

    Usually I'm a cisco guy but as I said I'm fine with pfSense.

    However I have some trouble finding clear, not-ambiguous information on 2 questions.
    1. Ipsec vs openvpn. It seems that ipsec is faster and more robust  but I have found some contradictory info. How good is openvpn for this sort of solution? I love it as a road warrior solution but have no experience creating large vpn networks with it.
    2. Is openvpn multithreaded? (keeping in mind there will be 80 site-to-site tunnels. Don't care about multithreading a single tunnel obviously). Is the ipsec implementation?

    I was thinking about a 1u box with a xeon cpu (8cores/16 threads) which they have but aren't using. It has a lot of intel gbit connections so it should be great as a firewall but it has relatively low clock so if none of the vpn solutions can make use of the high thread count this cpu might actually be lacking to calculate the encryption (I intend to use aes-256 and would like at least 100Mb throughput).

    Anyone who can give me some clear information on this?

    sorry if this is supposed to be in oVPN and/or ipSec forum but since it covers both and hardware I thought general might be the best option ;)

    kind regards



  • As far as personal experience, I have two small datacenters that connect almost 30 sites through OpenVPN and I've been using this with pfSense for years. Datacenters are setup with CARP with OpenVPN as the server and the branch sites are the client. Absolutely love pfSense and OpenVPN, rock solid. We did test a VDI solution over VPN with IPSEC before Strongwan was implemented but had a few seconds of disconnects during rekey that were causing issues with end users. After switching to OpenVPN, problems went away. Again, this was around the 2.2 era before strongwan was implemented so I suspect alot of improvements since then.

    Ipsec vs openvpn. It seems that ipsec is faster and more robust  but I have found some contradictory info.

    I believe LAB results will show IPSEC being faster but honestly until you test on your hardware with your WAN connections theres no telling which will give you the best results. If all branch sites will have pfSense as their firewall than OpenVPN is a good option. If your going to have a mix of firewalls and you don't want to manage IPSEC and OpenVPN than IPSEC might be your only choice as not all firewalls support OpenVPN where almost all support IPSEC.

    Is openvpn multithreaded? (keeping in mind there will be 80 site-to-site tunnels. Don't care about multithreading a single tunnel obviously). Is the ipsec implementation?

    I'm not 100% sure on this, I'm wanting to say its single thread per tunnel but with the amount of tunnels your using I would think all cores would be used. I thought I read something recently in the blogs about IPSEC and multithreading but I honestly can't remember. You defiantly want to make sure your using a modern CPU that has aes-ni support.

    I was thinking about a 1u box with a xeon cpu (8cores/16 threads) which they have but aren't using.

    CPU specs? Support aes-ni? How old is the server and how important is the VPN? Might want to think about a HA setup.

    I intend to use aes-256 and would like at least 100Mb throughput

    If you need at least 100mb/s than you better test before telling your client you can deliver and invest money. You need to test both IPSEC and OpenVPN and see what the results are. What type of connection and bandwidth do you have between the sites?

    Just an example, I have a VPN site to site connected through the same carrier with the sites about a mile away. Both 200MB fiber and I can get about 180MB on IPERF test at around 4ms.
    Another site to site, different ISP, different state, both have 500MB fiber and I only get around 120MB around 30ms. So testing is key if you absolutely need a set amount.

    Overall I love OpenVPN and it has been very reliable for me. I cross-replicate my VMs over the VPN and very happy with the speeds and not having to pay the ISP for additional services.

    Hope this helps.



  • It's a Kirby Lake generation Xeon so it's pretty new and supports AES-NI.
    I've also understood from multiple sources that oVPN should support multithreading if multiple tunnels are used.
    Guess I'll have to test to find out if I can get the required throughpit.

    Thanks :)