Tuning OpenVPN / pfSense 2.4.3 / VMware 6.5



  • Heya,

    I'd be after some pointers regarding tuning OpenVPN for maximum throughput over our 100/40 Mbit fibre.
    We'll be using OpenVPN to let our staff connect back to HQ using AUTH ONLY.

    I've allocated 4 x CPUs to pfSense.

    
    CPU:
    Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
    4 CPUs: 4 package(s)
    AES-NI CPU Crypto: Yes (active)
    
    Hardware crypto:
    AES-CBC,AES-XTS,AES-GCM,AES-ICM
    
    

    I have scheduled a maintenance window to play with all parameters and so far found the following:
    1/ VMware VM CPU option to "Expose VMware Hardware Assisted Virtualization"
    2/ pfSense Advanced > System Tunables "net.inet.ip.fastforwarding"
    3/ pfSense Advanced > Misc "Cryptographic Hardware" set to AES-NI + cryptodev
    4/ crypto variants AES-128-CBC vs AES-256-CBC
    5/ OpenVPN UDP vs TCP (UDP will most likely outperform)
    6/ OpenVPN with no / cryptodev / aesni acceleration

    My initial tests (before optimizing) came out with a transfer rate of 2MB out of 5MB bandwidth (SMB/CIFS, download from OpenVPN client); I'll do further testing with FTP/HTTP as well.

    Some extra troubleshooting I've done (CPU hiked to 25%):

    
    # openssl speed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc      33798.90k   126848.16k   556705.72k  2283964.09k  9407707.36k
    
    # openssl speed -evp aes-128-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc      36647.86k   154494.76k   481879.36k  2412279.05k 33554222.28k
    
    # openssl speed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc      39785.37k   143402.97k   618940.81k  2181518.68k 17871330.16k
    
    # openssl speed -evp aes-256-cbc
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc      38101.69k   147163.68k   554992.81k  2396367.53k 11637287.10k
    
    

    Would there be any other parameters that have a huge impact on OpenVPN throughput?
    Any best practice guide for pfSense running on VMware in the scope of OpenVPN?
    Any other advice?
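
An added example, not part of the original posts: a Python script that parses the `openssl speed -evp` output quoted in the post above, converts the slowest run at 1024-byte blocks to Mbit/s, compares it with the 100 Mbit side of the link, and flags block sizes where the repeated runs disagree. The function names, the 1024-byte column as a stand-in for tunnel packet size, and the 1.3 run-to-run tolerance are assumptions made for this example.

```python
import re

# Copied from the post above; openssl reports thousands of bytes per second ("k").
SAMPLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      33798.90k   126848.16k   556705.72k  2283964.09k  9407707.36k
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      36647.86k   154494.76k   481879.36k  2412279.05k 33554222.28k
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      39785.37k   143402.97k   618940.81k  2181518.68k 17871330.16k
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      38101.69k   147163.68k   554992.81k  2396367.53k 11637287.10k
"""


def parse_speed(text):
    """Return {cipher: [{block_bytes: bytes_per_second}, ...]}, one dict per run."""
    sizes, runs = [], {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "type":
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif sizes and len(fields) == len(sizes) + 1 and all(f.endswith("k") for f in fields[1:]):
            rates = [float(f[:-1]) * 1000 for f in fields[1:]]
            runs.setdefault(fields[0], []).append(dict(zip(sizes, rates)))
    return runs


def crypto_headroom(runs, link_mbit, packet_bytes=1024):
    """Slowest run per cipher at packet_bytes: (Mbit/s, multiple of the link rate)."""
    out = {}
    for cipher, results in runs.items():
        mbit = min(r[packet_bytes] for r in results) * 8 / 1e6
        out[cipher] = (round(mbit), round(mbit / link_mbit, 1))
    return out


def noisy_columns(runs, tolerance=1.3):
    """Block sizes where repeated runs differ by more than `tolerance` (max/min)."""
    noisy = {}
    for cipher, results in runs.items():
        bad = [s for s in results[0]
               if max(r[s] for r in results) / min(r[s] for r in results) > tolerance]
        if bad:
            noisy[cipher] = bad
    return noisy


if __name__ == "__main__":
    runs = parse_speed(SAMPLE)
    print(crypto_headroom(runs, link_mbit=100))  # 100 Mbit side of the 100/40 link
    print(noisy_columns(runs))
```

The benchmark covers only the cipher on one core, so the ratio is an upper bound on crypto headroom, not a throughput prediction for the tunnel.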



  • I would try deactivating AES in System>Advanced>Miscellaneous, as the AES instructions are available to OpenSSL natively and don't need additional wrappers to be used.  This is mentioned in other threads.  You might also try using the AES-GCM encryption modes.  Another thing to try is using LZ4 compression and pushing it to all clients.

    I am running with the settings I have mentioned under QEMU/KVM on AMD for remote access with SSL/TLS and User Auth, and for peer to peer tunnels, and it seems to serve me well.

    Cheers.