4. Tuning openvpn / pfsense2.4.3 / vmware 6.5

Tuning openvpn / pfsense2.4.3 / vmware 6.5

  • R

    Heya,

    I'd be after some pointers regarding tuning openvpn for maximum throughput over our 100/40 mbit fibre.
    We'll be using openvpn to let our staff connect back to HQ using AUTH ONLY.

    I've allocated 4 x CPUs to pfsense

    
CPU:
Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
4 CPUs: 4 package(s)
AES-NI CPU Crypto: Yes (active)

Hardware crypto:
AES-CBC,AES-XTS,AES-GCM,AES-ICM

    I have scheduled a maintenance window to play with all parameters and so far found the following:
    1/ vmware vm CPU option to "Expose VMware Hardware Assisted Virtualization"
    2/ pfsense Advanced > system tunables "net.inet.ip.fastforwarding"
    3/ pfsense advanced > misc "Cryptographic Hardware" set to AES-NI + cryptodev
    4/ crypto variants AES-128-CBC vs AES-256-CBC
    5/ openvpn UDP vs TCP (UDP will most likely outperform)
    6/ openvpn with no / cryptodev / aesni acceleration

    My initial tests (before optimizing) came out with a transfer rate of 2MB out of 5MB bandwidth (SMB/CIFS, download from openvpn client), I'll do further testing with FTP/HTTP as well.

    Some extra troubleshooting I've done (CPU hiked to 25%):

    
# openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      33798.90k   126848.16k   556705.72k  2283964.09k  9407707.36k

# openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      36647.86k   154494.76k   481879.36k  2412279.05k 33554222.28k

# openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      39785.37k   143402.97k   618940.81k  2181518.68k 17871330.16k

# openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      38101.69k   147163.68k   554992.81k  2396367.53k 11637287.10k

    Would there be any other parameters that have a huge impact on OpenVPN throughput ?
    Any best practice guide for pfsense running on vmware in the scope of OpenVPN ?
    Any other advice ?

    0
  • B

    I would try deactivating AES in System>Advanced>Miscellaneous, as the AES instructions are available to OpenSSL natively and don't need additional wrappers to be used.  This is mentioned in other threads.  You might also try using the AES-GCM encryption modes.  Another thing to try is using LZ4 compression and pushing it to all clients.

    I  am running with the settings I have mentioned under QEMU/KVM on AMD for remote access with SSL/TLS and User Auth, and for peer to peer tunnels, and it seems to serve me well.

    Cheers.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy