Tuning openvpn / pfsense2.4.3 / vmware 6.5

reddwarf

Heya,

I'd be after some pointers regarding tuning openvpn for maximum throughput over our 100/40 mbit fibre.
We'll be using openvpn to let our staff connect back to HQ using AUTH ONLY.

I've allocated 4 x CPUs to pfsense

CPU:
Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
4 CPUs: 4 package(s)
AES-NI CPU Crypto: Yes (active)

Hardware crypto:
AES-CBC,AES-XTS,AES-GCM,AES-ICM

I have scheduled a maintenance window to play with all parameters and so far found the following:
1/ vmware vm CPU option to "Expose VMware Hardware Assisted Virtualization"
2/ pfsense Advanced > system tunables "net.inet.ip.fastforwarding"
3/ pfsense advanced > misc "Cryptographic Hardware" set to AES-NI + cryptodev
4/ crypto variants AES-128-CBC vs AES-256-CBC
5/ openvpn UDP vs TCP (UDP will most likely outperform)
6/ openvpn with no / cryptodev / aesni acceleration

My initial tests (before optimizing) came out with a transfer rate of 2MB out of 5MB bandwidth (SMB/CIFS, download from openvpn client), I'll do further testing with FTP/HTTP as well.

Some extra troubleshooting I've done (CPU hiked to 25%):

# openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      33798.90k   126848.16k   556705.72k  2283964.09k  9407707.36k

# openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      36647.86k   154494.76k   481879.36k  2412279.05k 33554222.28k

# openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      39785.37k   143402.97k   618940.81k  2181518.68k 17871330.16k

# openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      38101.69k   147163.68k   554992.81k  2396367.53k 11637287.10k

Would there be any other parameters that have a huge impact on OpenVPN throughput ?
Any best practice guide for pfsense running on vmware in the scope of OpenVPN ?
Any other advice ?

bfeitell

I would try deactivating AES in System>Advanced>Miscellaneous, as the AES instructions are available to OpenSSL natively and don't need additional wrappers to be used.  This is mentioned in other threads.  You might also try using the AES-GCM encryption modes.  Another thing to try is using LZ4 compression and pushing it to all clients.

I  am running with the settings I have mentioned under QEMU/KVM on AMD for remote access with SSL/TLS and User Auth, and for peer to peer tunnels, and it seems to serve me well.

Cheers.