Netgate Discussion Forum
    Tuning openvpn / pfsense2.4.3 / vmware 6.5

    • reddwarf

      Heya,

      I'd be after some pointers regarding tuning openvpn for maximum throughput over our 100/40 mbit fibre.
      We'll be using openvpn to let our staff connect back to HQ using AUTH ONLY.

      I've allocated 4 x CPUs to pfsense

      
      CPU:
      Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
      4 CPUs: 4 package(s)
      AES-NI CPU Crypto: Yes (active)
      
      Hardware crypto:
      AES-CBC,AES-XTS,AES-GCM,AES-ICM
      
      

      I have scheduled a maintenance window to play with all parameters and so far found the following:
      1/ vmware vm CPU option to "Expose VMware Hardware Assisted Virtualization"
      2/ pfsense Advanced > system tunables "net.inet.ip.fastforwarding"
      3/ pfsense advanced > misc "Cryptographic Hardware" set to AES-NI + cryptodev
      4/ crypto variants AES-128-CBC vs AES-256-CBC
      5/ openvpn UDP vs TCP (UDP will most likely outperform)
      6/ openvpn with no / cryptodev / aesni acceleration

      My initial tests (before optimizing) came out with a transfer rate of 2MB out of 5MB bandwidth (SMB/CIFS, download from openvpn client), I'll do further testing with FTP/HTTP as well.

      Some extra troubleshooting I've done (CPU hiked to 25%):

      
      # openssl speed -evp aes-128-cbc
      type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
      aes-128-cbc      33798.90k   126848.16k   556705.72k  2283964.09k  9407707.36k
      
      # openssl speed -evp aes-128-cbc
      type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
      aes-128-cbc      36647.86k   154494.76k   481879.36k  2412279.05k 33554222.28k
      
      # openssl speed -evp aes-256-cbc
      type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
      aes-256-cbc      39785.37k   143402.97k   618940.81k  2181518.68k 17871330.16k
      
      # openssl speed -evp aes-256-cbc
      type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
      aes-256-cbc      38101.69k   147163.68k   554992.81k  2396367.53k 11637287.10k
      
      

      Would there be any other parameters that have a huge impact on OpenVPN throughput?
      Any best practice guide for pfsense running on vmware in the scope of OpenVPN?
      Any other advice?

      • bfeitell

        I would try deactivating AES in System>Advanced>Miscellaneous, as the AES instructions are available to OpenSSL natively and don't need additional wrappers to be used.  This is mentioned in other threads.  You might also try using the AES-GCM encryption modes.  Another thing to try is using LZ4 compression and pushing it to all clients.

        I am running with the settings I have mentioned under QEMU/KVM on AMD for remote access with SSL/TLS and User Auth, and for peer to peer tunnels, and it seems to serve me well.

        Cheers.

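Added example, not part of either post: the repeated `openssl speed` runs in the first post can be checked for run-to-run consistency before they are used to choose between AES-128-CBC and AES-256-CBC. The Python below parses that output format and reports the block sizes where two runs of the same cipher disagree; the function names and the 1.25x threshold are assumptions made for this example.

```python
import re

# The four runs from the first post, copied as posted ("k" = 1000s of bytes/s).
POSTED_RUNS = """\
# openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      33798.90k   126848.16k   556705.72k  2283964.09k  9407707.36k
# openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      36647.86k   154494.76k   481879.36k  2412279.05k 33554222.28k
# openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      39785.37k   143402.97k   618940.81k  2181518.68k 17871330.16k
# openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      38101.69k   147163.68k   554992.81k  2396367.53k 11637287.10k
"""

def parse_speed(text):
    """Return {cipher: [{block_size: rate}, ...]} with one dict per run."""
    runs, sizes = {}, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "#":
            continue  # blank line or the echoed command
        if fields[0] == "type":
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif sizes and len(fields) == len(sizes) + 1:
            rates = [float(f.rstrip("k")) for f in fields[1:]]
            runs.setdefault(fields[0], []).append(dict(zip(sizes, rates)))
    return runs

def spread(runs):
    """Max/min ratio across repeated runs, per cipher and block size."""
    return {
        cipher: {size: max(s[size] for s in samples) / min(s[size] for s in samples)
                 for size in samples[0]}
        for cipher, samples in runs.items()
    }

def unstable(runs, limit=1.25):
    """(cipher, size) pairs whose runs differ by more than limit x (1.25 is arbitrary)."""
    return sorted((c, size) for c, by_size in spread(runs).items()
                  for size, ratio in by_size.items() if ratio > limit)

if __name__ == "__main__":
    runs = parse_speed(POSTED_RUNS)
    for cipher, size in unstable(runs):
        print(f"{cipher} {size} B: max/min = {spread(runs)[cipher][size]:.2f}")
```

On the posted data it flags the 8192-byte column for both ciphers (the two runs are about 3.57x and 1.54x apart). `openssl speed` divides by CPU time unless `-elapsed` is given, so rerunning with that flag is a reasonable next check.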
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.