Tuning openvpn / pfsense2.4.3 / vmware 6.5
I'd be after some pointers regarding tuning openvpn for maximum throughput over our 100/40 mbit fibre.
We'll be using openvpn to let our staff connect back to HQ using AUTH ONLY.
I've allocated 4 x CPUs to pfsense
CPU: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz 4 CPUs: 4 package(s) AES-NI CPU Crypto: Yes (active) Hardware crypto: AES-CBC,AES-XTS,AES-GCM,AES-ICM
I have scheduled a maintenance window to play with all parameters and so far found the following:
1/ vmware vm CPU option to "Expose VMware Hardware Assisted Virtualization"
2/ pfsense Advanced > system tunables "net.inet.ip.fastforwarding"
3/ pfsense advanced > misc "Cryptographic Hardware" set to AES-NI + cryptodev
4/ crypto variants AES-128-CBC vs AES-256-CBC
5/ openvpn UDP vs TCP (UDP will most likely outperform)
6/ openvpn with no / cryptodev / aesni acceleration
My initial tests (before optimizing) came out with a transfer rate of 2MB out of 5MB bandwidth (SMB/CIFS, download from openvpn client), I'll do further testing with FTP/HTTP as well.
Some extra troubleshooting I've done (CPU hiked to 25%):
# openssl speed -evp aes-128-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 33798.90k 126848.16k 556705.72k 2283964.09k 9407707.36k # openssl speed -evp aes-128-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 36647.86k 154494.76k 481879.36k 2412279.05k 33554222.28k # openssl speed -evp aes-256-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 39785.37k 143402.97k 618940.81k 2181518.68k 17871330.16k # openssl speed -evp aes-256-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256-cbc 38101.69k 147163.68k 554992.81k 2396367.53k 11637287.10k
Would there be any other parameters that have a huge impact on OpenVPN throughput ?
Any best practice guide for pfsense running on vmware in the scope of OpenVPN ?
Any other advice ?
I would try deactivating AES in System>Advanced>Miscellaneous, as the AES instructions are available to OpenSSL natively and don't need additional wrappers to be used. This is mentioned in other threads. You might also try using the AES-GCM encryption modes. Another thing to try is using LZ4 compression and pushing it to all clients.
I am running with the settings I have mentioned under QEMU/KVM on AMD for remote access with SSL/TLS and User Auth, and for peer to peer tunnels, and it seems to serve me well.