SG-5100 OpenVPN speeds



  • What maximum OpenVPN speeds should I expect from one point-to-point OpenVPN using an SG-5100 stock configuration?



  • Take the SG-4860 for reference: https://www.netgate.com/docs/pfsense/book/hardware/hardware-sizing-guidance.html
    It has a similar CPU, so I expect that the VPN throughput also will be similar.



  • Thanks for this.

    I note this paragraph:

    "Where high VPN throughput is a requirement for a firewall, hardware crypto acceleration is of utmost importance to ensure not only fast transmission speeds but also less CPU overhead. The reduction in CPU overhead means the VPN will not lower the performance of other services on the firewall. The current best available acceleration is available by using a CPU which includes AES-NI support combined with AES-GCM in IPsec."

    Does the SG-5100 CPU support AES-NI and AES-GCM?



  • The SG-5100 has an Atom C3558 CPU and that supports AES-NI. Use it with an up-to-date pfSense (at least 2.4) to get the benefit of AES-GCM.



  • Thanks for that. I'm still not sure I really have an answer on what speeds to expect with OpenVPN and AES-NI. There is nothing in the documentation that tells me what I should expect other than it will be faster than what is in the table.

    I'd love to know the Mbps throughput of what I'd get.


  • Netgate

    Depends on too many variables such as the link speeds at each end, latency between them, load at each end, etc.



  • One of the variables though is the capacity of the CPU and AES-NI enabled. What is the theoretical limit based on the CPU? I understand all the other network conditions can impact it - but that's not my question. What is the limitation of the CPU?


  • Netgate

    The table you have is what is available.



  • @derelict The table doesn't answer the question with AES-NI enabled. So basically Netgate are selling a box that can't tell me what the CPU limitations are with a VPN with AES-NI enabled for OpenVPN?


  • Netgate

    AES-NI is going to do very little for OpenVPN. OpenVPN spends most of its time context switching between user and kernel modes, not performing encryption.



  • Crikey - so there really isn't anything that does 100 Mbps or gigabit VPN other than building my own PC with a decent CPU?


  • Netgate

    The SG-5100 has a decent CPU. It's a 2.2GHz Denverton. But, yeah, for OpenVPN, single-core performance is what you seek as the code stands right now. I would expect the SG-5100 to be able to do better than 100Mbps OpenVPN if there isn't anything else (latency, the VPN provider, etc.) slowing it down. But as I said, there are lots of factors in play.


  • Rebel Alliance

    My XG-7100 does around 280 MBit/s AES-256-GCM per OpenVPN instance/core and has the same CPU as the SG-5100 as far as I know.
    Just for your reference point.

    -Rico