SG-3100, OpenVPN and crypto settings



  • Saw this old post with no activity about hardware crypto settings: SG-3100 what setting for cryptographic hardware?

    FWIW, I used BSD Crypto Device (cryptodev) in System->Advanced->Miscellaneous and Hardware Crypto in the OpenVPN client config and saw no big difference with it on or off.

    I tried a few different crypto settings on the OpenVPN client, using ones that cryptodev supposedly assists (e.g. AES-128-CBC). Nothing I do gets the client chatting over 100Mb on a gig line, which seems to pair up to the old Speed estimate for openvpn on the SG-3100 thread.

    Tossing it out to the hive - anyone more recently find some great configs that push the 3100 to higher OpenVPN throughput? I'm willing to try IPsec, but I'd really need a recipe for that...


  • Rebel Alliance

    The maximum I was able to squeeze out of the SG-3100 with OpenVPN is 98MBit with AES-128-CBC.
    AES-256-GCM is like 83MBit.
    Playing around with the crypto settings in System->Adv->MISC and/or the OpenVPN instance made it even 1-3MBit slower. 😳

    -Rico



  • @rico Well, at least they're consistent. That's right at my high mark as well. Bufferbloat was out of control, so turned CoDel on for the VPN interface and that smoothed out a bit - but didn't help reported speed number.

    Just ran two speed tests on it. Used a CLI tester that generally gives higher numbers than the others, seems it really pushes multiple paths to the max. This is with AES-128-CBC as well. SpeedTest++ does automatic line testing, it thinks mine is broadband and not fiber. When I run it without VPN, it sees fiber every time.

    Any clue why upload speed is so much slower on a symmetric link?

    Speedtest.net command line interface
    Info: https://github.com/taganaka/SpeedTest
    Author: Francesco Laurita <francesco.laurita@gmail.com>
    
    Finding fastest server... 7736 Servers online
    ............
    Ping: 3 ms.
    Jitter: 2 ms.
    Determine line type (2) ........................
    Broadband line type detected: profile selected broadband
    
    Testing download speed (32) .....................................................................................................................
    Download: 116.35 Mbit/s
    Testing upload speed (8) .......................................................
    Upload: 41.01 Mbit/s
    
    back-to-back run
    
    SpeedTest++ version 1.14
    Speedtest.net command line interface
    Info: https://github.com/taganaka/SpeedTest
    Author: Francesco Laurita <francesco.laurita@gmail.com>
    
    Finding fastest server... 7736 Servers online
    ............
    Ping: 4 ms.
    Jitter: 6 ms.
    Determine line type (2) ........................
    Broadband line type detected: profile selected broadband
    
    Testing download speed (32) ...................................................................................................................
    Download: 108.90 Mbit/s
    Testing upload speed (8) .......................................................
    Upload: 39.17 Mbit/s
    


  • @rico said in SG-3100, OpenVPN and crypto settings:

    The maximum I was able to squeeze out of the SG-3100 with OpenVPN is 98MBit with AES-128-CBC.
    AES-256-GCM is like 83MBit.
    Playing around with the crypto settings in System->Adv->MISC and/or the OpenVPN instance made it even 1-3MBit slower. 😳

    -Rico

    For security you want to use 256-CBC but are fine with 128-GCM. GCM will be more secure even with the lower bit setting.


  • Rebel Alliance

    Yes, I know. AES-128-CBC was the maximum speed for my SG-3100.

    -Rico