VK-T40E VPN Limits



  • Re: Pfsense VK-T40E Max Data throughput over OpenVPN

    I probably already have the answer to this question, but I was interested in others' comments before moving to upgrade my FW.

    The VK-T40E has served tirelessly and is just for home use, although I do probably stretch it to the max. I recently upgraded my internet link to 50Mb/s and suspect that the time has come where the T40 can no longer deliver this speed via VPN.

    *Note: I send all traffic via VPN. Nothing goes out unless it is in one of 4 VPN tunnels, and policy-based routing / FW rules sort all of this out.

    I note that when attempting throughput / speed tests, the T40 now appears to struggle (high CPU usage, averaging 85-90% CPU time for the OpenVPN process during a download). In addition, I can only drag around 30Mb/s via VPN in the various tests I have done. The remote VPN endpoint can handle way more than this, and I have confirmed this by testing via other links / connections.

    In addition, I have temporarily routed traffic direct (not via VPN) through the T40 and it will deliver approx. 48Mb/s during a speed test / download test etc.

    So is it correct to assume the T40 is performing at maximum, i.e. 30Mb/s via OpenVPN = max CPU, etc.?

    I am considering an upgrade (it's old hardware anyway). I'm assuming the Netgate SG-5100 will deliver the required speeds, especially considering the AES-NI chip.
    Is there any consideration for the roadmap of pfSense? I think I saw a rumour that pfSense 2.5 may be the last? Hoping this is incorrect?

    Tnx.


  • Netgate Administrator

    What settings are you using in OpenVPN? Can you change what is used?

    The VK-T40E is a dual core CPU so if it's showing 85% CPU usage on the dashboard that could be 100% on one core. Check the CPU usage at the command line using top -aSH which will show the idle usage of each core.

    Steve



  • Thanks for the response.

    Re: VPN Settings - nothing too fancy:

    OpenVPN:
    UDP on IPv4
    Encryption Algorithm: AES128 CBC
    Compression Adaptive LZO - Enabled
    Certificate Verification

    The Suricata package is also running on the LAN interface, but I don't see that package consuming high CPU, so I assume it's not the biggest load on the system at this point.

    In throughput testing, the idle time of the CPUs dipped to the following.
    So although there is not too much room left, perhaps it is not at maximum, and hence possibly not yet impacting data throughput speed?
    I'm just guessing though, as I don't have enough experience with this kit to say either way.

    18210 root 1 0 10196K 6560K RUN 0 26:42 65.01% /usr/local/sbin/openvpn --config /var/etc/openvpn/client5.conf
    11 root 155 ki31 0K 32K RUN 0 1785.5 23.20% [idle{idle: cpu0}]
    11 root 155 ki31 0K 32K RUN 1 1797.6 23.11% [idle{idle: cpu1}]
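Steve's point about a dashboard figure on a dual-core box hiding a saturated core can be checked mechanically against `top -aSH` lines like the three above. The following is an added example, not code from the thread or from pfSense/Netgate: it parses FreeBSD `top -aSH` thread lines (the three posted above are embedded as the sample input), reports per-core idle, finds the busiest non-idle thread, and flags whether the core that thread is scheduled on has run out of idle. The linear extrapolation of a throughput ceiling from the OpenVPN thread's CPU share is a simplifying assumption for illustration, not a measurement, and the `idle_floor` threshold is an arbitrary choice.

```python
"""Judge from `top -aSH` output whether a single-threaded process (here
OpenVPN) is bound by one core of a dual-core pfSense box.

Added example, not part of the forum thread. Column layout assumed is
FreeBSD's `top -aSH`: PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the three thread lines posted in the thread, verbatim.
SAMPLE_TOP = """\
18210 root 1 0 10196K 6560K RUN 0 26:42 65.01% /usr/local/sbin/openvpn --config /var/etc/openvpn/client5.conf
11 root 155 ki31 0K 32K RUN 0 1785.5 23.20% [idle{idle: cpu0}]
11 root 155 ki31 0K 32K RUN 1 1797.6 23.11% [idle{idle: cpu1}]
"""

# One thread line. NICE may be "0" or "ki31"; TIME may be "26:42" or "1785.5".
_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<pri>-?\d+)\s+(?P<nice>\S+)\s+"
    r"(?P<size>\S+)\s+(?P<res>\S+)\s+(?P<state>\S+)\s+(?P<core>\d+)\s+"
    r"(?P<time>\S+)\s+(?P<wcpu>[\d.]+)%\s+(?P<cmd>.*\S)\s*$"
)
# The kernel idle threads show up as "[idle{idle: cpuN}]" under -H.
_IDLE = re.compile(r"\[idle\{idle: cpu(?P<core>\d+)\}\]")


@dataclass
class Thread:
    pid: int
    core: int      # the C column: core the thread last ran on
    wcpu: float    # WCPU as a percentage of one core (a thread cannot exceed 100)
    cmd: str


def parse_top(text: str) -> List[Thread]:
    """Return one Thread per line that matches the top -aSH layout."""
    threads = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            threads.append(Thread(int(m["pid"]), int(m["core"]),
                                  float(m["wcpu"]), m["cmd"]))
    return threads


def per_core_idle(threads: List[Thread]) -> Dict[int, float]:
    """Map core number -> idle percentage, taken from the idle threads."""
    idle = {}
    for t in threads:
        m = _IDLE.search(t.cmd)
        if m:
            idle[int(m["core"])] = t.wcpu
    return idle


def busiest_thread(threads: List[Thread]) -> Optional[Thread]:
    """The non-idle thread with the highest WCPU (the suspected bottleneck)."""
    work = [t for t in threads if not _IDLE.search(t.cmd)]
    return max(work, key=lambda t: t.wcpu, default=None)


def core_saturated(threads: List[Thread], thread: Thread,
                   idle_floor: float = 5.0) -> bool:
    """A single-threaded worker is CPU-bound once the core it runs on has
    (almost) no idle left; idle on the other core cannot help it."""
    idle = per_core_idle(threads).get(thread.core, 0.0)
    return idle <= idle_floor


def estimate_ceiling_mbps(measured_mbps: float, thread_wcpu: float) -> float:
    """Rough upper bound for a single-threaded worker, assuming (simplifying
    assumption) that throughput scales linearly with its CPU share up to 100%."""
    return measured_mbps * 100.0 / thread_wcpu


if __name__ == "__main__":
    threads = parse_top(SAMPLE_TOP)
    idle = per_core_idle(threads)
    hot = busiest_thread(threads)
    print("idle per core:", idle)
    print(f"busiest: pid {hot.pid} on cpu{hot.core} at {hot.wcpu}% ({hot.cmd.split()[0]})")
    print("core saturated:", core_saturated(threads, hot))
    print(f"ceiling if CPU-bound at 30 Mb/s: ~{estimate_ceiling_mbps(30, hot.wcpu):.1f} Mb/s")
```

On the posted sample this reports cpu0 at 23.2% idle and cpu1 at 23.11% idle with the OpenVPN thread at 65.01% on cpu0, so the core is busy but not yet saturated, which matches the poster's own reading; the 100%-of-one-core bound is what to watch, since OpenVPN's crypto path here is one thread regardless of how many cores the box has.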


  • Netgate Administrator

    If you haven't set them already you should definitely enable 'UDP Fast I/O' and increase 'Send/Receive Buffer' to 512K.
    That can produce significant gains.

    Steve



  • You might be able to squeeze a little more VPN performance out of it, but not much.



  • Tnx. I've experimented a bit and have got up to about 35Mbits. But mostly it peaks at 32Mbits. As mentioned, the actual link seems to run at around 47Mbits generally, so although it is not too far off max link speed, there is a bit to go and I think it might be the hardware holding it back. Going to try a couple of other settings I can test tonight. The UDP fast I/O has helped a bit but not as much as I thought it would. Can't seem to notice the buffer settings when testing. But need to do more to confirm.

    If it's a hardware limitation, I will start looking at the SG-5100. Does anyone use this device currently for OpenVPN? What's your experience? If I buy one, it needs to deliver for several years, so sizing is important. Link speeds may increase during this time as well, which is a consideration.


  • Netgate Administrator

    It will pass >200Mbps with 1500B packets using AES-128-CBC. More than that if you can use AES-GCM. Far more if you can switch to IPSec.

    Steve