Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Scaling OpenVPN (and VPNs in general)

    Scheduled Pinned Locked Moved OpenVPN
    12 Posts 7 Posters 12.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Paulk201270
      last edited by

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        @Paulk201270 said in Scaling OpenVPN (and VPNs in general):

        Many thanks and best regards
        Paul.

        Doesn't really fit into the topic of this post, getting VPNs to scale to large quantities of users.

        I'd post a better description of what you are trying to do in a new thread in the appropriate VPN section.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        P 1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate @Pippin
          last edited by

          @Pippin said in Scaling OpenVPN (and VPNs in general):

          Small correction, topology subnet /24 can house 256-4=252 clients.
          .0 network
          .1 server
          .254 dhcp
          .255 broadcast

          I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded but it does seem to be implied in some pseudocode in the docs around the topology option description. I went ahead and lowered that to 252 to be safe.

          I wonder if this is correct:
          https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
          I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
          OpenSSL has built-in code to detect it and will use it if CPU supports it...

          Experiences with that have varied. Some things in OpenSSL/OpenVPN can take direct advantage of AES-NI without the modules loaded, but for everything on the system to use it to its full extent, the modules should be loaded. I haven't seen any recent performance data comparisons which suggest any benefit to leaving it unloaded, either. If new data is presented, the suggestions can be changed.

          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 1
          • PippinP
            Pippin
            last edited by

            @jimp said in Scaling OpenVPN (and VPNs in general):

            I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded

            One can also see it in the server log:

            IFCONFIG POOL: base=10.8.0.2 size=252, .....
            

            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
            Halton Arp

            1 Reply Last reply Reply Quote 1
            • P
              Paulk201270 @Derelict
              last edited by

              This post is deleted!
              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                I didn't point anyone here yet, I just made the post. But if you are following my account (which it looks like you are), the forum might have notified you about my new post(s).

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                P 1 Reply Last reply Reply Quote 0
                • P
                  Paulk201270 @jimp
                  last edited by

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • 6
                    69z28 @jimp
                    last edited by

                    This post is deleted!
                    1 Reply Last reply Reply Quote 0
                    • RicoR
                      Rico LAYER 8 Rebel Alliance
                      last edited by

                      I'd suggest to open your own thread, not posting across general informations.

                      -Rico

                      1 Reply Last reply Reply Quote 0
                      • M
                        mgiammarco2
                        last edited by

                        I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post:
                        link text

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.