    Scaling OpenVPN (and VPNs in general)

    OpenVPN
    • jimp
      jimp Rebel Alliance Developer Netgate last edited by jimp

      It's still somewhat of a work in progress, but we have added a new VPN scaling document with general advice for maximizing VPN capacity and performance as well as specific recommendations for IPsec and OpenVPN:

      https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html

      6 1 Reply Last reply Reply Quote 5
      • Pippin
        Pippin last edited by Pippin

        Hi,

        It's still somewhat of a work in progress

        Small correction, topology subnet /24 can house 256-4=252 clients.
        .0 network
        .1 server
        .254 dhcp
        .255 broadcast

        https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#check-tunnel-network-virtual-address-pool-sizes
        and
        https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#topology
        .
        .
        I wonder if this is correct:
        https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
        I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
        OpenSSL has built-in code to detect it and will use it if CPU supports it...

        jimp 1 Reply Last reply Reply Quote 0
        • P
          Paulk201270 last edited by

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            @Paulk201270 said in Scaling OpenVPN (and VPNs in general):

            Many thanks and best regards
            Paul.

            Doesn't really fit into the topic of this post, getting VPNs to scale to large quantities of users.

            I'd post a better description of what you are trying to do in a new thread in the appropriate VPN section.

            P 1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate @Pippin last edited by

              @Pippin said in Scaling OpenVPN (and VPNs in general):

              Small correction, topology subnet /24 can house 256-4=252 clients.
              .0 network
              .1 server
              .254 dhcp
              .255 broadcast

              I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded but it does seem to be implied in some pseudocode in the docs around the topology option description. I went ahead and lowered that to 252 to be safe.

              I wonder if this is correct:
              https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
              I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
              OpenSSL has built-in code to detect it and will use it if CPU supports it...

              Experiences with that have varied. Some things in OpenSSL/OpenVPN can take direct advantage of AES-NI without the modules loaded, but for everything on the system to use it to its full extent, the modules should be loaded. I haven't seen any recent performance data comparisons which suggest any benefit to leaving it unloaded, either. If new data is presented, the suggestions can be changed.

              1 Reply Last reply Reply Quote 1
              • Pippin
                Pippin last edited by

                @jimp said in Scaling OpenVPN (and VPNs in general):

                I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded

                One can also see it in the server log:

                IFCONFIG POOL: base=10.8.0.2 size=252, .....
                
                1 Reply Last reply Reply Quote 1
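Added example, not part of any post in this thread and not pfSense or OpenVPN code: a capacity check built on the accounting discussed above (four addresses reserved in a topology subnet tunnel network, and the `IFCONFIG POOL` line in the server log). It assumes the same four reserved addresses apply to prefix lengths other than /24; the function names, the headroom parameter and the sample log are constructed for illustration.

```python
import ipaddress
import re

# Reserved in a "topology subnet" tunnel network, per the thread's accounting:
# network address, server (first host address), next-to-last address, broadcast.
RESERVED = 4
POOL_RE = re.compile(r"IFCONFIG POOL: base=(\d+(?:\.\d+){3}) size=(\d+)")

# Constructed sample log; the pool line is the fragment quoted in the thread.
SAMPLE_LOG = [
    "constructed line: server starting",
    "IFCONFIG POOL: base=10.8.0.2 size=252, .....",
]

def expected_pool(tunnel_cidr):
    """Return (first client address, pool size) for an IPv4 tunnel network."""
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    if net.version != 4:
        raise ValueError("this sketch only covers IPv4 tunnel networks")
    size = net.num_addresses - RESERVED
    if size < 1:
        raise ValueError(f"{net} leaves no addresses for clients")
    return net.network_address + 2, size

def parse_pool_line(line):
    """Extract (base, size) from an IFCONFIG POOL log line, or None."""
    m = POOL_RE.search(line)
    return (ipaddress.ip_address(m.group(1)), int(m.group(2))) if m else None

def check_capacity(tunnel_cidr, log_lines, peak_clients, headroom_pct=20):
    """Compare configured and logged pool size against expected peak load."""
    exp_base, exp_size = expected_pool(tunnel_cidr)
    findings = []
    logged = [p for p in map(parse_pool_line, log_lines) if p]
    if not logged:
        findings.append("no IFCONFIG POOL line found in the log")
    for base, size in logged:
        if (base, size) != (exp_base, exp_size):
            findings.append(f"logged pool {base} size={size} differs from "
                            f"expected {exp_base} size={exp_size}")
    # Integer ceiling of peak * (1 + headroom) to avoid float rounding.
    needed = (peak_clients * (100 + headroom_pct) + 99) // 100
    if needed > exp_size:
        findings.append(f"pool of {exp_size} is too small for {needed} "
                        f"addresses (peak {peak_clients} + {headroom_pct}%)")
    return exp_size, findings

if __name__ == "__main__":
    for peak in (200, 240):
        print(peak, check_capacity("10.8.0.0/24", SAMPLE_LOG, peak))
```

A mismatch between the logged pool and the expected one usually means the log belongs to a different server instance or the tunnel network was changed without a restart.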
                • P
                  Paulk201270 @Derelict last edited by

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    I didn't point anyone here yet, I just made the post. But if you are following my account (which it looks like you are), the forum might have notified you about my new post(s).

                    P 1 Reply Last reply Reply Quote 0
                    • P
                      Paulk201270 @jimp last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • 6
                        69z28 @jimp last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • Rico
                          Rico LAYER 8 Rebel Alliance last edited by

                          I'd suggest opening your own thread, not posting across general information.

                          -Rico

                          1 Reply Last reply Reply Quote 0
                          • M
                            mgiammarco2 last edited by

                            I have discovered that the OpenVPN implementation in pfSense is slow even without ciphering data; look at my post:
                            link text

                            1 Reply Last reply Reply Quote 0