Scaling OpenVPN (and VPNs in general)
-
It's still somewhat of a work in progress, but we have added a new VPN scaling document with general advice for maximizing VPN capacity and performance as well as specific recommendations for IPsec and OpenVPN:
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html
-
Hi,
It's still somewhat of a work in progress
Small correction, topology subnet /24 can house 256-4=252 clients.
.0 network
.1 server
.254 dhcp
.255 broadcasthttps://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#check-tunnel-network-virtual-address-pool-sizes
and
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#topology
.
.
I wonder if this is correct:
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
OpenSSL has built-in code to detect it and will use it if CPU supports it... -
This post is deleted! -
@Paulk201270 said in Scaling OpenVPN (and VPNs in general):
Many thanks and best regards
Paul.Doesn't really fit into the topic of this post, getting VPNs to scale to large quantities of users.
I'd post a better description of what you are trying to do in a new thread in the appropriate VPN section.
-
@Pippin said in Scaling OpenVPN (and VPNs in general):
Small correction, topology subnet /24 can house 256-4=252 clients.
.0 network
.1 server
.254 dhcp
.255 broadcastI don't see that it's stated clearly in the OpenVPN docs that the last address is excluded but it does seem to be implied in some pseudocode in the docs around the topology option description. I went ahead and lowered that to 252 to be safe.
I wonder if this is correct:
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
OpenSSL has built-in code to detect it and will use it if CPU supports it...Experiences with that have varied. Some things in OpenSSL/OpenVPN can take direct advantage of AES-NI without the modules loaded, but for everything on the system to use it to its full extent, the modules should be loaded. I haven't seen any recent performance data comparisons which suggest any benefit to leaving it unloaded, either. If new data is presented, the suggestions can be changed.
-
@jimp said in Scaling OpenVPN (and VPNs in general):
I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded
One can also see it in the server log:
IFCONFIG POOL: base=10.8.0.2 size=252, ..... -
This post is deleted! -
I didn't point anyone here yet, I just made the post. But if you are following my account (which it looks like you are), the forum might have notified you about my new post(s).
-
This post is deleted! -
This post is deleted! -
I'd suggest to open your own thread, not posting across general informations.
-Rico
-
I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post:
link text
