Scaling OpenVPN (and VPNs in general)

jimp · Mar 20, 2020, 2:26 PM

It's still somewhat of a work in progress, but we have added a new VPN scaling document with general advice for maximizing VPN capacity and performance as well as specific recommendations for IPsec and OpenVPN:

https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html

Pippin · Mar 20, 2020, 1:38 PM

Hi,

It's still somewhat of a work in progress

Small correction, topology subnet /24 can house 256-4=252 clients.
.0 network
.1 server
.254 dhcp
.255 broadcast

https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#check-tunnel-network-virtual-address-pool-sizes
and
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#topology
.
.
I wonder if this is correct:
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
OpenSSL has built-in code to detect it and will use it if CPU supports it...

Paulk201270 · Mar 20, 2020, 12:07 AM

This post is deleted!

Derelict · Mar 20, 2020, 1:01 AM

@Paulk201270 said in Scaling OpenVPN (and VPNs in general):

Many thanks and best regards
Paul.

Doesn't really fit into the topic of this post, getting VPNs to scale to large quantities of users.

I'd post a better description of what you are trying to do in a new thread in the appropriate VPN section.

jimp · Mar 20, 2020, 1:38 PM

@Pippin said in Scaling OpenVPN (and VPNs in general):

Small correction, topology subnet /24 can house 256-4=252 clients.
.0 network
.1 server
.254 dhcp
.255 broadcast

I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded but it does seem to be implied in some pseudocode in the docs around the topology option description. I went ahead and lowered that to 252 to be safe.

I wonder if this is correct:
https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
OpenSSL has built-in code to detect it and will use it if CPU supports it...

Experiences with that have varied. Some things in OpenSSL/OpenVPN can take direct advantage of AES-NI without the modules loaded, but for everything on the system to use it to its full extent, the modules should be loaded. I haven't seen any recent performance data comparisons which suggest any benefit to leaving it unloaded, either. If new data is presented, the suggestions can be changed.

Pippin · Mar 20, 2020, 2:04 PM

@jimp said in Scaling OpenVPN (and VPNs in general):

I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded

One can also see it in the server log:

IFCONFIG POOL: base=10.8.0.2 size=252, .....

Paulk201270 · Mar 20, 2020, 4:36 PM

This post is deleted!

jimp · Mar 20, 2020, 5:00 PM

I didn't point anyone here yet, I just made the post. But if you are following my account (which it looks like you are), the forum might have notified you about my new post(s).

Paulk201270 · Mar 20, 2020, 5:18 PM

This post is deleted!

69z28 · Mar 29, 2020, 12:36 PM

This post is deleted!

Rico · Mar 29, 2020, 1:21 PM

I'd suggest to open your own thread, not posting across general informations.

-Rico

mgiammarco2 · Mar 15, 2021, 6:58 PM

I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post:
link text