Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Scaling OpenVPN (and VPNs in general)

    OpenVPN
    7
    12
    8986
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimp
      jimp Rebel Alliance Developer Netgate last edited by jimp

      It's still somewhat of a work in progress, but we have added a new VPN scaling document with general advice for maximizing VPN capacity and performance as well as specific recommendations for IPsec and OpenVPN:

      https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html

      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      6 1 Reply Last reply Reply Quote 5
      • Pippin
        Pippin last edited by Pippin

        Hi,

        It's still somewhat of a work in progress

        Small correction, topology subnet /24 can house 256-4=252 clients.
        .0 network
        .1 server
        .254 dhcp
        .255 broadcast

        https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#check-tunnel-network-virtual-address-pool-sizes
        and
        https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#topology
        .
        .
        I wonder if this is correct:
        https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
        I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
        OpenSSL has built-in code to detect it and will use it if CPU supports it...

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        jimp 1 Reply Last reply Reply Quote 0
        • P
          Paulk201270 last edited by

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            @Paulk201270 said in Scaling OpenVPN (and VPNs in general):

            Many thanks and best regards
            Paul.

            Doesn't really fit into the topic of this post, getting VPNs to scale to large quantities of users.

            I'd post a better description of what you are trying to do in a new thread in the appropriate VPN section.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            P 1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate @Pippin last edited by

              @Pippin said in Scaling OpenVPN (and VPNs in general):

              Small correction, topology subnet /24 can house 256-4=252 clients.
              .0 network
              .1 server
              .254 dhcp
              .255 broadcast

              I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded but it does seem to be implied in some pseudocode in the docs around the topology option description. I went ahead and lowered that to 252 to be safe.

              I wonder if this is correct:
              https://docs.netgate.com/pfsense/en/latest/vpn/scaling.html#use-hardware-acceleration
              I'm on 2.4.4 and for OpenVPN do not need any module loaded for AES-NI.
              OpenSSL has built-in code to detect it and will use it if CPU supports it...

              Experiences with that have varied. Some things in OpenSSL/OpenVPN can take direct advantage of AES-NI without the modules loaded, but for everything on the system to use it to its full extent, the modules should be loaded. I haven't seen any recent performance data comparisons which suggest any benefit to leaving it unloaded, either. If new data is presented, the suggestions can be changed.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 1
              • Pippin
                Pippin last edited by

                @jimp said in Scaling OpenVPN (and VPNs in general):

                I don't see that it's stated clearly in the OpenVPN docs that the last address is excluded

                One can also see it in the server log:

                IFCONFIG POOL: base=10.8.0.2 size=252, .....
                

                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                Halton Arp

                1 Reply Last reply Reply Quote 1
                • P
                  Paulk201270 @Derelict last edited by

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    I didn't point anyone here yet, I just made the post. But if you are following my account (which it looks like you are), the forum might have notified you about my new post(s).

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    P 1 Reply Last reply Reply Quote 0
                    • P
                      Paulk201270 @jimp last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • 6
                        69z28 @jimp last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • Rico
                          Rico LAYER 8 Rebel Alliance last edited by

                          I'd suggest to open your own thread, not posting across general informations.

                          -Rico

                          2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

                          1 Reply Last reply Reply Quote 0
                          • M
                            mgiammarco2 last edited by

                            I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post:
                            link text

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post