Netgate Discussion Forum

    OpenVPN performance tests don't match up
    Pippin

      If you read back your topic, doesn't it occur to you that the test is flawed?

      Don't draw conclusions like "something is broken with pfSense OpenVPN or OpenSSL binaries" as it will bar you from advancing insight...
      ;)

      all the other platforms on the same hardware I tested

      Now try on real hardware...

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      dirtyfreebooter @Pippin

        @Pippin wow, good insight! Thanks! But I did experiments and I am drawing conclusions from those experiments. That is how the scientific method works. You are welcome to dispute those findings, but you can't just say "you're wrong"; either provide your wisdom or please stay out of this one-way post.

        I did try this, installing 2.4.5-p1 on a bare Xeon D-2146NT, and got the exact same results.

        The D-2146NT is faster and stronger than any hardware offered by Netgate and does not match their advertised speeds.

        dirtyfreebooter

          Trying the 2.5.0 nightly again on the same hypervisor.

          openvpn --version
          OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 11 2020
          library versions: OpenSSL 1.1.1h-freebsd  22 Sep 2020, LZO 2.10
          Originally developed by James Yonan
          Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
          Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
          
          [2.5.0-DEVELOPMENT][root@pfSense.lan]/root: ./openvpn_test.sh
                  0.34 real         0.33 user         0.00 sys
                  0.35 real         0.34 user         0.00 sys
                  0.81 real         0.80 user         0.00 sys
                  0.86 real         0.86 user         0.00 sys
          

          So pfSense nightly matches OPNsense.

            Pippin

            So you read over the ;)

            It's not about

            D-2146NT is faster and stronger than any hardware offered by Netgate

            but about the test.
            Anyway:

            [2.5.0-DEVELOPMENT][root@pfSense.lan]/root: ./openvpn_test.sh
            0.34 real 0.33 user 0.00 sys
            0.35 real 0.34 user 0.00 sys
            0.81 real 0.80 user 0.00 sys
            0.86 real 0.86 user 0.00 sys

            If we take 0.34 for aes-128-gcm and do the calculation to get an estimated maximum OpenVPN performance, as in line speed:

            3200/0.34 ~ 9411 Mbps

            something is wrong.
            Don't test in VM, results will vary/be skewed.

              dirtyfreebooter

              VM is perfectly fine here. You literally don't know what you are talking about if you think otherwise.

                The fact that multiple OSes, bare metal or VM, all produce the same results and it's only pfSense 2.4.5 (not even pfSense 2.5.0) is not suspect to you? How do you explain that? Why is pfSense 2.4.5 OK and all the others (Linux, FreeBSD, OPNsense, pfSense 2.5) all wrong?

                It's a 5.0 GHz CPU with AES-NI, that is about 10 GbE of raw crypto, so I did say I found that strange in post #1... but instead of offering wisdom on that, you just say incorrect things like "don't run on a VM". hahahahhahahahahahahhahahahahahahahahahahahahahahah. so dumb

                elbuit

                  In March I did a similar test of pfSense and OPNsense in Proxmox, passing all AES-NI instructions through to the VM.
                  Both performed similarly and I got a maximum performance of 170 Mbps (iperf over VPN).

                  When I moved to a non-virtualized install, I got close to 1 Gbps.
                  That is the max I expected, because OpenVPN isn't a multithreaded server.

                  I don't know why the performance was that poor; I guess it doesn't use the AES-NI instructions, although I enabled it in the OpenVPN conf, system conf, cryptodev, ...

                  The good news is that both pfSense and OPNsense solved this.

                  dirtyfreebooter

                  I just don't get your logic here. I have no clue how you setup your VM or what hypervisor you were using, but maybe you setup your VMs incorrectly? I dunno.

                    I have tested 2 systems:

                    • Intel Xeon D-2146NT (3.0 GHz)
                    • Intel Xeon E-2278G (5.0 GHz)

                    Both times I tested these in isolation (nothing else is running on the systems, just set up specifically for the test).
                    Both times I tested a bare metal install and with Proxmox, and in all 4 cases (2 different systems * bare metal/VM), the results are exactly the same, whether run bare metal or run as a VM. pfSense 2.4.5-p1 is slower/different than pfSense 2.5, OPNsense, FreeBSD, Linux (Debian 10.6 / Ubuntu 20.04) in ALL cases. No matter the configuration.

                    So it's clear to me, people offering "advice" are not reading and understanding the results I posted. I still feel something funny is going on here, but pfSense in a VM does seem to be a problem... according to the direct evidence presented here.

                    heper

                    so what you are saying is that it's already fixed in a soon-to-be-released version?

                      dirtyfreebooter @heper

                      @heper said in OpenVPN performance tests don't match up:

                      so what you are saying is that it's already fixed in a soon-to-be-released version?

                        Yea, it does appear that the 2.5.0 nightly matches the output from all the other OSes. Is 2.5 coming soon? :)

                        heper

                        https://forum.netgate.com/topic/146195/pfsense-2-5-release-date-news/72#

                          dirtyfreebooter

                          So I got bored and built a few systems to test, all bare metal.

                          • X11SCL-IF (G5400)
                          • X11SCM-LN8F (Xeon E-2278G)
                          • A2SDi-4C-HLN4F (Atom C3558)
                          • X10SDV-2C-TLN2F (Xeon D 1508)
                          • X10SDV-6C-TLN4F (Xeon D 1528)

                          Turns out the G5400 is great: idles at 16 W (4 W is the Supermicro IPMI/BMC), 3.7 GHz is great for OpenVPN, AES-NI (no AVX or turbo boost), and for a homelab the 2c/4t is great and can handle all the things pfSense can possibly do.

                          Here is the thing. I think this OpenVPN test that the entire internet says to do

                          openvpn --genkey --secret /tmp/secret
                          time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
                          

                          is not correct, or accurate, or whatever. Not sure who came up with it, but it is not correct.

                          For example, on the G5400 cpu, the test shows 6.85 seconds, which translates to 3200 / 6.85 = 467 Mbps ... but I am sitting here with this machine in a test environment and running iperf3 through an actual OpenVPN tunnel and I am getting 800 Mbps ... and as high as 850 Mbps if I enabled fast-io and 512 KiB buffers.

                          So this internet-suggested OpenVPN quick performance test is totally bogus in my opinion, backed by testing 5 different setups. It was inaccurate for every one of those systems, most were off by more than 2x... I didn't expect it to be crazy accurate, but 467 Mbps vs 850 Mbps isn't something to base any decisions off of.

                            bingo600 @dirtyfreebooter

                            @dirtyfreebooter

                            Are you running those (slow tests) on the pfSense box?

                            AFAIK
                            The general recommendation for iperf and others is to generate the traffic on another node (than the pfSense).
                            pfSense is much faster at forwarding packets than generating them.

                            /Bingo

                              dirtyfreebooter @bingo600

                              @bingo600 TL;DR: iperf3 is never being run on pfSense.

                              The iperf3 tests are

                              i7-9800X (iperf client) -> WAN -> pfSense -> LAN -> i9-9900KF (iperf server)
                              

                              Also this is being done in an isolated environment, I setup this simple 3 machine environment without any other hardware, switches, etc. Just 3 machines, swapping the pfSense hardware, directly connecting with cat 6a ethernet cables.

                              To make sure everything is set up correctly, I also made a simple port forward to test firewall/forwarding speed, and every pfSense box I tested was able to forward at 1 Gbps (941 Mbit/s) before I involved OpenVPN at all. Then when I added OpenVPN, it is the same setup, but instead of going through the port forward (NAT), things are directly connected to an AES-256-GCM OpenVPN tunnel.

                                dirtyfreebooter

                                Doing more and more testing. Two systems now, both 1151-based. Both setups have the same memory, 32 GB (2 x 16 GB DDR4-2666 ECC UDIMM).

                                pfSense Hardware

                                • Supermicro 1019C-FHTN8 with Intel Xeon E-2278G (8c/16t, 3.4 GHz, 5.0 GHz turbo), idles at ~26 W
                                • Supermicro 505-203B / X11SCL-IF with Intel Pentium Gold G5400 (2c/4t, 3.7 GHz, no turbo), idles at ~16 W

                                Both systems have Intel I210 NICs, but I also tested an Intel X710-DA2 10G dual-port SFP+ NIC (on the LAN side only). The 1019C-FHTN8 is fun because it has 8 I210 NICs!


                                OpenVPN Clients

                                • i9-9900KF running Ubuntu 20.04
                                • i7-7800X running Ubuntu 20.04

                                Both clients are AIO water-cooled and slightly overclocked, so there should be no client-side bottlenecks with 1 Gbps links.

                                Testing Matrix

                                • pfSense 2.4.5-p1 vs pfSense 2.5.0-nightly
                                • VM vs Bare metal installs
                                • PCIe pass-through of NICs vs VirtIO

                                Again, in all cases, this OpenVPN test is totally bogus and is wildly off from real-world numbers.

                                openvpn --genkey --secret /tmp/secret
                                time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
                                

                                Observations

                                • Proxmox KVM adds about 10-20% overhead
                                • VirtIO NICs perform nearly identically to PCI pass-through at 1 Gbps (probably due to both CPUs being fairly powerful)
                                • pfSense 2.5 is about 4% faster than pfSense 2.4 in iperf3 tests
                                • OpenSSL could be used to compare:
                                  • openssl speed -elapsed -evp aes-256-gcm: the results of this test nearly matched the percentage differences between the iperf3 tests
                                • The X710-DA2 NIC adds about 4-5 W to each system's total idle power

                                Bare Metal Results

                                • Intel Xeon E-2278G throughput using OpenVPN with AES-256-GCM was ~810-850 Mbps
                                • Intel Pentium Gold G5400 throughput using OpenVPN with AES-256-GCM was ~760-800 Mbps

                                Before I sent back my Supermicro A2SDi-4C-HLN4F (Intel Atom C3558), I managed to do some quick testing.

                                Observations

                                • Idles at 22 W, but maxed out at 26 W, whereas the 1151 systems maxed out at 40 W and 110 W when the CPUs were loaded with stress-ng --matrix 0
                                • Under Proxmox as a guest, OpenVPN performed at nearly a 50% loss in total throughput using a simple iperf3 test

                                The C3558 was just not great in a hypervisor/guest situation, even though pfSense was the only guest on an otherwise idle system. I have no explanation, other than that it was repeatable and what I observed.

                                Conclusions

                                If you are using some embedded CPU like an Intel Atom, then a bare metal setup is the way to go. If you are using a fairly fast CPU, even the Pentium Gold series, it seems like for gigabit speeds on the firewall, the CPU is not the bottleneck. For OpenVPN itself, I was unable to achieve 1 Gbps AES-256-GCM even with the E-2278G @ 5 GHz.

                                The convenience of a VM, being able to easily snapshot the VM before a major upgrade, etc., probably outweighs the OpenVPN performance hit, plus the power savings if you are already running a Proxmox setup. I would love for pfSense with ZFS to support taking a snapshot of itself before an upgrade so you can easily roll back if it goes south. If you needed really serious OpenVPN performance, you probably wouldn't be doing it on your router anyway and would be using a VPN appliance.

                                I did not test any VLAN performance, which is all done on the CPU with pfSense, but I would imagine the VM overhead would exist there as well.

                                I have CenturyLink Fiber, so it uses PPPoE, and the FreeBSD bug (although pfSense won't call it a bug for some odd reason; it does not exist in Linux) basically only uses 1 of the WAN NIC's queues, so when testing outside of my lab and actually hooking this up to the internet, my overall speeds were even worse, given it's basically single-threaded now inside the kernel. Documented here, here, and here.

                                Thoughts

                                FreeBSD has become a toy compared to Linux over the past decade. The Linux device drivers, kernel, applications, etc all have eclipsed BSDs at this point and with nftables replacing iptables on Linux, I would love to see pfSense router based on Linux instead of FreeBSD :)

                                I also tested WireGuard on Debian 10.6 and Ubuntu 20.04, behind pfSense, and in each case WireGuard was easily able to achieve 1 Gbps. WireGuard is probably the future of VPNs at this point :)

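Added example (mine, not code from any poster in this thread): a POSIX sh harness for the quick `openvpn --test-crypto` benchmark that Pippin's 3200/0.34 calculation and dirtyfreebooter's later posts are arguing about. It times the test for several ciphers with `/usr/bin/time -p` (same output format on FreeBSD and Linux), applies the thread's own 3200/seconds rule of thumb, and, as dirtyfreebooter suggests, converts an `openssl speed -elapsed -evp aes-256-gcm` row to Mbps for comparison. Assumptions that are mine, not the thread's: the four-cipher list (the posted `openvpn_test.sh` output shows four timings but not which ciphers), the 1024-byte OpenSSL column, the 1-second OpenSSL run, and the OpenVPN 2.4 `--genkey --secret` syntax, which 2.5 still accepts with a deprecation warning.

```shell
#!/bin/sh
# Added example, not from the thread: harness for the "openvpn --test-crypto"
# quick benchmark plus an openssl speed figure for comparison. The 3200
# constant is the thread's rule of thumb; the cipher list, the 1024-byte
# openssl column and the 1-second openssl run are my assumptions.
set -u

# Rule of thumb used in the thread: estimated Mbps ~= 3200 / elapsed seconds.
estimate_mbps() {
    awk -v s="$1" 'BEGIN { if (s + 0 <= 0) exit 1; printf "%d\n", 3200 / s }'
}

# Pull the "real" value out of POSIX `time -p` output.
real_seconds() {
    awk '$1 == "real" { print $2 }'
}

# Convert one `openssl speed -evp <cipher>` result row to Mbps at a block size.
# openssl reports thousands of bytes per second; columns are 16 64 256 1024 8192 16384 bytes.
# $1 = the row, $2 = block size in bytes.
openssl_row_mbps() {
    printf '%s\n' "$1" | awk -v bs="$2" '
        BEGIN {
            n = split("16 64 256 1024 8192 16384", sizes, " ")
            for (i = 1; i <= n; i++) col[sizes[i]] = i + 1
        }
        {
            if (!(bs in col)) exit 1      # unknown block size: fail loudly
            c = col[bs]; v = $c
            sub(/k$/, "", v)              # strip the trailing "k"
            printf "%d\n", v * 8 / 1000   # thousands of bytes/s -> Mbps
        }'
}

# Time --test-crypto for one cipher and print "cipher seconds estimated_mbps".
quick_test() {
    secret=$1; cipher=$2
    secs=$( { /usr/bin/time -p openvpn --test-crypto --secret "$secret" --verb 0 \
              --tun-mtu 20000 --cipher "$cipher" >/dev/null; } 2>&1 | real_seconds )
    printf '%-12s %6s s  ~%5s Mbps\n' "$cipher" "$secs" "$(estimate_mbps "$secs")"
}

run_quick_tests() {
    secret=$(mktemp) || return 1
    # OpenVPN 2.4 syntax; 2.5 still accepts it (with a deprecation warning on stderr).
    openvpn --genkey --secret "$secret" >/dev/null 2>&1 || return 1
    for c in aes-128-gcm aes-256-gcm aes-128-cbc aes-256-cbc; do   # assumed cipher list
        quick_test "$secret" "$c"
    done
    rm -f "$secret"
    # Same primitive measured by OpenSSL alone, which the last post found tracked iperf3 differences.
    if command -v openssl >/dev/null 2>&1; then
        row=$(openssl speed -elapsed -seconds 1 -evp aes-256-gcm 2>/dev/null | awk 'tolower($1) == "aes-256-gcm"')
        [ -n "$row" ] && printf 'openssl aes-256-gcm @1024B: ~%s Mbps\n' "$(openssl_row_mbps "$row" 1024)"
    fi
}

# Only run the live benchmark when the tools are present; the helpers above work regardless.
if command -v openvpn >/dev/null 2>&1 && [ -x /usr/bin/time ]; then
    run_quick_tests
else
    echo "openvpn or /usr/bin/time not found; skipping live benchmark" >&2
fi
```

Run it on the firewall itself (`sh openvpn_quick_test.sh`), since `--test-crypto` only exercises the cipher, not the tun device or the NICs; the thread's point stands that a figure like 9411 Mbps from a 0.34 s run, or the 467 Mbps estimate on a box that pushes 800 Mbps through a real tunnel, says more about the benchmark than about the hardware, so treat the estimate as a sanity check and measure real throughput with iperf3 between hosts on either side of the tunnel.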
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.