OpenVPN slow even with cipher=none
I have looked at this guide to improve OpenVPN performance:
I am using servers with a Xeon CPU and AES-NI acceleration.
After many experiments I was not able to go over 75/100 Mbit with iperf3.
So I chose to completely disable cipher and auth.
I was then really surprised to see that OpenVPN in pfSense saturates a CPU core (100%) to do 75 Mbit of OpenVPN traffic WITHOUT encryption!
On the same server I installed Linux with OpenVPN and was able to reach 700 Mbit without encryption and 500 with encryption. In neither case did I saturate the CPU core.
Can someone explain to me what the problem is?
@mgiammarco2 It must be something in your configuration rules; I've been using pfSense for several years.
For example, I have 4 tunnels for load balancing, HMAC 512, AES 256 GCM with AES-NI, and manage 800 to 900 Mb/s at 20% CPU, even with Suricata/pfBlockerNG enabled on every interface, so without them the CPU is even lower.
So check your config; it's nothing to do with pfSense...
@genuine Sorry, but I have also tried on an empty firewall created just for that test.
I have also tried different cloud providers (I cannot use a physical server because my office line is FTTC, 100 Mbit max).
You can tweak the Send/Receive Buffer options and try UDP Fast I/O to see how much of a boost you get there. Those help the most with performance on higher-end hardware/links.
Though OpenVPN itself is going to be slower than IPsec/WireGuard due to its design. There is a lot of context switching going on to handle each OpenVPN packet.
I don't see the problem. If it works on your Linux server at max speed then it must work with pfSense. Can you provide logs, pcaps, rules and so on, because we are walking in the dark with so little info.
Just FYI, I suppose you know, but pfSense blocks everything, so for iperf you need to create rules to open the ports. High CPU can result if you payload that port.
Sorry to break open this thread again.
Linux OpenVPN has the parameter --txqueuelen, which does not exist in OpenVPN for BSD. Apparently it makes a lot of difference on long-distance connections.
BSD apparently has the parameter fixed to 50, I read somewhere else.
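For readers who want to see where the tuning knobs named in the two replies above (Send/Receive Buffer and UDP Fast I/O, and the Linux-only txqueuelen) live in a plain OpenVPN configuration, here is an added example server config. It is not from this thread or from the pfSense project: it assumes a Linux OpenVPN 2.4+ server on UDP, and the buffer and queue sizes are illustrative values to start measuring from, not recommendations from the thread. On pfSense the first two map to the GUI fields the reply names, while txqueuelen is unavailable there, as the last post says.

```conf
# Added example (not from the thread): OpenVPN server config showing the
# directives behind the tuning options discussed above.
# Assumption: Linux server, OpenVPN 2.4 or newer, UDP transport.
proto udp
port 1194
dev tun

# Keep the data channel encrypted; "cipher none" is a diagnostic only.
cipher AES-256-GCM
auth SHA512

# "Send/Receive Buffer" in the pfSense GUI corresponds to sndbuf/rcvbuf
# (socket buffer size in bytes). Both tunnel ends should agree, so the
# server pushes the same values to clients. 512 KiB is an illustrative size.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

# "UDP Fast I/O" in the pfSense GUI corresponds to fast-io (UDP only).
fast-io

# Linux only: length of the tun interface transmit queue. Per the last
# post, this directive does not exist in the BSD build used by pfSense.
txqueuelen 1000
```

Change one setting at a time and re-run the same iperf3 test after each, so the effect of each directive on throughput and CPU load can be attributed; with cipher and auth left enabled the comparison also reflects the configuration you would actually run.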