Netgate Discussion Forum
    Openvpn slow even with cipher=none

    • mgiammarco2

      Hello,
      I have looked at this guide to improve OpenVPN performance:
      openvpn community

      I am using servers with Xeon CPU and AES-NI acceleration.
      After many experiments I was not able to go over 75/100 Mbit with iperf3.
      So I have chosen to completely disable cipher and auth.
      I was then really surprised to see that the OpenVPN in pfSense saturates a CPU core (100%) to do 75 Mbit of OpenVPN traffic WITHOUT encryption!
      On the same server I have installed Linux with OpenVPN and I was able to reach 700 Mbit without encryption and 500 with encryption. In both cases I have not saturated the CPU core.

      Can someone explain to me what the problem is?
      Thanks,
      Mario

      • genuine

        @mgiammarco2 It must be something with your configuration rules. I've been using pfSense for several years.
        For example, I have 4 tunnels for load balancing, HMAC 512, AES 256 GCM with AES-NI, and managed 800 to 900 mb/s at 20% CPU. I even have Suricata/pfBlockerNG enabled on every interface, so without it the CPU is even lower.
        So check your config, it has nothing to do with pfSense...

        • mgiammarco2 @genuine

          @genuine Sorry, but I have also tried on an empty firewall created just for that test.
          I have also tried different cloud providers (I cannot use a physical server because my office line is FTTC, 100 Mbit max).

          • jimp Rebel Alliance Developer Netgate

            You can tweak the Send/Receive Buffer options and try UDP Fast I/O to see how much of a boost you get there. Those help the most with performance on higher-end hardware/links.

            Though OpenVPN itself is going to be slower than IPsec/WireGuard due to its design. There is a lot of context switching going on to handle each OpenVPN packet.

            • genuine

              I don't see the problem. If it works on your Linux server at max speed then it must work with pfSense. Can you provide logs, pcaps, rules and so on? Because we are walking in the dark with less info.
              Just FYI, I suppose you know, but pfSense blocks everything, so for iperf you need to create rules to open the ports. High CPU can lead if you payload that port 😜

              • Pelle900

                Sorry to break open this thread again.

                Linux OpenVPN has the parameter --txqueuelen which does not exist in OpenVPN for BSD. Apparently it makes a lot of difference on long distance connections.

                BSD apparently has the parameter fixed to 50, I read somewhere else.

                https://serverfault.com/questions/686286/very-low-tcp-openvpn-throughput-100mbit-port-low-cpu-utilization

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.