Is this performance to be expected?
-
Hello!
I've recently acquired this mini-pc/firewall and I'm very disappointed with its openVPN performance. My model has a Celeron J4125, 8 gigs and 125 GB SSD. My bandwidth is a 500/500 mbps fiber connection. When I run iperf from a computer from an external network (which has a 300/300 mbps fiber connection), these are my results:
But when I do file transfers through smb, the performance is worse and very unstable (120 mbps on average). If I use SFTP or WebDAV (HTTPS), I get close to reaching the connection limit (around 275 mbps) and it would probably go even higher if the network had more bandwidth.
The guys from Protectli have a mini-pc with the same processor (the VP2410) and they achieve much better results than me. I don't know if it's just a configuration issue or something else.
These are my pfSense settings:
- On System/Advanced/Miscellaneous I have tried None (default), AES-NI CPU-based acceleration and AES-NI and BSD Crypto Device. None seem to make much of a difference to be honest.
- These are my server settings. Bear in mind that I've tried several options (AES-128/256-GCM/CBC) and it did not make any noticeable difference. I've also tested different hardware crypto options and same thing; nothing changed substantially.
- And this is the export file for the Windows client (I've used the android file export and imported it into a Windows OpenVPN client).
Just for comparison, I also have an OpenVPN server inside a DS220+ Synology NAS with an Intel Celeron J4025 (2 GHz, 2 cores) and 2 GB of RAM and I manage to get around 230 mbps on average when doing samba file transfers.
Am I doing something wrong or is this the performance I should expect from this mini-pc? And why do samba file transfer speeds vary so much?
-
@s1l3nce are you testing iperf through pfSense or to it? Test through it.
What is the CPU usage on pfSense during the OpenVPN test?
-
@steveits Oh man... I forgot to mention that. My bad. It is an average of 14%.
I'm testing iperf between my NAS and the external computer, the NAS being the server.
-
@s1l3nce Are you running multiple parallel streams? That will be the -P option.
-
@michmoor Yep. That's why there are 2 entries from both sender and receiver and a SUM. I used -P2.
-
@s1l3nce said in Is this performance to be expected?:
But when I do file transfers through smb
That's the problem. SMB is lousy for anything other than the local LAN.
Your own testing shows that.
-
@jknott Yep, I'm aware. But why do you think the Synology NAS deals with it much better? What could be causing that difference in performance, even when the NAS has a weaker processor?
-
@s1l3nce Looks like it has 4 cores so 15% would be less than one. OpenVPN is single threaded as I recall. You could verify usage with "top" during the test.
I didn't dig through your settings but did you review
https://docs.netgate.com/pfsense/en/latest/recipes/index.html#openvpn
-
Sorry for my ignorance guys. I've just launched iperf with -P4 (4 threads) instead of -P2 and now I'm getting nearly 300 mbps (which is the connection cap) and 25% CPU usage, which means that I'm maxing out one core.
So that's definitely a relief but now I need to figure out why my smb transfers are so bad. If you have any tips on that, I'm all ears.
@steveits said in Is this performance to be expected?:
https://docs.netgate.com/pfsense/en/latest/recipes/index.html#openvpn
Yep, I did
-
@s1l3nce said in Is this performance to be expected?:
So that's definitely a relief but now I need to figure out why my smb transfers are so bad. If you have any tips on that, I'm all ears
I would avoid SMB transfers period.
What is the latency between the client and the server?
-
@michmoor said in Is this performance to be expected?:
What is the latency between the client and the server?
20ms and very stable.
I've just found something very interesting. When I do smb transfers between server and client, this happens:
- Client downloading a file from OpenVPN server
- Client uploading a file to OpenVPN server
I've also tried using WireGuard and the downloading was even worse than OpenVPN but the upload was the same; network capped.
- Client downloading a file from WireGuard server
- Client uploading a file to WireGuard server
I think I'm very close to finding the culprit. Thanks for the help and all the interest. Sharing all this stuff with you is helping me a lot.
Btw, just to clarify, this is a speed test on the network where the NAS is hosted. I said 500/500 mbps in the op because it's in my contract but for some reason I'm receiving 100 extra mbps. Not complaining.
And just to be sure that the NAS is not causing this issue, I've also downloaded files from a Windows machine inside the same network to the machine with the openVPN client and the download speeds were the same as from the NAS (around 15 Megabytes/s).
-
Tomorrow I will try to do the same test but with a client from a different network that also has a 600/600 mbps connection, because I'm starting to think that it could be an issue on the receiving end, meaning that maybe the client that I'm using right now has some issue with VPN downloads. I doubt this is the case but who knows...
I will update this post tomorrow with the results.
-
Ok, I've done some testing from this other client and the results are pretty much the same: uploads are great (400 mbps, which is the maximum that I can expect from my firewall's processor with AES-NI) and downloads are still poor (average of 150 mbps).
I've also tested doing FTP file transfers through VPN and I got the same results as with smb. So smb is not the issue.
So these are my findings so far:
- OpenVPN does not seem to be the problem: I've got even worse server upload with WireGuard.
- SMB is not the problem: FTP through VPN gives similar results.
- My server upload is not the problem: direct SFTP uploads (bypassing the VPN) are just fine.
- My firewall processor is not the problem: the CPU caps at 25% (one core at full usage) when the upload reaches about 400 mbps.
I'm really out of ideas now but at least I've discarded loads of things.
-
I still haven't figured out why this is happening. The only update I have is that I've also tested this on macOS using the official openVPN client and I had the same results: perfect upload speeds (to the server) and terrible download speeds (from the server).
I don't know what else to try at this point.
-
I know this topic is quite old but I just want to give a small update.
I ended up changing from OpenVPN to Wireguard. I managed to reach my maximum upload/download server speeds through Wireguard. So, even though it is more painful to configure each client, the performance increase makes a huge difference.
-
Here is my transfer performance using Wireguard
DOWNLOADING FROM SERVER (Server upload performance)
UPLOADING TO SERVER (Server download performance)
I'm very happy with these results.