Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ovpn with Qat - poor performance

    Scheduled Pinned Locked Moved General pfSense Questions
    9 Posts 4 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by

      I have a Netgate 6100 so QAT is enabled out the box. I’m using a privacy VPN. My provider offers wireguard or OpenVPN. Because I have Qat and using the supported ciphers I figured I would use ovpn. Speedtest results were pretty poor around 100Mbps down. My internet line is 500/500.
      Switching to Wireguard has shown it to be extremely performant having achieved 400-500Mbps down with very minimal cpu. The opposite of what I expected. I’m running latest firmware.

      Question is why is ovpn with QAT enabled not showing the same performance?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      M JonathanLeeJ 2 Replies Last reply Reply Quote 0
      • M
        mcury Rebel Alliance @michmoor
        last edited by

        @michmoor said in Ovpn with Qat - poor performance:

        Question is why is ovpn with QAT enabled not showing the same performance?

        For that to work, according to what I've been reading lately, you need to enable DCO.
        https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#cryptographic-thermal-hardware

        dead on arrival, nowhere to be found.

        M 1 Reply Last reply Reply Quote 1
        • M
          michmoor LAYER 8 Rebel Alliance @mcury
          last edited by

          @mcury Alright i'll give it a shot and report back.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          M 1 Reply Last reply Reply Quote 1
          • M
            mcury Rebel Alliance @michmoor
            last edited by mcury

            @michmoor said in Ovpn with Qat - poor performance:

            @mcury Alright i'll give it a shot and report back.

            I tried to use it but the OpenVPN server I'm connecting to requires some settings that are not compatible with DCO, so I had to disable it..

            DCO limitations

            dead on arrival, nowhere to be found.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Yes you need DCO to use QAT with OpenVPN.

              But note: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html#limitations

              Steve

              1 Reply Last reply Reply Quote 1
              • M
                michmoor LAYER 8 Rebel Alliance
                last edited by

                Update

                Switched over to DCO. The gains are there now. I see im approaching my bandwidth limit.
                The slight edge does go to wireguard tho but can confirm that enabling DCO improves speeds considerably.
                A few speed tests and im getting the following
                916f54be-0bfa-41b4-9ba0-296e9dbf0433-image.png

                Keep in mind prior to DCO i was pulling maybe 200Mbps so its roughly a 2x increase.

                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                Routing: Juniper, Arista, Cisco
                Switching: Juniper, Arista, Cisco
                Wireless: Unifi, Aruba IAP
                JNCIP,CCNP Enterprise

                1 Reply Last reply Reply Quote 3
                • JonathanLeeJ
                  JonathanLee @michmoor
                  last edited by

                  @michmoor

                  Have you enabled DOC in OpenVPN and turned on ipim and hardware cryptography in system ——> advanced —-> miscellaneous.

                  check to see if it’s working after a connection with command

                  vmstat see if interrupts increment.

                  Make sure to upvote

                  1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ
                    JonathanLee
                    last edited by

                    https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

                    The best help guide is in this

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 0
                    • JonathanLeeJ
                      JonathanLee
                      last edited by

                      What’s weird is my safexcel cipher chip shows id errors in 23.09.01 and no info. Like it’s having issues.

                      Make sure to upvote

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.