Netgate Discussion Forum
    4200 real world "openvpn client" performance

    Category: Official Netgate® Hardware
    13 Posts, 2 Posters, 924 Views
    • mikek

      Sorry if this is a duplicate; I did a few searches and didn't find what I am looking for.

      Looking to replace my firewall hardware.
      It must be able to handle these requirements:

      • 1 Gb/s internet connection.
      • OpenVPN client to a public provider, "no DCO", 500 to 700 Mb/s throughput.
      • Second OpenVPN or IPsec client to a private network, +/- 300 Mb/s throughput. "Potential DCO enabled."

      I am also looking to replace the firewall hardware at 4 small business offices.
      It must be able to handle these requirements:

      • 500 Mb/s internet connection.
      • OpenVPN (DCO) or IPsec server for incoming connections from the other 3 offices.
      • OpenVPN (DCO) or IPsec client for connections to the other 3 offices.

      The question is this.
      There are "official" model 4200 stats for IPsec but nothing for OpenVPN with and without DCO. What real-world numbers are people seeing, and are there any tweaks that are needed to achieve them?

      If the 4200 cannot handle this, are there any recommendations?

      I appreciate any insight I can get before making a purchase and finding out it's not going to work.

      Thanks
      Mike

      • stephenw10 (Netgate Administrator) @mikek

        @mikek said in 4200 real world "openvpn client" performance:

        openvpn client to public provider "no DCO" 500 to 700mb throughput.

        Any particular reason you don't want to use DCO there? Does the provider not accept DCO-compatible ciphers?

        • mikek @stephenw10

          @stephenw10
          Nope, they don't. They provide WireGuard, but the pfSense implementation will not connect to it. My little travel router does. It would be nice to get a client that could use WireGuard for pfSense; then I know the 4200 would work!

          • stephenw10 (Netgate Administrator)

            What OpenVPN ciphers do they support then? AES-GCM is almost universal these days.

            Just to be clear, the client can run DCO without the server explicitly supporting it. It only has to use the ciphers DCO requires, which is a very restricted subset but also almost always supported.

            • mikek @stephenw10

              @stephenw10 said in 4200 real world "openvpn client" performance:

              What OpenVPN ciphers do they support then? A

              I was under the impression that both sides had to have some sort of setup for DCO to work. This is news!

              From their setup doc for pfSense:
              [image: screenshot of the provider's pfSense setup document]

              I am going to try and get a connection to work with DCO enabled. If so, I think I am going to go with 4 4200s and convert everything over to pfSense.

              Thanks
              Mike

              • stephenw10 (Netgate Administrator)

                Yup, as long as they support AES-GCM it should be fine. And yes, it can be enabled on the client or server side (or both); the other end doesn't have to do anything, nor will it even know the other side is using it.

                See: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html#limitations

                • mikek @stephenw10

                  @stephenw10

                  Not sure I understand this. It seems to be complaining that "comp-lzo no" is not supported because compression is not supported,
                  yet "comp-lzo no" disables compression, if I am not mistaken.

                  "Compression is not supported with DCO. The GUI disables compression options when DCO is enabled for an instance, but for a client instance the server could still push a compression option which would make the client fail to pass traffic."

                  What the logs say:

                  PUSH: Received control message:

                  'PUSH_REPLY
                  ,explicit-exit-notify 2
                  ,comp-lzo no
                  ,sndbuf 524288
                  ,rcvbuf 524288
                  ,redirect-gateway def1
                  ,dhcp-option DISABLE-NBT
                  ,dhcp-option DNS 10.35.53.1
                  ,dhcp-option DNS 10.35.53.2
                  ,route-gateway 10.35.14.1
                  ,topology subnet
                  ,ping 20
                  ,ping-restart 60
                  ,ifconfig 10.35.14.34 255.255.254.0
                  ,peer-id 64
                  ,cipher AES-256-GCM'

                  Jul 31 08:57:13 openvpn 32580 Failed to open tun/tap interface
                  Jul 31 08:57:13 openvpn 32580 ERROR: Failed to apply push options
                  Jul 31 08:57:13 openvpn 32580 OPTIONS ERROR: server pushed compression settings that are not allowed and will result in a non-working connection. See also allow-compression in the manual.
                  Jul 31 08:57:13 openvpn 32580 Compression or compression stub framing is not allowed since data-channel offloading is enabled.
                  Jul 31 08:57:13 openvpn 32580 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
                  Jul 31 08:57:13 openvpn 32580 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
                  Jul 31 08:57:13 openvpn 32580 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
                  Jul 31 08:57:13 openvpn 32580 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])

                  Any way around this?

                  • stephenw10 (Netgate Administrator)

                    Hmm, interesting. Let me see....

                    • stephenw10 (Netgate Administrator)

                      OK, try adding this in the custom options field:
                      pull-filter ignore "comp-lzo"

                      That is allowed for me here.

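The failure mode in this thread (a DCO-enabled client accepting a PUSH_REPLY that carries a compression option, even "comp-lzo no") is easy to pre-check from the client log before touching the config. The script below is an added example, not code from the forum thread, pfSense or OpenVPN: it parses a PUSH_REPLY as OpenVPN logs it, reports whether the pushed cipher is one DCO can offload, lists any compression options the server pushed, and prints the matching `pull-filter ignore` lines. Assumptions, labelled in the code: the DCO cipher set (AES-GCM variants and CHACHA20-POLY1305) follows the OpenVPN DCO documentation as I understand it, and the sample log is constructed, modelled on the one posted above. It checks what the server pushes, not what it actually sends on the data channel, so it cannot rule out the one-direction compression suspected later in the thread.

```python
"""Check an OpenVPN PUSH_REPLY for options that break a DCO-enabled client.

Added example, not from the Netgate forum thread, pfSense or OpenVPN.
"""
import re

# Assumption: the ciphers the DCO kernel module can offload, per OpenVPN docs.
DCO_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Any of these pushed by the server negotiates compression framing, which DCO
# refuses even when the argument is "no" (see the thread's log).
COMPRESSION_OPTIONS = ("comp-lzo", "compress")

# Constructed sample log, modelled on the PUSH_REPLY quoted in the thread.
SAMPLE_LOG = """PUSH: Received control message:

'PUSH_REPLY
,explicit-exit-notify 2
,comp-lzo no
,sndbuf 524288
,rcvbuf 524288
,redirect-gateway def1
,dhcp-option DNS 10.35.53.1
,route-gateway 10.35.14.1
,topology subnet
,ifconfig 10.35.14.34 255.255.254.0
,peer-id 64
,cipher AES-256-GCM'
"""


def parse_push_reply(log_text):
    """Return the pushed options as a list of (name, argument-string) pairs.

    OpenVPN logs the reply as one quoted, comma-separated string; pfSense's log
    viewer may wrap it across lines, so lines are stripped and re-joined first.
    """
    body = "".join(line.strip() for line in log_text.splitlines())
    match = re.search(r"'PUSH_REPLY(.*?)'", body)
    if not match:
        raise ValueError("no PUSH_REPLY found in log text")
    options = []
    for item in match.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        name, _, args = item.partition(" ")
        options.append((name, args))
    return options


def check_dco_compat(options):
    """Flag pushed options that a DCO-enabled client will reject.

    Returns the negotiated cipher, whether DCO can offload it, the compression
    options the server pushed, pull-filter lines that discard them on the
    client, and an overall verdict.
    """
    cipher = next((args for name, args in options if name == "cipher"), None)
    compression = [(n, a) for n, a in options if n in COMPRESSION_OPTIONS]
    # One filter per option name, order preserved, duplicates dropped.
    pull_filters = list(dict.fromkeys(
        f'pull-filter ignore "{name}"' for name, _ in compression))
    cipher_ok = cipher in DCO_CIPHERS
    return {
        "cipher": cipher,
        "cipher_ok": cipher_ok,
        "compression_pushed": compression,
        "pull_filters": pull_filters,
        "dco_ok": cipher_ok and not compression,
    }


if __name__ == "__main__":
    report = check_dco_compat(parse_push_reply(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["pull_filters"]:
        print("Add to the client's custom options:")
        print("\n".join(report["pull_filters"]))
```

Run it against a log where the cipher is AES-256-CBC and the verdict flips on `cipher_ok` instead: that is the case where no pull-filter helps and the provider would have to offer an AEAD cipher. The pull-filter only stops the client from applying the pushed option; it does not change what the server does with the data channel.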
                      • mikek @stephenw10

                        @stephenw10
                        That allowed a successful connection. I seem to have some other issue: sending packets but not getting responses. I will look into that and see what I can figure out.

                        This is awesome if I get it working.

                        thanks
                        Mike

                        • stephenw10 (Netgate Administrator)

                          Do you see any incoming traffic at all? It could be the server side is using compression in one direction.

                          • mikek @stephenw10

                            @stephenw10
                            Nothing, but I am not ruling out me having something jacked up at this point.
                            This weekend I will set it to factory default and configure one step at a time; if it still doesn't work, I'm going to call them and see if your suspicions are correct.

                            thanks for all the help
                            Mike

                            • mikek @mikek

                              @mikek
                              A complete rebuild did not lead to a better result. I have a support case with my provider that is not really progressing either. Looks like for the immediate future DCO is not available.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.