4200 real world "openvpn client" performance

mikek

Sorry if this is a duplicate, I did a few searches and didn't find what i am looking for.

looking to replace my firewall hardware,
must be able to handle these requirements:

• 1gb internet connection.
• openvpn client to public provider "no DCO" 500 to 700mb throughput.
• second openvpn or ipsec client to private network. +- 300mb throughput. "potential DCO enabled"

i am also looking to replace firewall hardware on 4 small business offices.
must be able to handle these requirements:

• 500mb internet connection.
• openvpn (dco) or ipsec server for incoming connections from the other 3 offices
• openvpn (dco) or ipsec client for connection to the other 3 offices.

The question is this.
There are "official" model 4200 stats for IPSEC but nothing for openvpn with and without DCO. What real world numbers are people seeing. and are there any tweaks that are needed to achieve them.

If the 4200 cannot handle this, are there any recommendations?

appreciate any insight i can get before making a purchase and finding out it's not going to work.

Thanks
Mike

stephenw10

@mikek said in 4200 real world "openvpn client" performance:

openvpn client to public provider "no DCO" 500 to 700mb throughput.

Any particular reason you don't want to use DCO there? Provider doesn't accept DCO compatible ciphers?

mikek

@stephenw10
nope they don't, they provide wireguard, but pfsense implementation will not connect to it. my little travel router does. be nice to get a client that could use wireguard for pfsense. then i know the 4200 would work!

stephenw10

What OpenVPN ciphers do they support then? AES-GCM is almost universal these days.

Just to be clear the client can run DCO without the server explicitly supporting it. It only has to use the the ciphers DCO requires; which is a very restricted subset but also almost always supported.

mikek

@stephenw10 said in 4200 real world "openvpn client" performance:

What OpenVPN ciphers do they support then? A

I was under the impression that both sides had to have some sort of setup for DCO to work. this is news!

from their setup doc for pfsense:

i am going to try and get a connection to work with DCO enabled. if so, think i am going to go with 4 4200 and convert everything over to pfsense.

Thanks
Mike

stephenw10

Yup as long as they support AES-GCM it should fine. And yes it can be enabled on client or server side (or both) and the other end doesn't have to do anything. Or will even know the other side is using it.

See: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html#limitations

mikek

@stephenw10

Not sure i understand this. it seems to be complaining that "comp-lzo no" is not supported because compression is not supported.
yet "comp-lzo no" disabled compression if i am not mistaken.

"Compression is not supported with DCO. The GUI disables compression options when DCO is enabled for an instance, but for a client instance the server could still push a compression option which would make the client fail to pass traffic."

what the logs say:

PUSH: Received control message:

'PUSH_REPLY
,explicit-exit-notify 2
,comp-lzo no
,sndbuf 524288
,rcvbuf 524288
,redirect-gateway def1
,dhcp-option DISABLE-NBT
,dhcp-option DNS 10.35.53.1
,dhcp-option DNS 10.35.53.2
,route-gateway 10.35.14.1
,topology subnet
,ping 20
,ping-restart 60
,ifconfig 10.35.14.34 255.255.254.0
,peer-id 64
,cipher AES-256-GCM'

Jul 31 08:57:13 openvpn 32580 Failed to open tun/tap interface
Jul 31 08:57:13 openvpn 32580 ERROR: Failed to apply push options
Jul 31 08:57:13 openvpn 32580 OPTIONS ERROR: server pushed compression settings that are not allowed and will result in a non-working connection. See also allow-compression in the manual.
Jul 31 08:57:13 openvpn 32580 Compression or compression stub framing is not allowed since data-channel offloading is enabled.
Jul 31 08:57:13 openvpn 32580 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jul 31 08:57:13 openvpn 32580 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jul 31 08:57:13 openvpn 32580 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jul 31 08:57:13 openvpn 32580 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])

any way around this?

stephenw10

Hmm, interesting. Let me see....

stephenw10

Ok try adding in the custom options field:
pull-filter ignore "comp-lzo"

That is allowed for me here.

mikek

@stephenw10
That allowed successful connection. Seem to have some other issue. sending packets but not getting responses. I will look into that see what i can figure out.

this is awesome if i get it working.

thanks
Mike

stephenw10

Do you see any incoming traffic at all? It could be the server side is using compression in one direction.

mikek

@stephenw10
nothing, but I am not ruling out me having something jacked up at this point.
This weekend I will set to factory default and configure one step at a time, if it still doesn't work, going to call them and see if your suspicions are correct.

thanks for all the help
Mike

mikek

@mikek
complete rebuild did not lead to a better result. have a support case with my provider that is not really progressing either. looks like for the immediate future DCO is not available.