4. OpenVPN Througput: What to Buy? Intel Atom or Alix hardware crypto?

OpenVPN Througput: What to Buy? Intel Atom or Alix hardware crypto?

  • J

    Hello there,

    I've got kind of a problem with determing the way to go and hope for some suggestions. I've been running an Alix 2D3 since two years with great success. Lately I've switched to cable with 64 Mbit/sec down, 5 Mbit/sec up. Now, I'm planning to tunnel my whole traffic through a tunnel (to get a static IP) to a server I control. I've got the whole OpenVPN stuff setup and ready to go, but:

    • Alix 2D3 only gets me whopping 14 Mbit/sec down, 5 Mbit/sec up when using AES-128-CBC, UDP-Tunnel, OpenBSD 4.6
    • My Homeserver (Intel E2140) gets me order of magnitude more, but only with 80% CPU utilization

    So what I'm now looking for is a permanent and easy to maintain router solution (hence I'm here) that can easily saturate my cable connection without adding too much latency.

    I've come across two feasible (I'm a poor student!) solutions:

    1.) Add a vpn1411 to the mix
    I've read all I could find about OpenVPN on OpenBSD/FreeBSD and this little beast. But the comments here and on the net and the vendor specification differ. They say it can sustain 210 Mbit/sec plus, the "net" says it's more in the range of 45 Mbit/sec. So could it improve the situation to a point where it's near 64 Mbit/sec down or shouldn't I expect anything above 45 Mbit/sec?

    2.) Throw away the ALIX and go for an Intel Atom D510
    This would be a software only solution, but I couldn't find ANY experiences with this processor and pfSense+OpenVPN throughput. Do any of you guys have experience with it?

    If you should have any nice hacks to push the Alix 2D3 to 64 Mbit/sec without any of the above, I'd like to hear it. I've been benchmarking around with all kinds of options from MSS/MTU to different ciphers.

    btw: the server is not limiting, it's 30% utilized when running at 100Mbit/sec AES-256-CBC, UDP-Tunnel.

    Thank you in advance and

    Greets

    0
  • Rebel Alliance Developer Netgate

    If you put "device cryptodev;" in the OpenVPN custom options you might get a little more throughput, but it won't top 20Mbit.

    I think even with a VPN1411 it still won't get much over 34Mbit.

    Atom should get much higher.

    0
  • J

    Hello jimp,

    thank you, that did shed a little light on my question.

    Any suggestions for what Atom to opt?

    Greets

    0
  • Rebel Alliance Developer Netgate

    For performance, go for an atom d510. There are plenty of boards out there, try to get one with Intel network cards.

    0
  • J

    Hello,

    ssooooo, I bought the VPN1411 and it did … nothing. At least not to the OpenVPN througput, using any Engine my OpenBSD offered (cryptodev too).

    I will test a little more, but I guess now it's an Atom I have to go for. What a shame.

    Greets

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy