Q. Regarding OpenVPN client and CPU bottleneck



  • Hi I use to own an Asus RT-N16 router and connect to my VPN provider Mullvad,  use to max out around 8-9meg download speeds I hear this is due to the CPU speed of the router (480mhz).

    I was wondering what cpu should I get for pfsense which would allow me to push say 100meg broadband speeds ?

    I would hate to build a pfsense router build and get a cpu that could not cope ! Any ideas are welcome thx



  • Have you consulted the hardware requirements page?  -> https://doc.pfsense.org/index.php/Hardware_requirements

    I can tell you I'm running PFsense on old, leftover desktop hardware (P4-2.4 Ghz, 512 MB) and it handles my 100 Mbit business line just fine.  Honestly, any CPU that has been made in the last 8-10 years will be fine if you're on a budget.  If you have the money, go server class board and NIC's, but to just answer the question…. any CPU over 1 Ghz will push 100 Mbit, but that's not your only obstacle. You will also want hardware-based NIC's to sustain that kind of throughput.



  • marvosa:

    thanks for the reply,  but can I ask are your 100meg speeds going through OpenVPN client on pfsense ?



  • I haven't tested being connected as a client for site-to-site or VPN as WAN… but if I'm connected via roadwarrior and on a connection that can push 100 Mbit, it'll receive it @ 100 Mbit.  I only have 5 Mbit up, so I can't test how much I can push, but I suspect I wouldn't have any issues pushing 100 Mbit if I could.



  • Yeah this is the big question on my mind…. running through a internet connection is fine,  its once its encrypted thru a VPN service it kills the performance.

    I have asked on 3-4 different forums,  regarding the cpu and openvpn client use say under AirVPN or BolehVPN without much joy..

    I know from Asus/Netgear routers with DDWRT/opensource/tomato etc they tend to hit around 8meg max speeds or some say 12meg,  even with the latest routers with 800mhz,  which obviously is painful if you have say a 100meg line!

    Its that cpu performance holding it back I believe.

    Find it very strange not many people use VPN clients on pfsense with such VPN providers like Mulvad or Bolehvpn,  I think I may have to build my own pfsense router/mini pc and really test it out,  but it just involves plenty money and changing ISPs which is bit excessive to get the answer to something that may not work ;)



  • @Fevan:

    Yeah this is the big question on my mind…. running through a internet connection is fine,  its once its encrypted thru a VPN service it kills the performance.

    I have asked on 3-4 different forums,  regarding the cpu and openvpn client use say under AirVPN or BolehVPN without much joy..

    I know from Asus/Netgear routers with DDWRT/opensource/tomato etc they tend to hit around 8meg max speeds or some say 12meg,  even with the latest routers with 800mhz,  which obviously is painful if you have say a 100meg line!

    Its that cpu performance holding it back I believe.

    Find it very strange not many people use VPN clients on pfsense with such VPN providers like Mulvad or Bolehvpn,  I think I may have to build my own pfsense router/mini pc and really test it out,  but it just involves plenty money and changing ISPs which is bit excessive to get the answer to something that may not work ;)

    A $35 celeron G16x0 (2.x Ghz ivy bridge) won't even blink at 100mbps openvpn crypto.
    The challenge becomes building the rest of the box cheap and/or small. (mostly or)



  • I suspect I've already replied to you on SNB forums but here goes.

    You'll get by with just about any 2nd to 4th gen Core i series dual-core Celeron/ Pentium gunning above 2GHz as Aluminum mentioned.

    I do recommend getting an entry level Core i3 (IVB or Haswell) on an ITX setup because the graphics is better and you can re-purpose the rig in future for desktop or HTPC (Core i3 has Quicksync) uses.



  • thanks guys

    I am surprised a 2ghz celeron would do fine,  I found many low end to mid range intel cpus not supporting AES instructions so figured the cpu overhead would struggle at best to even cheap 20-30meg.  My VPN uses AES encryption also….

    DreamSlacker No escaping from yourself ;)

    I would have loved to find out if the R7000 really could muster up 100meg with an AES encrypted VPN provider,  which am still considering,  but yeah not sure the 1ghz could handle it,  if only openvpn supported dual cores that would help.



  • @Fevan:

    thanks guys

    I am surprised a 2ghz celeron would do fine,  I found many low end to mid range intel cpus not supporting AES instructions so figured the cpu overhead would struggle at best to even cheap 20-30meg.  My VPN uses AES encryption also….

    DreamSlacker No escaping from yourself ;)

    I would have loved to find out if the R7000 really could muster up 100meg with an AES encrypted VPN provider,  which am still considering,  but yeah not sure the 1ghz could handle it,  if only openvpn supported dual cores that would help.

    AES-NI is nice but from the various tests I've seen its only a ~3x real world improvement with openvpn versus a cpu without acceleration. (modern x86 cores, not crippled atoms or embedded arch)

    Just don't suffer yourself with an old atom to save money, they really aren't much cheaper than celerons/pentium builds, if at all.



  • @Fevan:

    thanks guys

    I am surprised a 2ghz celeron would do fine,  I found many low end to mid range intel cpus not supporting AES instructions so figured the cpu overhead would struggle at best to even cheap 20-30meg.  My VPN uses AES encryption also….

    DreamSlacker No escaping from yourself ;)

    I would have loved to find out if the R7000 really could muster up 100meg with an AES encrypted VPN provider,  which am still considering,  but yeah not sure the 1ghz could handle it,  if only openvpn supported dual cores that would help.

    It is extremely unlikely that the R7000 can do anywhere near that kind of throughput.

    Cryptographic speeds scale fairly linearly.  If the RT-N16 with a 480MHz core does 8-12Mbps for your VPN, the Netgear at 1GHz should give you results around double of that.



  • Aluminum: Yeah I agree I would not bother with atoms,  celerons @ 3ghz with 55watt can be had for cheap.  So can AMD dual core 4ghz cpus with 65watt similar prices also,  they would do well in a dedicated pfsense box I feel.

    Speaking of htpcs or future purposes,  I did have additional thoughts of combining Nas or download box to the pfsense box.
    But as one other thread from 2010 suggested,  best to keep it seperated :)

    dreamslacker:

    Yeah was thinking the same thing, from 500mhz to 1ghz I could expect 16-24meg max which is no good,  if one spends that much money…. perhaps a dedicated super router would be future proof + benefit if something goes wrong can be easily fixed be it software or hardware replacement/re-installation.  I think ill forget the R7000 for now,  even looking at Mikro routers none seem to hit more then 1.8ghz and atom type builds.

    But its nice to see a few others asking about VPN/OpenVPN performance with different builds at least.... can see my thoughts are not too far off !



  • Fevan:  If your VPN provider supports IPSEC, the RB1000 & RB1100 from Mikrotik have hardware cryptographic acceleration for AES.  They will do >100mbps throughput but the hardware acceleration only works for IPSEC.



  • Thx interesting to know,  I checked my VPN but no mention of IPSEC support it does support AES 256 though.

    Am going to give pfsense a go soon as I get the settings,  see if its what I would like to use more long term.


Log in to reply