Hardware for 300Mbit/s VPN?



  • Hello everyone,

    I'm looking to set up a site-to-site VPN where all of the traffic from site A is routed through site B.

    Site A has a 300Mbit connection.

    Site B has Gigabit.

    What hardware would be ideal for this in a 1U form factor?

    Latency is important. I haven't decided which VPN technology to use yet (was thinking OpenVPN). I'd like to use a VPN solution that introduces the least amount of latency while still providing strong encryption (AES-256?). VoIP traffic will be passed over the VPN as well as other latency-sensitive traffic (games).

    Thanks!

    Thanks for any help!



  • @diablo266:

    Latency is important. I haven't decided which VPN technology to use yet (was thinking OpenVPN). I'd like to use a VPN solution that introduces the least amount of latency while still providing strong encryption (AES-256?). VoIP traffic will be passed over the VPN as well as other latency-sensitive traffic (games).

    Any CPU with AES-NI enabled is powerful enough for 300Mbit+ OpenVPN, as they are all recent x86 designs; as for how fast the clocks on a non-AES version would need to be, I'm not sure.
    I would also make sure the other end of the tunnel is fast enough for this, or are you in control of both sites?

    If you don't mind potential bleeding-edge motherboard support issues, the Haswell generation has enabled these instructions down to the i3 tier.



    Agree with above, AES is critical for VPN and OpenVPN support.

    So far no one has really done much testing on CPU speeds and AES performance, but I know one guy with a 3GHz AES-enabled Xeon CPU and he hits over 80ish meg with a 100meg line. Without VPN he hit 90s.

    With a Celeron 2.7GHz CPU he hit the same, however the CPU load was massive (95%); with the Xeon AES CPU, CPU use was 25-30%.

    I was going to be bold and try an AMD 1.5GHz CPU with AES (A4-500), but with my poor 8meg bb connection it's pointless to test if the CPU can peak or max out VPN speeds.

    My gut tells me any 1GHz+ CPU with AES should in theory hit 60-80meg at the very least on VPN/OpenVPN, but it's a pure guesstimate, so take with salt!



  • @Fevan:

    So far no one has really done much testing on CPU speeds and AES performance, but I know one guy with a 3GHz AES-enabled Xeon CPU and he hits over 80ish meg with a 100meg line. Without VPN he hit 90s.

    Here's a test, but I don't know how helpful it will be. I just ran a file transfer across an IPsec tunnel between one of my pfSense boxes (Xeon E3-1245 V2) and a Cisco ASA 5515-X IPS.

    Transfer rates held pretty steady at between 48-50MB/s (380-400Mbit/s) across the tunnel. This is actually above the rated VPN throughput on the Cisco (and even a bit above the firewall performance), so my bottleneck is likely there.

    "System" CPU usage was about 25% of two cores (3 & 4), and interrupt usage about 90% of one core (0). I need to look into that second bit, as interrupts shouldn't be that high and I would have expected them to spread across multiple cores a bit better.



    I think you are right, just about any CPU with AES should even hit 100meg+ bb speeds. I see people with 1.6GHz Atom single cores hitting 60-70meg bb speeds under pfSense OpenVPN, so in theory any CPU with AES should best it; even a 1GHz+ should in theory.

    If AES CPUs are hitting 25-35% CPU usage when the speeds are maxed under OpenVPN, that alone shows how much headroom there is for greater speeds :)



    So I read some other posts here, and apparently AES-NI is broken on FreeBSD right now? (Functionally works, but no real help for OpenVPN etc.)

    I guess I should be glad it will be a few years until I can get >80Mbit internet.


  • Rebel Alliance Developer Netgate

    AES-NI is broken on FreeBSD for things that need cryptodev support.

    If you do not load the AES-NI kernel module, OpenVPN will use OpenSSL's internal AES-NI code which is quite fast.

    I have had reports from a customer that they were able to push a sustained >600Mbit/s transfer over OpenVPN on hardware with AES-NI.


  • Netgate Administrator

    Any idea what sort of hardware is required for that Jim?

    Steve


  • Rebel Alliance Developer Netgate

    Not at the moment. I didn't get the CPU specs from him, but it was a brand new system installed in the last 2 months or so. I'd ping the customer but they're away for the holidays.



  • @jimp:

    AES-NI is broken on FreeBSD for things that need cryptodev support.

    If you do not load the AES-NI kernel module, OpenVPN will use OpenSSL's internal AES-NI code which is quite fast.

    I have had reports from a customer that they were able to push a sustained >600Mbit/s transfer over OpenVPN on hardware with AES-NI.

    AES-NI is not broken on FreeBSD. It's just that the modes which are implemented (in cryptodev) can't be effectively pipelined, and as a result, AES-NI is … hobbled on FreeBSD.

    However, the problem is now understood, and we're fixing it. You should be able to get 750-850 Mbps with the right hardware using IPsec tunnel mode. (In theory, AES-NI is good for 2Gbps per core, but using tunnel mode adds a few bytes to the packet, the encapsulation/decapsulation costs a few instructions, and that test was using a single-core processor and 1Gbps Ethernet interfaces.)

    With the right hardware ($$$), you should be able to run 20-50Gbps throughputs. 8) No, I did not stutter.
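The check that jimp's and gonzopancho's posts point at, whether the box's OpenSSL build is actually using AES-NI in userspace (the path OpenVPN takes when no AES-NI kernel module is loaded) and whether its AES-256 rate leaves headroom over the WAN link, can be scripted. This is an added example, not code from the thread, pfSense or Netgate. It assumes an x86 CPU, OpenSSL 1.1.0 or later (for the `-seconds` and `-bytes` options of `openssl speed`), and a 3x headroom factor that is my rule of thumb, not a figure anyone in the thread gave; `OPENSSL_ia32cap` is OpenSSL's own CPUID-mask environment variable, and the 1400-byte buffer size is a constructed, packet-sized choice.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether OpenSSL's userspace
# AES-256 path (the one OpenVPN uses when no AES-NI kernel module is loaded)
# is accelerated on this box, and whether it leaves headroom over the WAN rate.
# Usage: sh vpn_aes_check.sh 300     (link rate in Mbit/s)
# Assumes OpenSSL 1.1.0+ for `openssl speed -seconds N -bytes N`.

# First CPU feature line: /proc/cpuinfo on Linux, saved boot messages on FreeBSD.
cpu_flag_line() {
    if [ -r /proc/cpuinfo ]; then
        awk '/^flags/ { print; exit }' /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then
        awk '/Features2=/ { print; exit }' /var/run/dmesg.boot
    fi
}

# True if a feature line advertises AES-NI: Linux lists "aes" among the flags,
# FreeBSD lists "AESNI" inside Features2=<...>.
has_aesni_flag() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
        | grep -Eq '(^|[ ,<])aes(ni)?($|[ ,>])'
}

# Convert one `openssl speed` result line, e.g. "aes-256-cbc  125000.00k"
# (figures are in 1000s of bytes per second), to whole Mbit/s.
speed_line_to_mbit() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# Benchmark AES-256-CBC on 1400-byte buffers (roughly one packet's payload;
# constructed size). $1 is an optional OPENSSL_ia32cap mask: "~0x200000200000000"
# clears the AES-NI (bit 57) and PCLMULQDQ (bit 33) CPUID bits so OpenSSL falls
# back to software AES, which shows whether the hardware path was in use at all.
measure_aes256_mbit() {
    command -v openssl >/dev/null 2>&1 || return 1
    if [ -n "${1:-}" ]; then
        out=$(OPENSSL_ia32cap="$1" openssl speed -evp aes-256-cbc -seconds 2 -bytes 1400 2>/dev/null)
    else
        out=$(openssl speed -evp aes-256-cbc -seconds 2 -bytes 1400 2>/dev/null)
    fi
    line=$(printf '%s\n' "$out" | awk '/^aes-256-cbc/ { print; exit }')
    [ -n "$line" ] || return 1
    speed_line_to_mbit "$line"
}

# Headroom rule of thumb (my assumption, not a figure from the thread): the raw
# single-core cipher rate should be at least $3 (default 3) times the link rate,
# since encapsulation, interrupts and OpenVPN's own overhead eat into it.
headroom_ok() {
    [ "$1" -ge $(( $2 * ${3:-3} )) ]
}

main() {
    link=$1
    if has_aesni_flag "$(cpu_flag_line)"; then
        echo "CPU advertises AES-NI"
    else
        echo "CPU does not advertise AES-NI"
    fi
    with=$(measure_aes256_mbit "") || { echo "openssl speed failed (need OpenSSL 1.1.0+)" >&2; return 1; }
    without=$(measure_aes256_mbit "~0x200000200000000") || without=0
    echo "AES-256-CBC, 1400-byte buffers: ${with} Mbit/s normally, ${without} Mbit/s with AES-NI masked"
    if headroom_ok "$with" "$link"; then
        echo "OK: cipher throughput is at least 3x the ${link} Mbit/s link"
    else
        echo "WARN: under 3x headroom over the ${link} Mbit/s link; expect high CPU load or a lower tunnel rate"
    fi
}

# Only run when a link rate is given, so the functions can be sourced on their own.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

If the "normally" and "masked" figures come out the same, OpenSSL is not using AES-NI on that box (or the CPU has none), which is the situation the thread's cryptodev discussion is about; a large gap between the two is what jimp's "OpenSSL's internal AES-NI code" remark predicts. The figure is a one-core cipher rate, not a tunnel rate: as gonzopancho notes, tunnel-mode encapsulation and, as the IPsec test above shows, interrupt handling take their own share.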

