Install / Upgrade OpenVPN/OpenSSL on pfsense 2.1.5 box. (vmware vm)



  • Hi,

    I'm still quite a newbie at pfsense, however I have been playing with the VPN possibilities available in pfsense, and I noticed an interesting behavior.
    My setup is the following:

    • I own a physical host with 2x Intel Xeon E5-2620v2 CPUs (with AES-NI support) in a datacenter in a different country than I am (for a couple of reasons).
    • On top of the physical box I run VMware ESXi 5.5 and also have a pfsense 2.1.5 x64 VM (2 vCPUs assigned to it) with a public IP assigned to it (this is my main firewall between the internet and the DMZ).
    • Additional info: at my home I have a 200 Mbit/s internet connection, which gets full bandwidth even between the two countries. Without VPN I can utilize the full bandwidth from the other country.

    What I test:

    • OpenVPN / IPsec VPN: I could make both work; however, the main reason I use VPN is to hide my torrent activities from my ISP, as here where I live it is a little bit dangerous to play with torrent stuff, and since I have my own box I'm not going to pay for other VPN providers.

    What is the problem:

    • After some tweaking of pfsense and my client I can achieve 10-12 MByte/s (approx. 100 Mbit/s) download speed over VPN regardless of the type of VPN, which for me is quite enough, but the problem is that it costs 90-95% CPU usage on my pfsense VM when only I am connected. Taking into account that I plan to extend the VPN to other parties, this amount of load would not be sustainable anymore.

    I have done some research and found out that my physical box's CPUs do have AES-NI support; I have enabled the cryptographic hardware in pfsense as well; VMware passes this on to the VM that needs it; and I also set it up in the OpenVPN options, but I suspect OpenVPN still does not take this into account. Why is that? As far as I checked, there are currently two different versions of the OpenSSL package available on pfsense: 0.9.8zb and 1.0.1i.

    The point is that the 0.9.8zb version DOES NOT support AES-NI at all (based on what I found on this topic), and I am afraid my OpenVPN (version 2.3.3) still uses the older version of OpenSSL by default instead of the newer one, which gives me only disadvantages and headaches.

    The questions:

    • Is there any way to work around / solve this and make OpenVPN use OpenSSL 1.0.1i?
    • Is there any way to upgrade OpenVPN to the newest version from the current 2.3.3?
    • Is there any way to remove the older OpenSSL package and make the entire system use the newer one?
    • If none of the above is possible, what other suggestions/options/etc. can I have?

    Thanks in advance!
    Leva



  • After some testing, I have installed a new VM acting as a VPN server with pfsense 2.2 beta.

    pfsense 2.2 has OpenVPN version 2.3.6 and OpenSSL 1.0.1i by default, therefore it finally utilizes the AES-NI feature, which reduces the CPU load by 45% on average, while I keep the 15 MByte/s download bandwidth over VPN.
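The two checks this thread turns on, which OpenSSL an OpenVPN build links against and whether that library actually uses AES-NI, as an added shell example that is not from the thread or from pfsense (it assumes a POSIX sh with sed and awk, an `openssl` binary for the speed test, and uses constructed sample `openvpn --version` outputs in place of the real boxes):

```shell
#!/bin/sh
# Added example (not from the thread): find out which OpenSSL an OpenVPN build
# links against and whether that library really benefits from AES-NI.
# Assumes POSIX sh with sed/awk; the speed test needs an openssl binary in PATH.

# Extract the OpenSSL version from `openvpn --version` output read on stdin.
# OpenVPN prints a line like "library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.06".
openssl_version_from_openvpn() {
  sed -n 's/.*library versions: OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Classify a version string: AES-NI went into OpenSSL's EVP cipher path with
# 1.0.1, so only a 1.0.1-or-newer library accelerates OpenVPN's data channel
# transparently; anything older is reported as "none".
openssl_aesni_class() {
  case "$1" in
    0.*|1.0.0*) echo none ;;
    *)          echo native ;;
  esac
}

# Benchmark AES-256-CBC with AES-NI on, then with it masked out for just this
# process (OPENSSL_ia32cap bit 57 is the CPUID AES-NI flag). A large gap means
# the library is using the instructions; near-identical numbers mean it is not.
aesni_speedup() {
  bin="${1:-openssl}"
  on=$("$bin" speed -evp aes-256-cbc 2>/dev/null | awk '/^aes-256-cbc/ {print $NF}')
  off=$(OPENSSL_ia32cap="~0x200000000000000" "$bin" speed -evp aes-256-cbc 2>/dev/null \
        | awk '/^aes-256-cbc/ {print $NF}')
  echo "aes-256-cbc, largest block size: aesni_on=$on aesni_off=$off"
}

# Constructed sample outputs standing in for the two builds discussed above.
SAMPLE_OLD='OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [IPv6]
library versions: OpenSSL 0.9.8zb 5 Aug 2014, LZO 2.06'
SAMPLE_NEW='OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [IPv6]
library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.08'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
  v=$(printf '%s\n' "$s" | openssl_version_from_openvpn)
  echo "OpenSSL $v -> AES-NI: $(openssl_aesni_class "$v")"
done
# On a real box: openvpn --version | openssl_version_from_openvpn ; aesni_speedup
```

The speed comparison takes about half a minute because `openssl speed` runs each block size for a few seconds twice.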

