Netgate Discussion Forum
    OpenVPN benchmark in pfSense 2.2

    • cyberfinn

      Hey
      I'm running some benchmark tests using pfSense 2.2, but can't get the performance I expected.

      Setup:    PC1 (192.168.100.23)    <-->    (WAN: 192.168.100.200) pfSense (LAN: 192.168.1.1)    <-->    PC2 (192.168.1.100)

      Tunnel without any encryption:

      iperf.exe -c 192.168.1.100 -w 130k -P 5
      ------------------------------------------------------------
      Client connecting to 192.168.1.100, TCP port 5001
      TCP window size:  130 KByte

      [  7] local 192.168.3.6 port 49533 connected with 192.168.1.100 port 5001
      [  6] local 192.168.3.6 port 49532 connected with 192.168.1.100 port 5001
      [  4] local 192.168.3.6 port 49530 connected with 192.168.1.100 port 5001
      [  3] local 192.168.3.6 port 49529 connected with 192.168.1.100 port 5001
      [  5] local 192.168.3.6 port 49531 connected with 192.168.1.100 port 5001
      [ ID] Interval      Transfer    Bandwidth
      [  7]  0.0-10.0 sec  65.9 MBytes  55.2 Mbits/sec
      [  6]  0.0-10.0 sec  65.9 MBytes  55.2 Mbits/sec
      [  4]  0.0-10.0 sec  66.0 MBytes  55.2 Mbits/sec
      [  3]  0.0-10.0 sec  66.0 MBytes  55.1 Mbits/sec
      [  5]  0.0-10.0 sec  66.0 MBytes  55.2 Mbits/sec
      [SUM]  0.0-10.0 sec  330 MBytes  276 Mbits/sec

      Tunnel with aes-128-cbc:

      iperf.exe -c 192.168.1.100 -P 5 -w 130k
      ------------------------------------------------------------
      Client connecting to 192.168.1.100, TCP port 5001
      TCP window size:  130 KByte

      [  7] local 192.168.3.6 port 50283 connected with 192.168.1.100 port 5001
      [  5] local 192.168.3.6 port 50281 connected with 192.168.1.100 port 5001
      [  6] local 192.168.3.6 port 50282 connected with 192.168.1.100 port 5001
      [  3] local 192.168.3.6 port 50279 connected with 192.168.1.100 port 5001
      [  4] local 192.168.3.6 port 50280 connected with 192.168.1.100 port 5001
      [ ID] Interval      Transfer    Bandwidth
      [  7]  0.0-10.0 sec  38.2 MBytes  32.0 Mbits/sec
      [  6]  0.0-10.0 sec  38.4 MBytes  32.0 Mbits/sec
      [  3]  0.0-10.0 sec  38.4 MBytes  32.0 Mbits/sec
      [  4]  0.0-10.1 sec  38.2 MBytes  31.9 Mbits/sec
      [  5]  0.0-10.1 sec  38.4 MBytes  32.0 Mbits/sec
      [SUM]  0.0-10.1 sec  192 MBytes  160 Mbits/sec

      Port forwarded port 5001 from WAN to LAN as :

      iperf.exe -c 192.168.100.37 -P 5 -w 130k
      ------------------------------------------------------------
      Client connecting to 192.168.100.37, TCP port 5001
      TCP window size:  130 KByte

      [  3] local 192.168.100.23 port 50310 connected with 192.168.100.200 port 5001
      [  6] local 192.168.100.23 port 50313 connected with 192.168.100.200 port 5001
      [  4] local 192.168.100.23 port 50311 connected with 192.168.100.200 port 5001
      [  5] local 192.168.100.23 port 50312 connected with 192.168.100.200 port 5001
      [  7] local 192.168.100.23 port 50314 connected with 192.168.100.200 port 5001
      [ ID] Interval      Transfer    Bandwidth
      [  6]  0.0-10.0 sec  222 MBytes  187 Mbits/sec
      [  4]  0.0-10.0 sec  227 MBytes  191 Mbits/sec
      [  5]  0.0-10.0 sec  222 MBytes  186 Mbits/sec
      [  7]  0.0-10.0 sec  222 MBytes  186 Mbits/sec
      [  3]  0.0-10.0 sec  228 MBytes  191 Mbits/sec
      [SUM]  0.0-10.0 sec  1.09 GBytes  939 Mbits/sec

      Why can I only get 276 Mbits/sec via the tunnel running without encryption? I was expecting more.

      All network running 1 Gbit
      Hardware: Super Micro A1SRi-2758F, 16 GB ECC, 120 GB SSD.

      • heper

        I think that's about as good as it gets until the people at OpenVPN enable AES-NI or QuickAssist on FreeBSD. Why did you expect more?
        Did you enable AES-NI in System: Advanced: Miscellaneous: Cryptographic Hardware?

        @cmb:

        AES-NI has little to no effect on AES-CBC. Its benefit comes with AES-GCM, which is supported by IPsec (and tested to increase its maximum throughput around 4-5 times over, up to near 2 Gbps with the packet filter enabled). OpenVPN doesn't yet offer AES-GCM support, though it's coming in a future release.

        @jbfuzier:

        From my experience, AESNI does improve AES-CBC encryption a lot.

        With AESNI enabled, my NUC is reaching 350MB/s in openssl aes128CBC benchmark.

        It works fine for me in 2.2, in previous versions you had to make sure that aesni.ko does not get loaded otherwise you got very poor performance and high CPU load.

        You can try an openssl benchmark to test if it is working properly (openssl speed -evp aes-128-cbc)

        In my openvpn config I did not select any hardware acceleration, it seems openssl is just using aesni fine on its own.

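The `openssl speed -evp aes-128-cbc` check mentioned in the post above, turned into a before/after comparison. This is an added example, not part of the original thread: it runs the benchmark once normally and once with the AES-NI CPU capability bits hidden from OpenSSL through the `OPENSSL_ia32cap` environment variable. The function names and the choice of the 1024-byte column (the block size closest to a typical tunnel packet) are assumptions of this example.

```shell
#!/bin/sh
# Added example: does OpenSSL's EVP AES-128-CBC path actually use AES-NI here?
CIPHER="aes-128-cbc"
# OPENSSL_ia32cap mask that hides the AES-NI and PCLMULQDQ CPUID bits from OpenSSL.
NO_AESNI_MASK="~0x200000200000000"

# Read `openssl speed` output on stdin and print the 1024-byte column
# (in 1000s of bytes per second) from the result row for cipher $1.
# The row label is matched case-insensitively because its case varies by version.
speed_1k() {
    awk -v c="$1" '
        tolower($1) == tolower(c) && $5 ~ /k$/ { sub(/k$/, "", $5); v = $5 }
        END { if (v == "") exit 1; print v }'
}

# Print accelerated/unaccelerated throughput as a ratio with one decimal.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b <= 0) exit 1; printf "%.1f\n", a / b }'
}

# Run the benchmark twice and report both figures plus the ratio.
run_compare() {
    with=$(openssl speed -evp "$CIPHER" 2>/dev/null | speed_1k "$CIPHER") || return 1
    without=$(OPENSSL_ia32cap="$NO_AESNI_MASK" openssl speed -evp "$CIPHER" 2>/dev/null \
        | speed_1k "$CIPHER") || return 1
    echo "default:       ${with}k bytes/s"
    echo "AES-NI masked: ${without}k bytes/s"
    echo "speedup:       $(speedup "$with" "$without")x"
}

# The live comparison only runs when asked for: sh aesni_check.sh run
if [ "${1:-}" = "run" ]; then
    run_compare
fi
```

A ratio close to 1.0 means the default run is not getting hardware acceleration. Note that `openssl speed` measures one thread of raw cipher throughput, so it is an upper bound for the crypto step and not a prediction of tunnel throughput.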
        • BoMbY

          You can select the "BSD cryptodev engine" for OpenVPN in pfSense, which should support AES-128-CBC with AES-NI, or not?

          Edit: OpenVPN is probably only using a single core/thread per process, though.
