Hardware for 200 Mbit/s via OpenVPN



  • Hello,

    I want to build my own pfSense firewall to have a reliable connection between my home network and my VPN provider.

    What is difficult about it is that I want to achieve around 200 Mbit/s over OpenVPN. Via the OpenVPN client I get these results, which is absolutely fine, but I want that speed for my whole network over pfSense.

    I guess I need a CPU which supports AES-NI. Could someone tell me a hardware setup which is able to achieve that speed?

    Regards,
    coolstorybro



  • What is difficult about it is that I want to achieve around 200 Mbit/s over OpenVPN.

    That is certainly a good throughput to want to achieve, but if on the other side your provider
    is sharing too many customers over one router or VPN endpoint, you can own the best hardware ever
    and you will still not receive even half of the 200 Mbit/s! So it is not really possible to tell you
    what you should buy if the bottleneck is then created on the other side.

    I guess I need a CPU which supports AES-NI,

    Or another crypto accelerator card supported by pfSense that is really able to deliver this VPN speed.

    What I want to say, in short: even the best equipment on your side cannot make up for the ISP side
    of this VPN connection if the bottleneck there is an overbooked router.



  • For your inspiration, my setup:

    I am using an OpenVPN (BF-CBC, 128-bit and no hardware crypto) connection to a VPN service provider and can utilize 100% of a 500/500 Mbit fiber connection.

    Setup:

    • Intel i3-2100 on bare metal

    • Created 2 concurrent gateways to my VPN service provider and created a new group (gateway) combining the two VPN connections. This is done because each VPN connection can deliver only up to a maximum of 300 Mbit.

    When running flat out (using both OpenVPN gateways to the VPN service provider) on 500 Mbit, CPU load is between 50% and 60%.



  • Not sure if anybody should be using 128-bit for encryption these days. 256-bit or higher is preferred. I am using AES-256-CBC, which is the best choice. Also make sure LZO compression is disabled, as there is a vulnerability.

    I am running a VM OpenVPN Access Server (commercial) at work with almost 100 users running 256-bit encryption, and that server is hardly breaking a sweat. I think the only concern is if all of my users are uploading / downloading at full bandwidth at 100Mb at the same time, which is hardly ever.


  • Netgate

    128-bit AES/BF is fine.