Speed



  • I have a friend in another country who wants to watch football, so I am setting up a VPN server for him (to have a US IP address).  All this will be used for is streaming video, so the top priority is speed and the concern for security is low.

    My ISP caps my upstream at 4 Mbps.  It was ok last week, but the quality varied.

    I've enabled net.inet.ip.fastforwarding which I hope will help this week.

    My pfsense box is an Atom CPU D2500 @ 1.86GHz with 4gb of RAM.

    The client is a Mac with a really fast fiber connection.

    Any ideas to optimize for top speed?



  • You may play with the compression settings. You can switch on compression. If you switch compression on, more data will go through the line at the cost of CPU power. If bandwidth is the limiting factor, you may get a small boost if you switch it on. If your Atom CPU is the limiting factor, it's probably better to switch compression off.

    But don't expect too much bandwidth gain with compression, because the video stream is already compressed.

    If the CPU is the limiting factor, you may also switch from OpenVPN to IPsec, because OpenVPN takes place in userspace, and IPsec takes place in kernel space. It should go faster, at least on Linux; I guess FreeBSD behaves similarly.

    If you aren't concerned about security and just want your mate to get a US IP, think about a good old proxy server; it probably does the job and may be faster because it's simpler than a VPN.

    Also, maybe you should do a benchmark test of your upstream to check whether your ISP really provides you the promised 4 Mbps all the time. I don't know the situation in the US, but in Germany the ISPs do not always provide the speed they advertise.



  • If the CPU is the limiting factor, you may also switch from OpenVPN to IPsec, because OpenVPN takes place in userspace, and IPsec takes place in kernel space. It should go faster, at least on Linux; I guess FreeBSD behaves similarly.

    Just a small side question, is this comment still applicable?

    Back in 2009, that was all the rave about IPSEC over OpenVPN, but my impression today (and for the last few years) is that OpenVPN is at least on par performance-wise with IPSEC in the real world.  In addition it's definitely as robust and certainly easier to configure IMHO (YMMV).


  • LAYER 8 Global Moderator

    4mbps up – why don't you just get a vps for like $12 a year and have him use that as his vpn exit point.



  • @divsys:

    Back in 2009, that was all the rave about IPSEC over OpenVPN, but my impression today (and for the last few years) is that OpenVPN is at least on par performance-wise with IPSEC in the real world.

    I'm not sure if that is true on FreeBSD. I sadly never found the time to learn the internal principles of how the FreeBSD kernel works. I made the assumption that IPsec works on FreeBSD in a similar way to how it does on Linux. I'm not sure about that; maybe a FreeBSD user can help you with that question. On Linux, IPsec works in kernel space, while OpenVPN has to wrap the packets in an SSL layer in userspace. This is probably slower, but I haven't made any real-world benchmarks. Also, IPsec feels more native and almost every OS supports it out of the box.

    I think which one is easier to set up is a question of personal taste. I've read from many people who say IPsec is just so easy to set up. But more than once I had to fiddle around with the configs for several hours to get it to work properly. On the other hand, I always got OpenVPN to work immediately, and found the setup very straightforward, even behind NAT  :)


  • LAYER 8 Global Moderator

    While many OS support ipsec out of the box yes, good luck getting it to work in a road warrior sort of setup..  The protocol is mostly blocked when you're on some sort of hotspot like hotel or starbucks, etc.  Anything with nat really..  Sure if you're going to use it site to site on actual public ip space it's never an issue.

    I don't really see why the OP is messing with any sort of vpn connection when he only has 4mbps uplink..  He can get any lowend vps for cheaper than his time in setting it up on his home box..  And then during football games his bandwidth is crap while his buddy watches a game..

    Now if he had a nice fat pipe and wasn't using most of it anyway, ok - but 4mbps.. ouch….



  • @johnpoz:

    While many OS support ipsec out of the box yes, good luck getting it to work in a road warrior sort of setup..  The protocol is mostly blocked when you're on some sort of hotspot like hotel or starbucks, etc.

    I definitely agree on that, but IKEv2 fixes many of these "issues". I'm experimenting with an Android road warrior these days, and got very satisfactory results with my Android road warrior, even though it is behind NAT. I just haven't got the routing to the internet through the native VPN working, but I guess this is an Android issue and also not the subject of this topic.

    I also guess the CPU is not the bottleneck in this topic, but the Atom CPU used is not really the fastest. So the starter of this topic should maybe take a look at the CPU load, just to be sure that this is not the problem.


  • LAYER 8 Global Moderator

    I really don't think his cpu has anything to do with it.. 4mbps is going to be CRAP to stream video through.. And then add the overhead of vpn tunnel.. Good luck trying to use his own internet connection when the remote guy is watching a video.. If he does it's going to mess up the stream most likely..


  • LAYER 8 Netgate

    Any ideas to optimize for top speed?

    Yeah, get a faster connection. 4M is going to suck. Maybe your friend should just buy VPN service like everyone else.


  • LAYER 8 Global Moderator

    He could do that or just get a lowend vps (12-15$ a YEAR) and put openvpn-as on it in like 30 seconds, clickity clickity you have a vpn exit point wherever your vps is.

    Why does he even need a US ip, I would think he would want an outside the US IP since nfl.com streaming works for international.. Only the US is stuck with preseason and watching after the fact.. This is going to be his best option for best quality.. http://www.nfl.com/watch-nfl-live

    With NFL.com Game Pass you can watch every NFL game online[1] live or on demand in high definition. NFL.com Game Pass features DVR controls, multi-game viewing mode options, and many more enhanced features
    [1] Certain restrictions apply. NFL Game Pass is only available to users located outside the United States, Mexico, Bermuda, Antigua, the Bahamas, and any U.S. territories, possessions and commonwealths.
    [2] Additional blackout restrictions apply in Canada, the UK and Republic of Ireland. NFL Network access is not available in Canada



  • Thank you for all of the replies.  He said the quality was good after switching on the fastforwarding, which surprises me too, but he seems happy.

    The cpu doesn't seem to be an issue at all.  There is nobody around here that will sell me a faster upstream.  I hope Ting or someone like that will come here someday.

    This is for college sports, which they should sell internationally, but they don't, so he needs the US.

    Is this the type of vps you are talking about?  http://lowendbox.com  I thought about something like this before, but the ones I looked at were much more expensive.

    We started this way, because he was complaining about it and it dawned on me that it would be really easy to do with pfsense, so we could test it for free and go from there.

