Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    What makes the 32-bit version 2.1.5 the fastest openvpn performer?

    Scheduled Pinned Locked Moved General pfSense Questions
    8 Posts 4 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T Offline
      tigs
      last edited by

      I have a supermicro C2758 board, and Private internet access as my VPN provider. I have tested exptensively, and this version of pfsense is better by a large margin.

      I have tested:

      pfsense 2.2.5 64-bit
      pfsense 2.2.6 64-bit
      pfsense 2.3 beta nightly build 64-bit

      opnsense 1.1.6 64 bit

      DD-WRT, Dec 2015 build 64-bit

      Vyos 1.1.6 64-bit

      These were all in the range of 45-70M to be best. While with 32-bit pfsense version 2.1.5, I can reach 125M down, the same with openvpn off.

      I wonder what made that version unique and why we lost that edge in the subsequent releases.

      I am now stuck with version 2.1.5. I do wish developers can look into this and regain the lost power of pfsense.

      Thanks

      1 Reply Last reply Reply Quote 0
      • D Offline
        David_W
        last edited by

        Realistically, the comparison you ask for isn't going to happen. pfSense 2.1 is End of Life - it's based on the End of Life FreeBSD 8.3 operating system and probably contains an End of Life version of OpenVPN. 32 bit pfSense is probably going to be discontinued after the pfSense 2.3 series.

        There are so many changes between pfSense 2.1.5 and pfSense 2.2, let alone between 2.1.5 and 2.3, that trying to work out why the performance of your VPN has regressed is going to be very difficult.

        The best you can do is take advantage of your board's features - your C2758 supports AES-NI, which OpenVPN can utilise.

        1 Reply Last reply Reply Quote 0
        • T Offline
          tigs
          last edited by

          Thanks David.

          I know all these: the version has reached its end of life; so many changes have been made in later releases. Changes are introduced to improve performance. Obviously, this is not the case here.

          The tests were rough. I did use HA-aes-ni in both opnsense and all versions of pfsense in my testing.

          I don't know if vyos support aes-ni and how. So, result with vyos was without aes-ni.

          1 Reply Last reply Reply Quote 0
          • D Offline
            divsys
            last edited by

            I'd be extremely suspicious of any "testing" result that showed data speed Through pfSense that was the same whether I was using OpenVPN or not for the transfer.

            OpenVPN is very robust and an excellent  tool for VPN connections in my experience.
            It also has very real overhead requirements for CPU and packet sizes that "cost" in any transfer of data.

            A file transfer over OpenVPN is always going to be slower than the same transfer without OpenVPN.

            -jfp

            1 Reply Last reply Reply Quote 0
            • T Offline
              tigs
              last edited by

              @divsys:

              I'd be extremely suspicious of any "testing" result that showed data speed Through pfSense that was the same whether I was using OpenVPN or not for the transfer.

              OpenVPN is very robust and an excellent  tool for VPN connections in my experience.
              It also has very real overhead requirements for CPU and packet sizes that "cost" in any transfer of data.

              A file transfer over OpenVPN is always going to be slower than the same transfer without OpenVPN.

              I am running 32-bit version 2.1.5. I just had these tests done:

              with openvpn to PIA:

              The attached image is without openVPN:

              You can tell the difference by shorter ping time when openvpn is off.

              With the newer 64-bit version, 2.2.6, on a good day, I can achieve 80-90. This happens very rarely and brief. I have done 5 times of each. They are basically the same consistent results. I have a 100M down and 10M up cable internet.

              2.1.5 is the best version by a huge margin in all my tests. And, I have test almost everything except the openwrt. It is not scientific, but, for the purpose of my need, I am convinced.

              I have also tested the 64-bit version 2.1.5. It is not good at all. I have had difficulty installing the newer 32-versions.

              It is a regret, the newer version aren't better version. Too bad, the older version aren't supported anymore.

              Untitled.jpg
              Untitled.jpg_thumb

              1 Reply Last reply Reply Quote 0
              • D Offline
                David_W
                last edited by

                @tigs:

                With the newer 64-bit version, 2.2.6, on a good day, I can achieve 80-90. This happens very rarely and brief. I have done 5 times of each. They are basically the same consistent results. I have a 100M down and 10M up cable internet.

                2.1.5 is the best version by a huge margin in all my tests. And, I have test almost everything except the openwrt. It is not scientific, but, for the purpose of my need, I am convinced.

                How can a VPN get real world throughput of 125Mbit/s on a 100Mbit/s capped connection? If 125Mbit/s traffic is genuinely travelling over a VPN over your 100Mbit/s connection, you appear to have found an example of compression producing an unexpectedly high throughput in a pathological case that is unlikely to bear any resemblance to real-world throughput.

                Rather than testing with speedtest.net, which can report erroneously high figures in some scenarios (especially on a PC with certain brands of antivirus software running), I suggest that you find some FTP servers with test files, traceroute to them to show that the traffic is going via the VPN, then download some test files to get the throughput figures. It is true that this will be a single threaded rather than multi-threaded test, but it is more consistent and repeatable.

                ~90Mbit/s sounds more realistic for a 100Mbit/s capped connection, as the VPN will introduce some overhead.

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  How about you do an actual test??  21ms ping time testing to where some server in Chicago area, and your vpn is where in the Jersey Choopa hosting service?  Why would your speedtest server not be in area of your exit point?

                  As divsys mentions a vpn is going to always have overhead… It would be not possible to have the same top end speed as no vpn, since your in a tunnel with overhead.. Are you using UDP or TCP?  What cipher? etc..

                  A real test would be done on a local network where you have control and can test network speeds..  But if your going to do testing with something like speedtest.. You should test speed to server near your vpn exit point with your native connection.  And then check it going through the vpn.  Keep in mind that you could also have peering issues where one connection vs the other.

                  Also keep in mind that speedtest doesn't always get the geographic area of a vpn IP correct.. I connect to my VPS in luxumburg and it thinks Im in WY.. Comes down to where the company that owns the IP is registered, etc..

                  If your going to test make sure you get the basics right.. If you really want to test then you need to make sure everything is same other than changing version..  Something like attached pic where all that you change is the pfsense version..

                  test.png
                  test.png_thumb

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    tigs
                    last edited by

                    How can a VPN get real world throughput of 125Mbit/s on a 100Mbit/s capped connection?

                    My ISP most of time gives you a bit room over the cap. As can be seen when openvpn is off.

                    Why would your speedtest server not be in area of your exit point?

                    Chicago is the vpn exit point. more than 400 miles away from me. The test without openvpn was with a local server. That is why I cut that part away.

                    Are you using UDP or TCP?  What cipher? etc..

                    UDP and ase-128-cbc

                    And then check it going through the vpn

                    I did not do a traceroute, but I always do DNS leak test making sure my IP is the IP as the VPN provider's IP, in this case the Chicago.

                    If you really want to test then you need to make sure everything is same other than changing version

                    I know this is not scientific testing. However, all the tests I ran were done with exactly the same setting and in the same way. I understand it will vary. But i have been consistently getting better result with this version.

                    I am not the only one observed this. Here is another thread reporting vpn speed drop after upgrading from 2.1.5 to 2.2.2.

                    https://forum.pfsense.org/index.php?topic=88758.msg490684#msg490684

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.