What makes the 32-bit version 2.1.5 the fastest openvpn performer?



  • I have a Supermicro C2758 board, and Private Internet Access as my VPN provider. I have tested extensively, and this version of pfSense is better by a large margin.

    I have tested:

    pfsense 2.2.5 64-bit
    pfsense 2.2.6 64-bit
    pfsense 2.3 beta nightly build 64-bit

    opnsense 1.1.6 64 bit

    DD-WRT, Dec 2015 build 64-bit

    Vyos 1.1.6 64-bit

    These were all in the range of 45-70M at best, while with 32-bit pfSense version 2.1.5 I can reach 125M down, the same as with OpenVPN off.

    I wonder what made that version unique and why we lost that edge in the subsequent releases.

    I am now stuck with version 2.1.5. I do wish developers can look into this and regain the lost power of pfsense.

    Thanks



  • Realistically, the comparison you ask for isn't going to happen. pfSense 2.1 is End of Life - it's based on the End of Life FreeBSD 8.3 operating system and probably contains an End of Life version of OpenVPN. 32 bit pfSense is probably going to be discontinued after the pfSense 2.3 series.

    There are so many changes between pfSense 2.1.5 and pfSense 2.2, let alone between 2.1.5 and 2.3, that trying to work out why the performance of your VPN has regressed is going to be very difficult.

    The best you can do is take advantage of your board's features - your C2758 supports AES-NI, which OpenVPN can utilise.



  • Thanks David.

    I know all these: the version has reached its end of life; so many changes have been made in later releases. Changes are introduced to improve performance. Obviously, this is not the case here.

    The tests were rough. I did use HA-aes-ni in both opnsense and all versions of pfsense in my testing.

    I don't know if VyOS supports AES-NI and how. So the result with VyOS was without AES-NI.



  • I'd be extremely suspicious of any "testing" result that showed data speed through pfSense that was the same whether I was using OpenVPN or not for the transfer.

    OpenVPN is very robust and an excellent tool for VPN connections in my experience.
    It also has very real overhead requirements for CPU and packet sizes that "cost" in any transfer of data.

    A file transfer over OpenVPN is always going to be slower than the same transfer without OpenVPN.



  • @divsys:

    I'd be extremely suspicious of any "testing" result that showed data speed through pfSense that was the same whether I was using OpenVPN or not for the transfer.

    OpenVPN is very robust and an excellent tool for VPN connections in my experience.
    It also has very real overhead requirements for CPU and packet sizes that "cost" in any transfer of data.

    A file transfer over OpenVPN is always going to be slower than the same transfer without OpenVPN.

    I am running 32-bit version 2.1.5. I just had these tests done:

    with openvpn to PIA:

    The attached image is without openVPN:

    You can tell the difference by shorter ping time when openvpn is off.

    With the newer 64-bit version, 2.2.6, on a good day, I can achieve 80-90. This happens very rarely and briefly. I have done each 5 times. They are basically the same consistent results. I have a 100M down and 10M up cable internet.

    2.1.5 is the best version by a huge margin in all my tests. And I have tested almost everything except OpenWrt. It is not scientific, but for the purpose of my need, I am convinced.

    I have also tested the 64-bit version 2.1.5. It is not good at all. I have had difficulty installing the newer 32-bit versions.

    It is a regret that the newer versions aren't better versions. Too bad the older versions aren't supported anymore.




  • @tigs:

    With the newer 64-bit version, 2.2.6, on a good day, I can achieve 80-90. This happens very rarely and briefly. I have done each 5 times. They are basically the same consistent results. I have a 100M down and 10M up cable internet.

    2.1.5 is the best version by a huge margin in all my tests. And I have tested almost everything except OpenWrt. It is not scientific, but for the purpose of my need, I am convinced.

    How can a VPN get real world throughput of 125Mbit/s on a 100Mbit/s capped connection? If 125Mbit/s traffic is genuinely travelling over a VPN over your 100Mbit/s connection, you appear to have found an example of compression producing an unexpectedly high throughput in a pathological case that is unlikely to bear any resemblance to real-world throughput.

    Rather than testing with speedtest.net, which can report erroneously high figures in some scenarios (especially on a PC with certain brands of antivirus software running), I suggest that you find some FTP servers with test files, traceroute to them to show that the traffic is going via the VPN, then download some test files to get the throughput figures. It is true that this will be a single threaded rather than multi-threaded test, but it is more consistent and repeatable.

    ~90Mbit/s sounds more realistic for a 100Mbit/s capped connection, as the VPN will introduce some overhead.


  • LAYER 8 Global Moderator

    How about you do an actual test? 21ms ping time, testing to where, some server in the Chicago area? And your VPN is where, in the Jersey Choopa hosting service?  Why would your speedtest server not be in area of your exit point?

    As divsys mentions, a VPN is always going to have overhead… It would not be possible to have the same top end speed as no VPN, since you're in a tunnel with overhead. Are you using UDP or TCP?  What cipher? etc..

    A real test would be done on a local network where you have control and can test network speeds. But if you're going to do testing with something like speedtest, you should test speed to a server near your VPN exit point with your native connection.  And then check it going through the vpn.  Keep in mind that you could also have peering issues where one connection vs the other.

    Also keep in mind that speedtest doesn't always get the geographic area of a VPN IP correct. I connect to my VPS in Luxembourg and it thinks I'm in WY. Comes down to where the company that owns the IP is registered, etc.

    If you're going to test, make sure you get the basics right. If you really want to test then you need to make sure everything is same other than changing version.  Something like the attached pic, where all that you change is the pfSense version.




  • How can a VPN get real world throughput of 125Mbit/s on a 100Mbit/s capped connection?

    My ISP most of the time gives you a bit of room over the cap. As can be seen when OpenVPN is off.

    Why would your speedtest server not be in area of your exit point?

    Chicago is the VPN exit point, more than 400 miles away from me. The test without OpenVPN was with a local server. That is why I cut that part away.

    Are you using UDP or TCP?  What cipher? etc..

    UDP and aes-128-cbc

    And then check it going through the vpn

    I did not do a traceroute, but I always do a DNS leak test, making sure my IP is the VPN provider's IP, in this case the Chicago one.

    If you really want to test then you need to make sure everything is same other than changing version

    I know this is not scientific testing. However, all the tests I ran were done with exactly the same settings and in the same way. I understand it will vary. But I have been consistently getting better results with this version.

    I am not the only one who observed this. Here is another thread reporting a VPN speed drop after upgrading from 2.1.5 to 2.2.2.

    https://forum.pfsense.org/index.php?topic=88758.msg490684#msg490684

