
Author Topic: pfSense hardware for home router - OpenVPN performance  (Read 25687 times)


Offline sirozha

  • Jr. Member
  • **
  • Posts: 57
  • Karma: +0/-3
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #30 on: August 31, 2016, 06:46:19 am »
Test VPN from the gear you own (and whose specs you know) to your pfSense box across a reliable internet connection. That will give you the performance indication of your hardware. Better yet, test the VPN throughput in the lab to see the maximum throughput your hardware is capable of.

Stating the VPN throughput of 5 Mbps to some third-party VPN service is hardly an indication that something is wrong with your hardware or software.


Offline Paint

  • Full Member
  • ***
  • Posts: 209
  • Karma: +32/-2
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #31 on: August 31, 2016, 04:33:18 pm »
Here are my advanced server settings:

fast-io;sndbuf 0;rcvbuf 0;push "sndbuf 524288";push "rcvbuf 524288";keepalive 10 120;push "redirect-gateway def1";push "redirect-gateway-ipv6 def1";push "route-ipv6 2000::/3";

Here are my advanced client settings:

Code:
fast-io
fragment 0
mssfix 0
sndbuf 524288
rcvbuf 524288
lport 0
remote-random
remote-cert-tls server
resolv-retry 4
key-method 2
mute 10
mute-replay-warnings
keepalive 10 120
auth-retry nointeract
setenv FORWARD_COMPATIBLE 1
verb 3
reneg-sec 0
script-security 2

Ultimately, I think we should push to change to SoftEther as the VPN client. It supports backwards compatibility to OpenVPN and is much faster than OpenVPN for the same hardware.

Here is a feature list: https://www.softether.org/1-features

I started a thread in the package sub-forum regarding my SoftEther FreeBSD package port and performance. My initial tests show I can easily push 150/150 mbps (maximum of my WAN speed) through SoftEther with very low load on my pfSense machine!

https://forum.pfsense.org/index.php?topic=117626

I will post some benchmarks and run some theoretical maximum tests to see how fast SoftEther is compared to OpenVPN on my machine (my theoretical OpenVPN max is 299 mbps).
pfSense i7-4510U + 2x Intel 82574 + 2x Intel i350 Mini-ITX Build
940/880 mbit Fiber Internet from FiOS
Dell PowerConnect 2716 Gigabit Switch
Netgear R8000 AP (DD-WRT)
Asus RT-66U AP (DD-WRT)


Offline cinnamon

  • Jr. Member
  • **
  • Posts: 45
  • Karma: +3/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #32 on: September 21, 2016, 06:59:05 pm »
ci323 nano u

Stats for you guys

hw.model: Intel(R) Celeron(R) CPU  N3150  @ 1.60GHz
(cryptodev) BSD cryptodev engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support


openssl speed aes-128-cbc aes-192-cbc aes-256-cbc
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      27446.63k    31065.88k    32203.01k    79808.59k    80497.95k
aes-192 cbc      23419.20k    25885.49k    26810.11k    66946.05k    67553.96k
aes-256 cbc      20250.74k    22164.16k    22912.07k    57832.11k    58552.27k

openssl speed -engine cryptodev -multi 4 aes-128-cbc aes-192-cbc aes-256-cbc
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
aes-128 cbc     104805.14k   118668.96k   128936.14k   318822.11k   321327.26k
aes-192 cbc      93729.09k   103600.58k   107154.76k   267119.27k   271302.66k
aes-256 cbc      80937.83k    88656.43k    91726.42k   226115.54k   230708.57k


openssl speed -multi 4 bf-cbc
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
blowfish cbc    164957.33k   185746.01k   191440.98k   193272.15k   193628.57k


openssl speed bf-cbc
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     41251.69k    46459.56k    47838.06k    48378.47k    48452.95k
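
An added example, not part of the original post: a small parser for `openssl speed` tables that converts the 8192-byte column of the AES figures posted above to Mbit/s and compares the `-engine cryptodev -multi 4` run with the single-process run. The function names are illustrative; the sample rows are copied from the post.

```python
import re

# Rows copied from the post above (OpenSSL 1.0.1s-freebsd, Celeron N3150).
SINGLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      27446.63k    31065.88k    32203.01k    79808.59k    80497.95k
aes-192 cbc      23419.20k    25885.49k    26810.11k    66946.05k    67553.96k
aes-256 cbc      20250.74k    22164.16k    22912.07k    57832.11k    58552.27k
"""
MULTI4 = """\
aes-128 cbc     104805.14k   118668.96k   128936.14k   318822.11k   321327.26k
aes-192 cbc      93729.09k   103600.58k   107154.76k   267119.27k   271302.66k
aes-256 cbc      80937.83k    88656.43k    91726.42k   226115.54k   230708.57k
"""
BLOCK_SIZES = (16, 64, 256, 1024, 8192)
# A data row is a cipher name followed by exactly five "<number>k" columns.
ROW = re.compile(r"^(\S.*?)\s+((?:\d+\.\d+k\s*){5})$")

def parse_speed(text):
    """Return {cipher: {block_size: bytes_per_second}} from `openssl speed` rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, banner or blank line
        values = [float(v.rstrip("k")) * 1000 for v in m.group(2).split()]
        table[m.group(1)] = dict(zip(BLOCK_SIZES, values))
    return table

def mbit(bytes_per_second):
    """openssl prints 1000s of bytes/s; this converts bytes/s to Mbit/s."""
    return bytes_per_second * 8 / 1e6

def scaling(single, multi, block=8192):
    """Ratio of the multi-process figure to the single-process figure."""
    return {c: multi[c][block] / single[c][block] for c in single if c in multi}

def report():
    """Rows of (cipher, single Mbit/s, multi Mbit/s, ratio) at 8192-byte blocks."""
    single, multi = parse_speed(SINGLE), parse_speed(MULTI4)
    return [(c, round(mbit(single[c][8192]), 1), round(mbit(multi[c][8192]), 1),
             round(r, 2)) for c, r in scaling(single, multi).items()]

if __name__ == "__main__":
    for cipher, one, four, ratio in report():
        print(f"{cipher}: {one} Mbit/s single, {four} Mbit/s multi, x{ratio}")
```

These are raw cipher rates, not tunnel throughput. The two runs differ in both process count and engine, so the ratio alone does not separate the effect of `-multi 4` from that of `-engine cryptodev`.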

Offline spon901

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #33 on: December 04, 2016, 05:31:12 am »
The measurement above using command:
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc

seems to be totally inaccurate.

I made the following tests. I connected an i5 laptop and an RK3288-based Linux box to a VLAN switch. The RK3288 is used as a VLAN router. On the laptop I ran a speed test through this router, and I obtained 300M/150M, which is what the provider offers.
Running the above test command I got:
For RK3288 27 sec, which means 118.5 Mbps
For i5 laptop 6 sec, which means 533 Mbps.

So I expect a throughput of around 120 Mbps. However, installing openwrt on both the RK3288 box and the i5 laptop, performing the same test I have only 32Mbps/43Mbps. Why so big a difference compared with the theoretical speed of 120 Mbps?

Offline VAMike

  • Sr. Member
  • ****
  • Posts: 429
  • Karma: +65/-11
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #34 on: December 04, 2016, 08:42:14 am »
Very much doubt these calculations or any....., too many variables to make a good estimate that will reflect reality.
Cipher, digest, hash, compression, mtu, buffersizes, network, latency, etc. all play a role.
And also the type of data that goes through the tunnel.

Quote
Intel Celeron N3150 4x1.6GHz    -TDP 6W  -CPU Mark 1642 -Single Thread  456
3200/27,5 = 116 Mbps OpenVPN performance (estimate)

As argument, with N3150 (Gigabyte N3150N-D3V), I can tell you that in a client to client Iperf test, I was getting 160 Mbit/s throughput, I used:
No crypto hardware selected (meaning AES-NI will be used automatically if it's supported, N3150 does)
no compression
DH 2048
AES-256-CBC
SHA512
prng SHA512 32 #(prng_hash = 'RSA-SHA512'/prng_nonce_secret_len = 32)
cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384/2048 bit RSA

As you can see, with these somewhat "heavier" settings it is higher than the calculated 116 Mbit/s.

Furthermore, keep in mind that this was client to client, meaning there is an extra round of crypto happening at server.....

I'd guess that the original benchmark was done with aesni.ko loaded, hence the low crypto performance. Without aesni.ko I benchmark just about exactly 160Mbps on that hardware...

Offline VAMike

  • Sr. Member
  • ****
  • Posts: 429
  • Karma: +65/-11
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #35 on: December 04, 2016, 08:51:50 am »
Quote
I made the following tests. I connected an i5 laptop and an RK3288-based Linux box to a VLAN switch. The RK3288 is used as a VLAN router. On the laptop I ran a speed test through this router, and I obtained 300M/150M, which is what the provider offers.
Running the above test command I got:
For RK3288 27 sec, which means 118.5 Mbps
For i5 laptop 6 sec, which means 533 Mbps.

So I expect a throughput of around 120 Mbps. However, installing openwrt on both the RK3288 box and the i5 laptop, performing the same test I have only 32Mbps/43Mbps. Why so big a difference compared with the theoretical speed of 120 Mbps?

Do I understand correctly that you changed the OS after running the benchmark? Try running the benchmark on the OS you're using for the test.

Offline spon901

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #36 on: December 04, 2016, 11:39:44 am »
No, it was the same OS. I did not change anything. Just tested directly and then immediately ran the same test through openvpn. Then again ran the same test directly just to be sure. The results are:

Directly 300/150, through vpn 32/43.

BlueKobold

  • Guest
Re: pfSense hardware for home router - OpenVPN performance
« Reply #37 on: December 04, 2016, 02:49:37 pm »
Quote
The measurement above using command:
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc

seems to be totally inaccurate.

I made the following tests. I connected an i5 laptop and an RK3288-based Linux box to a VLAN switch. The RK3288 is used as a VLAN router. On the laptop I ran a speed test through this router, and I obtained 300M/150M, which is what the provider offers.
Running the above test command I got:
For RK3288 27 sec, which means 118.5 Mbps
For i5 laptop 6 sec, which means 533 Mbps.

So I expect a throughput of around 120 Mbps. However, installing openwrt on both the RK3288 box and the i5 laptop, performing the same test I have only 32Mbps/43Mbps. Why so big a difference compared with the theoretical speed of 120 Mbps?

OpenWRT is Linux based and not BSD based! This at first. But you will also be getting totally
other results if you take on both sides Intel Core i5 CPUs and/or i7 CPUs. And theoretically
you could do a test on the same devices for OpenSSL like many others are doing, but
what you then get out as a result in real life, you should know, is totally another thing!

These numbers can be and will be different depending on the
hardware used (horse power), the devices themselves and the topology of the network or the test done.

And please don't forget that you will need more horse power such OpenWRT is needing,
but on the other side you then get not only a small router, you might be able to set up
up to a full UTM device if needed.
« Last Edit: December 04, 2016, 04:00:42 pm by BlueKobold »

Offline Dalsland

  • Newbie
  • *
  • Posts: 6
  • Karma: +3/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #38 on: December 04, 2016, 03:02:01 pm »
Here is my benchmark for

Intel J1900 Quad Core 4x2GHz
Network 4*Intel WG82583
Eglobal Fanless Mini PC


Code:
[2.3.2-RELEASE][admin@pfSense.localdomain]/root: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
30.309u 0.023s 0:30.35 99.9%    742+177k 0+0io 0pf+0w
30s = 106 Mbps according to the calculation.


"Real world"  performance:
I have a 100/100 connection

No VPN


VPN



Offline mauroman33

  • Full Member
  • ***
  • Posts: 175
  • Karma: +23/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #39 on: December 05, 2016, 01:46:00 am »
Quote
No, it was the same OS. I did not change anything. Just tested directly and then immediately ran the same test through openvpn. Then again ran the same test directly just to be sure. The results are:

Directly 300/150, through vpn 32/43.

Don't you have doubt that it could be related to your VPN provider?

Offline spon901

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #40 on: December 05, 2016, 02:23:06 am »
Both the i5 laptop and the RK3288 box are in my location, connected through a gigabit network. There is no VPN provider involved, only a normal ISP that provides a connection with 300Mbit/150Mbit. On the laptop I have Windows 7 installed and on the RK3288 Ubuntu 14.10. As I said, the RK3288 acts like a VLAN router and, connected directly, on the laptop I can successfully reach the maximum speed the provider offers (300/150). Now making the same speed but through openvpn (I simulate the laptop using an openvpn client trying to connect to the RK3288 openvpn server that connects to the internet). In this case the speed was just 32/43. The issue here is not why the speed is so low. It may be because the RK3288 cannot do more (however this is also strange because it is a capable processor having hardware-accelerated crypto). The issue is why testing openvpn speed (and not openssl) gives so big a difference. And all those tests were repeated several times, just to be sure. The results were consistent. Is there any way to be sure whether openvpn uses hardware-accelerated crypto or not? Because maybe this is the reason for so big a difference.


Offline mauroman33

  • Full Member
  • ***
  • Posts: 175
  • Karma: +23/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #41 on: December 05, 2016, 05:09:23 am »
Sorry mate, but I didn't understand how pfSense is involved in your test.

Offline spon901

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #42 on: December 05, 2016, 05:57:21 am »
It is not yet. I intend to install it. But what I wrote has nothing to do with pfSense, or with any operating system. It has to do with theoretical speed calculation vs real speed.

Offline mauroman33

  • Full Member
  • ***
  • Posts: 175
  • Karma: +23/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #43 on: December 05, 2016, 06:16:34 am »
You should consider this thread is about the theoretical speed and the real speed obtained through a device running pfSense.

Offline spon901

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: pfSense hardware for home router - OpenVPN performance
« Reply #44 on: December 05, 2016, 06:34:46 am »
Ok, so on a non-pfSense device there is no correlation between theoretical and real speed?