Netgate SG-1000 microFirewall

Author Topic: CPU capable of doing gigabit OPENVPN?  (Read 1261 times)

0 Members and 1 Guest are viewing this topic.

Offline psulions5

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +0/-0
    • View Profile
CPU capable of doing gigabit OPENVPN?
« on: January 18, 2018, 11:11:13 am »
Is there a CPU out there that can do OPENVPN at gigabit speeds?  The highest end CPU at my disposal right now is a 7700K (which I am not using as a router).  I have seen theoretical benchmarks of 256AES on that around 550mbps.   So is there an actual CPU that can handle gigabit yet?

Thanks :)

Offline Harvy66

  • Hero Member
  • *****
  • Posts: 2318
  • Karma: +213/-12
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #1 on: January 18, 2018, 12:06:17 pm »
Mind you, a multi-core CPU may only be able to do 500Mb/s per core. Each VPN tunnel can only run on one core, but multiple tunnels can run at the same time, allowing a theoretical aggregate of about 2Gb/s. 128AES may be enough, unless you're trying to protect against a state level actor saving your streams and trying to crack them some time in the far future.

In theory, 128bits of protection is effectively unbreakable with known physics without being a type 2 civilization. But there are flaws, weakening the strength. The current understood strength of AES128 is about 126bits of strength against direct attacks. Indirect attacks like if you can influence the system, like controlling the RNG of the key generator to create related keys, technically reduces the strength of AES128 to 2^45 operations but AES256 would have 2^71 operations. Both of which are technically well below the "safe" level, even if neither are practical attacks.

Beware the $5 wrench side-channel attack.

Offline psulions5

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +0/-0
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #2 on: January 19, 2018, 07:21:36 am »
So basically it isn't happening with any CPU worth using?  On my gig connection through PIA, I get around 42 megabytes per second download.  Through my ISP I get around 92-95.  I guess that is manageable.  I am using a Xeon D-1528 currently, but maybe bump to the 7700k.  I tried the 7700K before, and it would not reboot PFSense for some reason.  That was over a year ago so maybe the latest software will function well.

Thank you for your input :)

Offline Harvy66

  • Hero Member
  • *****
  • Posts: 2318
  • Karma: +213/-12
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #3 on: January 19, 2018, 12:08:49 pm »
My input is more of food for thought than instructional. As for "So basically it isn't happening with any CPU worth using?", i'm not sure. I just used "500Mb/s/core" as a hypothetical value using roughly what you claimed to be getting in throughput. Mostly pointing out that while a single client may not be able to get gigabit rates, multiple clients in aggregate probably can, depending on how many cores you have and other hardware limitations.

I would not say I answered anything, but I did give some new perspective to hopefully help in your investigations.

Offline jwt

  • Administrator
  • Sr. Member
  • *****
  • Posts: 369
  • Karma: +104/-34
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #4 on: January 19, 2018, 12:53:48 pm »
requires a software 'fix' (rewrite).

it's on the schedule for TNSR (and SCLR).

Offline jgiannakas

  • Jr. Member
  • **
  • Posts: 54
  • Karma: +18/-0
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #5 on: January 19, 2018, 01:47:41 pm »
Is there a CPU out there that can do OPENVPN at gigabit speeds?  The highest end CPU at my disposal right now is a 7700K (which I am not using as a router).  I have seen theoretical benchmarks of 256AES on that around 550mbps.   So is there an actual CPU that can handle gigabit yet?

Thanks :)

None will. Also PIA does not allow you for more than 150/200 mbps per connection so the only way is to run multiple clients as a gateway group. This will help parallelisable load but won’t give you a single connection gigabit bandwidth.

Offline psulions5

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +0/-0
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #6 on: January 22, 2018, 07:46:47 am »
I don't think that is entirely true.  I am running 256AES PIA on my PFSense (I also have two connections to PIA for different subnets) and regularly get well over 500mb down.  Normal cable directly in I get 980ish. 

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11994
  • Karma: +474/-15
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #7 on: January 23, 2018, 11:05:27 am »
Multiple tunnels is the way to go though if you have multiple connections in the carried traffic. No single tunnel will ever be that quick.

Steve

Offline adminadmin

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #8 on: January 29, 2018, 01:51:58 pm »
Multiple tunnels is the way to go though if you have multiple connections in the carried traffic. No single tunnel will ever be that quick.

Steve

Is there a guide somewhere to setting up gateway grouping for exactly this: OpenVPN.

Offline Soarin

  • Jr. Member
  • **
  • Posts: 85
  • Karma: +7/-0
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #9 on: January 31, 2018, 08:40:25 am »
I wonder how the Ryzen CPUs would do with pfSense + encryption since Ryzen seems to have overkill encryption. I doubt it'll reach the 1Gbps mark but I'm curious how far they go
I hardly understand pfSense but it was love at first sight.

Offline VAMike

  • Sr. Member
  • ****
  • Posts: 429
  • Karma: +65/-11
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #10 on: January 31, 2018, 11:38:09 am »
I wonder how the Ryzen CPUs would do with pfSense + encryption since Ryzen seems to have overkill encryption. I doubt it'll reach the 1Gbps mark but I'm curious how far they go
The bottleneck isn't the crypto--a skylake can AES-128-GCM more than 40 gigabits per second on a single core--the problem is elsewhere in the openvpn code, and throwing hardware at it has rapidly diminishing returns. I have not yet seen ryzen results with higher per-core throughput than intel, but I also haven't run a test myself and can't speak to the methodology. (They do seem to have high -ctr numbers, but that's basically a so-what until combined with a mac and also irrelevant for openvpn.)

Offline stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11994
  • Karma: +474/-15
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #11 on: February 06, 2018, 05:57:10 pm »
Is there a guide somewhere to setting up gateway grouping for exactly this: OpenVPN.

Not really though it may be covered ion the advanced OpenVPN hangout we did a while back. Still in the archive for Gold members.

But it's pretty easy:

Create multiple clients preferably to multiple server instances. Each tunnel must have a different remote gateway in order to load balance correctly, just like a normal multiWAN scenario.

Set each client to not pull routes from the server as they will conflict.

Assign each of the client interfaces to get a gateway assigned.

Create a gateway group containing all the client gateways.

Policy route traffic from internal clients via that gateway group.

Steve

Offline johnkeates

  • Hero Member
  • *****
  • Posts: 827
  • Karma: +59/-1
    • View Profile
Re: CPU capable of doing gigabit OPENVPN?
« Reply #12 on: February 07, 2018, 02:33:59 pm »
7700 should work fine. Ryzen or other AMD chips don't really help. Having a ton of 'extra' cores doesn't help either. If you have decent per-core speed and about 4 cores, that's about the best you can do at this time.