OpenVPN Speed problem on 1 Gbps link

Posted: Thu Aug 18, 2022 5:57 pm
by khodorb
Hi,
I am using OpenVPN on a Netgate SG-4860 in our datacenter and I have a symmetric WAN link with 1 Gbps speed.
When on the LAN I can test that speed on speedtest, but when connected remotely via OpenVPN I can only get 50 to 60 Mbps on speedtest.
I was wondering what could be wrong with my setup and what parameters I can change under my settings to increase the speed for VPN users.
Is there a limit on bandwidth that we can control under OpenVPN?

I am on pfSense version 2.4.5 and I also tested that on pfSense+ version 22.05.

This is my current configuration; I have removed the TLS and DNS sections for privacy.


<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls_user</mode>
<authmode>Local Database</authmode>
<protocol>UDP4</protocol>
<dev_mode>tun</dev_mode>
<interface>wan</interface>
<ipaddr></ipaddr>
<local_port>1194</local_port>
<description><![CDATA[PAID OpenVPN server]]></description>
<custom_options></custom_options>
<tls></tls>
<tls_type>auth</tls_type>
<tlsauth_keydir>default</tlsauth_keydir>
<caref>59a47a78cfd5b</caref>
<crlref>59a47fec1401d</crlref>
<certref>59a5ca057de10</certref>
<dh_length>2048</dh_length>
<ecdh_curve>none</ecdh_curve>
<cert_depth>1</cert_depth>
<strictusercn>yes</strictusercn>
<crypto>AES-256-CBC</crypto>
<digest>SHA256</digest>
<engine>cryptodev</engine>
<tunnel_network>192.168.72.0/24</tunnel_network>
<tunnel_networkv6></tunnel_networkv6>
<remote_network></remote_network>
<remote_networkv6></remote_networkv6>
<gwredir>yes</gwredir>
<gwredir6></gwredir6>
<local_network></local_network>
<local_networkv6></local_networkv6>
<maxclients>100</maxclients>
<compression></compression>
<compression_push></compression_push>
<passtos></passtos>
<client2client>yes</client2client>
<dynamic_ip>yes</dynamic_ip>
<topology>subnet</topology>
<serverbridge_dhcp></serverbridge_dhcp>
<serverbridge_interface>none</serverbridge_interface>
<serverbridge_routegateway></serverbridge_routegateway>
<serverbridge_dhcp_start></serverbridge_dhcp_start>
<serverbridge_dhcp_end></serverbridge_dhcp_end>
<dns_domain>company.local</dns_domain>
<dns_server1></dns_server1>
<dns_server2></dns_server2>
<dns_server3></dns_server3>
<dns_server4></dns_server4>
<push_blockoutsidedns>yes</push_blockoutsidedns>
<username_as_common_name><![CDATA[enabled]]></username_as_common_name>
<exit_notify>none</exit_notify>
<sndrcvbuf></sndrcvbuf>
<push_register_dns>yes</push_register_dns>
<netbios_enable></netbios_enable>
<netbios_ntype>0</netbios_ntype>
<netbios_scope></netbios_scope>
<create_gw>both</create_gw>
<verbosity_level>4</verbosity_level>
<ncp-ciphers>AES-128-GCM,AES-256-CBC</ncp-ciphers>
<ncp_enable>enabled</ncp_enable>
<ping_method>keepalive</ping_method>
<keepalive_interval>10</keepalive_interval>
<keepalive_timeout>60</keepalive_timeout>
<ping_seconds>10</ping_seconds>
<ping_push></ping_push>
<ping_action>ping_restart</ping_action>
<ping_action_seconds>60</ping_action_seconds>
<ping_action_push></ping_action_push>
<inactive_seconds>60</inactive_seconds>
</openvpn-server>
</openvpn>

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Thu Aug 18, 2022 6:51 pm
by TinCanTech
The only known limits to OpenVPN speed are the quality of the hardware you throw at it.

OpenVPN can saturate a 10Gbps link, given enough oomph.

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Thu Aug 18, 2022 7:55 pm
by khodorb
Sorry, I didn't get your point. I have tested 2 Netgate devices:
SG-4860 and 6100 MAX with 1 Gbps WAN speed. On the LAN network I can reach the same speed, but when using an OpenVPN client connection, the speed test shows a result of 50 to 60 Mbps. I have 50 users in total using OpenVPN and I have tested the speed when no one else is connected.

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Thu Aug 18, 2022 11:45 pm
by Pippin
Hi,

On pfSense, what does

kldstat
give on CLI?

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Thu Aug 18, 2022 11:52 pm
by khodorb
Id Refs Address Size Name
1 10 0xffffffff80200000 3724440 kernel
2 1 0xffffffff83a21000 10d0 cpuctl.ko
3 1 0xffffffff83a23000 32e8 cryptodev.ko
4 1 0xffffffff83a27000 7038 aesni.ko

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Fri Aug 19, 2022 12:17 am
by Pippin

3 1 0xffffffff83a23000 32e8 cryptodev.ko
It's a bad idea to load --engine in OpenVPN.
Please disable hardware crypto for the server.

It's probably easier to do in CLI because then no restart is needed:

kldunload cryptodev.ko
and

kldunload aesni.ko
OpenVPN uses OpenSSL for crypto tasks.
Using AES-NI via kernel cryptodev is almost always a bad idea because it is slower than just using the same AES-NI instructions in openssl userland ("same CPU opcodes, less jump-to-kernel-and-back").

Test again.

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Fri Aug 19, 2022 12:47 am
by khodorb
To be honest, I loaded those kernels an hour ago, so the performance was the same with and without encryption.
When I wrote the topic the settings were this:
CPU Type Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
Current: 1200 MHz, Max: 2400 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)

I have read this article, and it asks to enable crypto if your hardware supports it:

https://docs.netgate.com/pfsense/en/lat ... celeration

CPU Type Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
Current: 1200 MHz, Max: 2400 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (Active)

What is your recommendation here? I am getting the same speed on both configurations.

Re: OpenVPN Speed problem on 1 Gbps link

Posted: Fri Aug 19, 2022 12:53 am
by khodorb
[2.4.5-RELEASE][root@pfsense]/root: kldunload cryptodev.ko

[2.4.5-RELEASE][root@pfsense]/root: kldstat
Id Refs Address Size Name
1 8 0xffffffff80200000 3724440 kernel
2 1 0xffffffff83a21000 10d0 cpuctl.ko
4 1 0xffffffff83a27000 7038 aesni.ko
5 1 0xffffffff83a2f000 c90 coretemp.ko
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: /usr/bin/openssl engine -t -c
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: kldunload aesni.ko
[2.4.5-RELEASE][root@pfsense]/root: /usr/bin/openssl engine -t -c
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:

########### After unloading the modules ########################

[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 19437386 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 7511765 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2274301 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 596823 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 78900 aes-128-cbc's in 3.13s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 103396.80k 160250.99k 193068.12k 203715.58k 206831.62k
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-gcm
Doing aes-128-gcm for 3s on 16 size blocks: 10964746 aes-128-gcm's in 2.99s
Doing aes-128-gcm for 3s on 64 size blocks: 5336145 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 256 size blocks: 1868933 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 1024 size blocks: 521176 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 67189 aes-128-gcm's in 3.00s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-gcm 58631.33k 113542.08k 158655.95k 177894.74k 183470.76k
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:

################## After Reloading Modules #########################

[2.4.5-RELEASE][root@pfsense]/root: /usr/bin/openssl engine -t -c
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
[ available ]
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: kldstat
Id Refs Address Size Name
1 12 0xffffffff80200000 3724440 kernel
2 1 0xffffffff83a21000 10d0 cpuctl.ko
5 1 0xffffffff83a2f000 c90 coretemp.ko
6 1 0xffffffff83a23000 7038 aesni.ko
7 1 0xffffffff83a2b000 32e8 cryptodev.ko
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root:
[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 318269 aes-128-cbc's in 0.52s
Doing aes-128-cbc for 3s on 64 size blocks: 307693 aes-128-cbc's in 0.48s
Doing aes-128-cbc for 3s on 256 size blocks: 272028 aes-128-cbc's in 0.48s
Doing aes-128-cbc for 3s on 1024 size blocks: 187180 aes-128-cbc's in 0.39s
Doing aes-128-cbc for 3s on 8192 size blocks: 47687 aes-128-cbc's in 0.05s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 9875.98k 41321.66k 146128.09k 490681.14k 8333907.29k
[2.4.5-RELEASE][root@pfsense]/root: openssl speed -evp aes-128-gcm
Doing aes-128-gcm for 3s on 16 size blocks: 10987038 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 64 size blocks: 5323839 aes-128-gcm's in 2.99s
Doing aes-128-gcm for 3s on 256 size blocks: 1882455 aes-128-gcm's in 3.04s
Doing aes-128-gcm for 3s on 1024 size blocks: 525094 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 8192 size blocks: 67508 aes-128-gcm's in 3.00s
OpenSSL 1.0.2u-freebsd 20 Dec 2019
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-gcm 58445.33k 113871.77k 158571.43k 177842.69k 184341.85k


It seems OpenSSL is faster with AES-128-CBC when hardware crypto (AES-NI) is enabled.

Correct me if I am wrong.
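
An added example, not part of any post in this thread: `openssl speed` run without `-elapsed` divides the bytes processed by user CPU time rather than wall-clock time, so a run that spends most of its 3 seconds outside userland reports an inflated figure. The Python sketch below re-derives wall-clock throughput from the `Doing ...` lines of the two aes-128-cbc runs pasted above (embedded as sample input), assuming each run lasted the nominal 3 seconds; the function names are illustrative.

```python
import re

# Sample input: the "Doing ..." lines of the two aes-128-cbc runs posted above.
USERLAND = """\
Doing aes-128-cbc for 3s on 16 size blocks: 19437386 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 7511765 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2274301 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 596823 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 78900 aes-128-cbc's in 3.13s
"""
CRYPTODEV = """\
Doing aes-128-cbc for 3s on 16 size blocks: 318269 aes-128-cbc's in 0.52s
Doing aes-128-cbc for 3s on 64 size blocks: 307693 aes-128-cbc's in 0.48s
Doing aes-128-cbc for 3s on 256 size blocks: 272028 aes-128-cbc's in 0.48s
Doing aes-128-cbc for 3s on 1024 size blocks: 187180 aes-128-cbc's in 0.39s
Doing aes-128-cbc for 3s on 8192 size blocks: 47687 aes-128-cbc's in 0.05s
"""

DOING = re.compile(
    r"Doing (\S+) for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s")

def parse_speed(text):
    """Return one dict per block size with CPU-time and wall-clock kB/s."""
    rows = []
    for cipher, wall, size, count, cpu in DOING.findall(text):
        wall, size, count, cpu = int(wall), int(size), int(count), float(cpu)
        total = size * count  # bytes processed during the run
        rows.append({
            "cipher": cipher,
            "block": size,
            # Figure openssl prints: bytes / user CPU seconds (None if 0.00s).
            "reported_kBps": total / cpu / 1000 if cpu else None,
            # Assumption: the run lasted the nominal wall-clock duration.
            "wall_kBps": total / wall / 1000,
            # Far below 1.0 means most of the run was spent outside userland.
            "cpu_fraction": cpu / wall,
        })
    return rows

def wall_clock_ratio(userland_text, engine_text):
    """Map block size -> userland wall kB/s divided by engine wall kB/s."""
    u = {r["block"]: r for r in parse_speed(userland_text)}
    e = {r["block"]: r for r in parse_speed(engine_text)}
    return {b: u[b]["wall_kBps"] / e[b]["wall_kBps"] for b in u if b in e}

if __name__ == "__main__":
    for b, ratio in wall_clock_ratio(USERLAND, CRYPTODEV).items():
        print(f"{b:>5} bytes: userland is {ratio:.1f}x the cryptodev wall-clock rate")
```

Re-running the benchmark as `openssl speed -elapsed -evp aes-128-cbc` makes OpenSSL report wall-clock figures directly.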