Jump to content
Not connected, Your IP: 54.163.221.133

Recommended Posts

Hello,

 

I have been using AirVPN for quite some time now... I was previously using the Eddie client on a single machine, but decided to build a PFSense box and configure the VPN there.

I am located in Canada, and setting a connection to a single VPN server in Toronto. It seems to give the best connection and reliability rather then going for the ca.airvpn (I seem to always end up at a BC server using this entry)

My issue is.... I currently have a 150mbps connection with my ISP.

Using PFSense without AirVPN I am able to reach my advertised speeds

With AirVPN configured, I am only ever seeing a max of about 30mbps.

 

My hardware setup is quite decent.

Intel® Core i5 CPU 650 @ 3.20GHz

4gb DDR3 memory
120gb SSD
2 Intel NICs (both showing as igb)
 
My speeds using Eddie were very very good, much better then the PFSense speeds; so I can only assume that I have a configuration error (my hardware seems to be quite good from what I have been reading) 
 
Some research from other posts did not help better my issue, so I am hoping that posting my own thread on this topic can being me closer to a conclusion with mine.
 
I followed the guide by "pfSense_fan"
 
I can post any diagnostics or logs as necessary, I just do not know what you guys would like to see.
 
Any help with this would be appreactiated
 
Regards

Share this post


Link to post

 

My hardware setup is quite decent.

Intel® Core i5 CPU 650 @ 3.20GHz

Are you sure about that?

It's not the setup or us, its' your hardware.

https://ark.intel.com/products/43546/Intel-Core-i5-650-Processor-4M-Cache-3_20-GHz

Launch date: Q1 2010

 

This is not exactly decent. By any means an 8 year old CPU is usable, but cannot be

expected to achieve high speeds with OpenVPN AES-256.

We don't exactly have any benchmarks from this CPU but a 30-40Mbit mark is my high bet.

 

Note when you build a high end dedicated box for OpenVPN/other tasks, you have to consider

it's max throughput before - CPU and RAM from the past 5 years should cost almost the  same

and give about twice better performance.

 

Just as you can't expect running some games on such machine, or running new apps on a phone

from 8 years ago, this is almost the same. Your CPU is the Galaxy 1st gen / iPhone 3G of today standards.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

While I agree with zhang888 that your CPU is old (8 years). It does not mean that your CPU isn't good enough for your pfSense build.

 

refer to these threads.

https://forum.pfsense.org/index.php?topic=128698.15

https://forum.pfsense.org/index.php?topic=130350.0

 

It seems that the AES-NI can be turned off since v2.4 In the OpenVPN client section; setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

 

 

Share this post


Link to post

@strakur

With all possible tweaks I don't think the CPU will reach above 40Mbit.

 

OP probably built and set up everything correct, it's just the actual limit

that is capped in this case.  He probably didn't consider some other things.

 

We would be happy to see benchmarks on a 2010 CPU. It's quite a relic.

To be conclusive, just LAN<->LAN speeds with OpenVPN AES-256.

My bet is still on the 40Mbit top, maybe 50 with low latency UDP on LAN.

 

 

If  testing methodology  and commands are needed, reply.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

While I agree with zhang888 that your CPU is old (8 years). It does not mean that your CPU isn't good enough for your pfSense build.

 

refer to these threads.

https://forum.pfsense.org/index.php?topic=128698.15

https://forum.pfsense.org/index.php?topic=130350.0

 

It seems that the AES-NI can be turned off since v2.4 In the OpenVPN client section; setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

 

 

I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?

 

 

Share this post


Link to post

My hardware setup is quite decent.

Intel® Core i5 CPU 650 @ 3.20GHz

Are you sure about that?

It's not the setup or us, its' your hardware.

https://ark.intel.com/products/43546/Intel-Core-i5-650-Processor-4M-Cache-3_20-GHz

Launch date: Q1 2010

 

This is not exactly decent. By any means an 8 year old CPU is usable, but cannot be

expected to achieve high speeds with OpenVPN AES-256.

We don't exactly have any benchmarks from this CPU but a 30-40Mbit mark is my high bet.

 

Note when you build a high end dedicated box for OpenVPN/other tasks, you have to consider

it's max throughput before - CPU and RAM from the past 5 years should cost almost the  same

and give about twice better performance.

 

Just as you can't expect running some games on such machine, or running new apps on a phone

from 8 years ago, this is almost the same. Your CPU is the Galaxy 1st gen / iPhone 3G of today standards.

 

That is fair.

I have a spare i7 6700k box lying around that I can test out my configuration on.

This should give a solid comparison as to if hardware is the issue, as this CPU should handle the crypto very well.

 

I will get it configured sometime this week and report back.

Share this post


Link to post

@strakur

With all possible tweaks I don't think the CPU will reach above 40Mbit.

 

OP probably built and set up everything correct, it's just the actual limit

that is capped in this case.  He probably didn't consider some other things.

 

We would be happy to see benchmarks on a 2010 CPU. It's quite a relic.

To be conclusive, just LAN<->LAN speeds with OpenVPN AES-256.

My bet is still on the 40Mbit top, maybe 50 with low latency UDP on LAN.

 

 

If  testing methodology  and commands are needed, reply.

 

I would love testing methodology and commands.

That would be very helpful! Thank you!

Share this post


Link to post

That

 

 

While I agree with zhang888 that your CPU is old (8 years). It does not mean that your CPU isn't good enough for your pfSense build.

 

refer to these threads.

https://forum.pfsense.org/index.php?topic=128698.15

https://forum.pfsense.org/index.php?topic=130350.0

 

It seems that the AES-NI can be turned off since v2.4 In the OpenVPN client section; setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

 

 

 

Why would you turn AES-NI off?

 

This is my CPU

AMD A6-7400K Radeon R5, 6 Compute Cores 2C+4G

Current: 1400 MHz, Max: 3500 MHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)

 

For my setup I have cryptographic hardware in system_advanced_misc.php set to AES-NI and BSD Crypto device.  Then in the OpenVPN client I have BSD Cryptodev engine selected (it's my only option besides no hardware crypto).  I can max my ISP connection of 430mbit/s even through the openvpn tunnel with this.

 

https://www.cpubenchmark.net/compare.php?cmp[]=2392&cmp[]=767

 

Comparing my CPU with the OP's CPU, mine has slightly higher single thread rating.  Still, I see no reason why, with AES-NI, higher speeds can't be achieved. 

Share this post


Link to post

@go558a83nk

 

“Why would you turn AES-NI off?” I agree; I personally keep my AES-NI setting turned on.

 

However, when researching this topic; users having OpenVPN speed issues with pfSense stated that when AES-NI was turned on, they did not see any change in speed.  In troubleshooting the issue (since version 2.4 of pfSense), they turned off AES-NI and used the OpenVPN Fast I/O setting with the Send/Receive buffers set to 512 to gain the performance boost.

 

"It seems that the AES-NI can be turned off since v2.4”. This comment was based not finding any definitive answer stating that AES-NI should be turned off or on since v2.4. I’m not sure that since 2.4 it uses it by default regardless of setting.

 

In my opinion, I would just keep AES-NI turned on unless you are seeing a negative impact with it on.

Share this post


Link to post

@go558a83nk

 

“Why would you turn AES-NI off?” I agree; I personally keep my AES-NI setting turned on.

 

However, when researching this topic; users having OpenVPN speed issues with pfSense stated that when AES-NI was turned on, they did not see any change in speed.  In troubleshooting the issue (since version 2.4 of pfSense), they turned off AES-NI and used the OpenVPN Fast I/O setting with the Send/Receive buffers set to 512 to gain the performance boost.

 

"It seems that the AES-NI can be turned off since v2.4”. This comment was based not finding any definitive answer stating that AES-NI should be turned off or on since v2.4. I’m not sure that since 2.4 it uses it by default regardless of setting.

 

In my opinion, I would just keep AES-NI turned on unless you are seeing a negative impact with it on.

 

I've done theoretical testing on my pfsense box with AES-NI enabled at the system level, and not.  It makes a huge difference - an order of magnitude perhaps.  I've always used fast-io and larger buffers.

Share this post


Link to post

I have confirmed that it is a misconfiguration and not a hardware issue. Just swapped over to a box with the below specs. 

VPN speeds are around the same if not slightly worse. Exact same configuration and NICs

 

https://imgur.com/a/sKa2w

 

 

i'm having exactly same issue. even worse my vpn speed on pfsene don't exceed 10mbps. did you solve this ? 

Share this post


Link to post

 

While I agree with zhang888 that your CPU is old (8 years). It does not mean that your CPU isn't good enough for your pfSense build.

 

refer to these threads.

https://forum.pfsense.org/index.php?topic=128698.15

https://forum.pfsense.org/index.php?topic=130350.0

 

It seems that the AES-NI can be turned off since v2.4 In the OpenVPN client section; setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

 

 

 

OMG this worked!!

 

For the longest time, I wasnt getting my full ISP speed after years of getting it just fine on PIA. I eventually concluded it was my ISP throttling my VPN and I switched to AirVPN using TCP tls crypt and then was finally able to get my full 100Mbps. 

 

I recently just upgraded my speed to 300Mbps yet I was still getting only 100Mbps. After changing my send/recieve buffer to 512 and adding fast i/o to custom options, im finally getting my full 300Mbps! I left Hardware Crypto on Intel RAND and im all good.

Share this post


Link to post

 

While I agree with zhang888 that your CPU is old (8 years). It does not mean that your CPU isn't good enough for your pfSense build.

 

refer to these threads.

https://forum.pfsense.org/index.php?topic=128698.15

https://forum.pfsense.org/index.php?topic=130350.0

 

It seems that the AES-NI can be turned off since v2.4 In the OpenVPN client section; setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

 

 

I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?

 

 

Since its a netgate (pfsense) it has built in aes-ni into the arm chip. At 349 USD for the base it better support crypto since 2.5 will require it

Share this post


Link to post

 

 

While I agree with zhang888 that your CPU is old (8 years). It does not mean that your CPU isn't good enough for your pfSense build.

 

refer to these threads.

https://forum.pfsense.org/index.php?topic=128698.15

https://forum.pfsense.org/index.php?topic=130350.0

 

It seems that the AES-NI can be turned off since v2.4 In the OpenVPN client section; setting the Fast I/O and Send/Receive buffers set to 512 seems to speed things up (bottom of the page)

 

 

I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?

 

 

Since its a netgate (pfsense) it has built in aes-ni into the arm chip. At 349 USD for the base it better support crypto since 2.5 will require it

 

 

https://www.netgate.com/solutions/pfsense/sg-3100.html  This says nothing about AES-NI.  Unfortunately, I think a lot of people will either be buying new hardware or won't be updating to 2.5.

Share this post


Link to post
It appears that the issue persists even after swapping to a different hardware setup with identical specifications. VPN speeds remain consistent or slightly worse, indicating that the problem might be related to configuration rather than hardware.

Share this post


Link to post

Just my 2 cents, worth to read:
https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

IPsec Multi-Buffer (IPsec-MB, IIMB) Cryptographic Acceleration [Plus only] --> PfSense Plus is free for personal use.


- Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz)

- Switch Cisco SG350-10

- AP Netgear RAX200 (Stock FW)

- NAS Synology DS1621+ (5 x 5TB WD Red)

- ISP: Fiber 1000/300 (PPPoE)

 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...