johndom4774 1 Posted ...

Hello,

I have been using AirVPN for quite some time now... I was previously using the Eddie client on a single machine, but decided to build a PFSense box and configure the VPN there.

I am located in Canada, and setting a connection to a single VPN server in Toronto. It seems to give the best connection and reliability rather than going for the ca.airvpn (I seem to always end up at a BC server using this entry).

My issue is.... I currently have a 150mbps connection with my ISP.
Using PFSense without AirVPN I am able to reach my advertised speeds.
With AirVPN configured, I am only ever seeing a max of about 30mbps.

My hardware setup is quite decent.
Intel® Core i5 CPU 650 @ 3.20GHz
4gb DDR3 memory
120gb SSD
2 Intel NICs (both showing as igb)

My speeds using Eddie were very very good, much better than the PFSense speeds; so I can only assume that I have a configuration error (my hardware seems to be quite good from what I have been reading).

Some research from other posts did not help better my issue, so I am hoping that posting my own thread on this topic can bring me closer to a conclusion with mine.

I followed the guide by "pfSense_fan":
https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/

I can post any diagnostics or logs as necessary, I just do not know what you guys would like to see.

Any help with this would be appreciated.

Regards

zhang888 1066 Posted ...

> My hardware setup is quite decent.
> Intel® Core i5 CPU 650 @ 3.20GHz

Are you sure about that?
It's not the setup or us, it's your hardware.
https://ark.intel.com/products/43546/Intel-Core-i5-650-Processor-4M-Cache-3_20-GHz
Launch date: Q1 2010

This is not exactly decent. By any means an 8 year old CPU is usable, but cannot be expected to achieve high speeds with OpenVPN AES-256.
We don't exactly have any benchmarks from this CPU but a 30-40Mbit mark is my high bet.

Note when you build a high end dedicated box for OpenVPN/other tasks, you have to consider its max throughput before - CPU and RAM from the past 5 years should cost almost the same and give about twice better performance.

Just as you can't expect running some games on such machine, or running new apps on a phone from 8 years ago, this is almost the same. Your CPU is the Galaxy 1st gen / iPhone 3G of today's standards.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

strakur 1 Posted ...

While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build. Refer to these threads:
https://forum.pfsense.org/index.php?topic=128698.15
https://forum.pfsense.org/index.php?topic=130350.0

It seems that the AES-NI can be turned off since v2.4.

In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers to 512 seems to speed things up (bottom of the page).

zhang888 1066 Posted ...

@strakur
With all possible tweaks I don't think the CPU will reach above 40Mbit.

OP probably built and set up everything correctly, it's just the actual limit that is capped in this case. He probably didn't consider some other things.

We would be happy to see benchmarks on a 2010 CPU. It's quite a relic.
To be conclusive, just LAN<->LAN speeds with OpenVPN AES-256.
My bet is still on the 40Mbit top, maybe 50 with low latency UDP on LAN.

If testing methodology and commands are needed, reply.

ethix 2 Posted ...

> While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build. Refer to these threads:
> https://forum.pfsense.org/index.php?topic=128698.15
> https://forum.pfsense.org/index.php?topic=130350.0
>
> It seems that the AES-NI can be turned off since v2.4.
>
> In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers to 512 seems to speed things up (bottom of the page).

I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?

johndom4774 1 Posted ...

> My hardware setup is quite decent.
> Intel® Core i5 CPU 650 @ 3.20GHz
>
> Are you sure about that?
> It's not the setup or us, it's your hardware.
> https://ark.intel.com/products/43546/Intel-Core-i5-650-Processor-4M-Cache-3_20-GHz
> Launch date: Q1 2010
>
> This is not exactly decent. By any means an 8 year old CPU is usable, but cannot be expected to achieve high speeds with OpenVPN AES-256.
> We don't exactly have any benchmarks from this CPU but a 30-40Mbit mark is my high bet.
>
> Note when you build a high end dedicated box for OpenVPN/other tasks, you have to consider its max throughput before - CPU and RAM from the past 5 years should cost almost the same and give about twice better performance.
>
> Just as you can't expect running some games on such machine, or running new apps on a phone from 8 years ago, this is almost the same. Your CPU is the Galaxy 1st gen / iPhone 3G of today's standards.

That is fair.
I have a spare i7 6700k box lying around that I can test out my configuration on.
This should give a solid comparison as to if hardware is the issue, as this CPU should handle the crypto very well.

I will get it configured sometime this week and report back.

johndom4774 1 Posted ...

> @strakur
> With all possible tweaks I don't think the CPU will reach above 40Mbit.
>
> OP probably built and set up everything correctly, it's just the actual limit that is capped in this case. He probably didn't consider some other things.
>
> We would be happy to see benchmarks on a 2010 CPU. It's quite a relic.
> To be conclusive, just LAN<->LAN speeds with OpenVPN AES-256.
> My bet is still on the 40Mbit top, maybe 50 with low latency UDP on LAN.
>
> If testing methodology and commands are needed, reply.

I would love testing methodology and commands.
That would be very helpful! Thank you!

go558a83nk 364 Posted ...

> While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build. Refer to these threads:
> https://forum.pfsense.org/index.php?topic=128698.15
> https://forum.pfsense.org/index.php?topic=130350.0
>
> It seems that the AES-NI can be turned off since v2.4.
>
> In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers to 512 seems to speed things up (bottom of the page).

Why would you turn AES-NI off?

This is my CPU:
AMD A6-7400K Radeon R5, 6 Compute Cores 2C+4G
Current: 1400 MHz, Max: 3500 MHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)

For my setup I have cryptographic hardware in system_advanced_misc.php set to AES-NI and BSD Crypto device. Then in the OpenVPN client I have BSD Cryptodev engine selected (it's my only option besides no hardware crypto). I can max my ISP connection of 430mbit/s even through the openvpn tunnel with this.

https://www.cpubenchmark.net/compare.php?cmp[]=2392&cmp[]=767

Comparing my CPU with the OP's CPU, mine has slightly higher single thread rating. Still, I see no reason why, with AES-NI, higher speeds can't be achieved.

strakur 1 Posted ...

@go558a83nk

"Why would you turn AES-NI off?"

I agree; I personally keep my AES-NI setting turned on. However, when researching this topic, users having OpenVPN speed issues with pfSense stated that when AES-NI was turned on, they did not see any change in speed. In troubleshooting the issue (since version 2.4 of pfSense), they turned off AES-NI and used the OpenVPN Fast I/O setting with the Send/Receive buffers set to 512 to gain the performance boost.

"It seems that the AES-NI can be turned off since v2.4". This comment was based on not finding any definitive answer stating that AES-NI should be turned off or on since v2.4. I'm not sure that since 2.4 it uses it by default regardless of setting.

In my opinion, I would just keep AES-NI turned on unless you are seeing a negative impact with it on.

go558a83nk 364 Posted ...

> @go558a83nk
>
> "Why would you turn AES-NI off?"
>
> I agree; I personally keep my AES-NI setting turned on. However, when researching this topic, users having OpenVPN speed issues with pfSense stated that when AES-NI was turned on, they did not see any change in speed. In troubleshooting the issue (since version 2.4 of pfSense), they turned off AES-NI and used the OpenVPN Fast I/O setting with the Send/Receive buffers set to 512 to gain the performance boost.
>
> "It seems that the AES-NI can be turned off since v2.4". This comment was based on not finding any definitive answer stating that AES-NI should be turned off or on since v2.4. I'm not sure that since 2.4 it uses it by default regardless of setting.
>
> In my opinion, I would just keep AES-NI turned on unless you are seeing a negative impact with it on.

I've done theoretical testing on my pfsense box with AES-NI enabled at the system level, and not. It makes a huge difference - an order of magnitude perhaps.

I've always used fast-io and larger buffers.

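Added example (not written by any poster in this thread): one way to measure the raw single-core AES ceiling with and without AES-NI, the comparison the posts above argue about. It assumes an x86 CPU and an `openssl` binary; the cipher mode, the function names and the script name `aes_ceiling.sh` are illustrative. The result is an upper bound only, since OpenVPN adds packet handling and authentication on top of the cipher.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes an x86 CPU and an openssl binary.
CIPHER="${CIPHER:-aes-256-cbc}"   # thread only says "AES-256"; the mode is an assumption
NO_AESNI='~0x200000200000000'     # OPENSSL_ia32cap mask: hide AES-NI and PCLMULQDQ

# Read `openssl speed` output on stdin and print the 1024-byte column of the
# result row as Mbit/s. Rows report 1000s of bytes per second with a "k" suffix.
speed_to_mbit() {
    awk '$2 ~ /^[0-9.]+k$/ { row = $5 }
         END { if (row == "") exit 1
               sub(/k$/, "", row); printf "%.0f\n", row * 0.008 }'
}

# Benchmark the cipher on one core. "off" hides AES-NI from this openssl
# process only; it does not change any pfSense setting.
measure() {
    if [ "$1" = "off" ]; then
        OPENSSL_ia32cap="$NO_AESNI" openssl speed -evp "$CIPHER" 2>/dev/null
    else
        openssl speed -evp "$CIPHER" 2>/dev/null
    fi | speed_to_mbit
}

# Compare a cipher ceiling (Mbit/s) with the line rate (Mbit/s).
verdict() {
    if [ "$1" -ge "$2" ]; then
        echo "cipher-not-limiting"   # look at tunnel settings such as buffers and fast-io
    else
        echo "cipher-limited"        # no tunnel setting will exceed this
    fi
}

# Only benchmark when asked to: sh aes_ceiling.sh run [line_rate_mbit]
if [ "${1:-}" = "run" ]; then
    line="${2:-150}"              # 150 Mbit/s is the original poster's line rate
    on=$(measure on) && off=$(measure off) || { echo "openssl speed failed" >&2; exit 1; }
    echo "$CIPHER with AES-NI:    $on Mbit/s ($(verdict "$on" "$line") at $line Mbit/s)"
    echo "$CIPHER without AES-NI: $off Mbit/s ($(verdict "$off" "$line") at $line Mbit/s)"
fi
```

If the figure with AES-NI is far above the line rate while the tunnel still stalls near 30 Mbit/s, the cipher is not the bottleneck and the tunnel configuration is the place to look.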
johndom4774 1 Posted ...

I have confirmed that it is a misconfiguration and not a hardware issue.

Just swapped over to a box with the below specs. VPN speeds are around the same if not slightly worse.

Exact same configuration and NICs.

https://imgur.com/a/sKa2w

User975 0 Posted ...

> I have confirmed that it is a misconfiguration and not a hardware issue.
>
> Just swapped over to a box with the below specs. VPN speeds are around the same if not slightly worse.
>
> Exact same configuration and NICs.
>
> https://imgur.com/a/sKa2w

I'm having exactly the same issue. Even worse, my VPN speed on pfsense doesn't exceed 10mbps. Did you solve this?

TDJ211 0 Posted ...

> While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build. Refer to these threads:
> https://forum.pfsense.org/index.php?topic=128698.15
> https://forum.pfsense.org/index.php?topic=130350.0
>
> It seems that the AES-NI can be turned off since v2.4.
>
> In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers to 512 seems to speed things up (bottom of the page).

OMG this worked!! For the longest time, I wasn't getting my full ISP speed after years of getting it just fine on PIA. I eventually concluded it was my ISP throttling my VPN and I switched to AirVPN using TCP tls crypt and then was finally able to get my full 100Mbps. I recently just upgraded my speed to 300Mbps yet I was still getting only 100Mbps. After changing my send/receive buffer to 512 and adding fast i/o to custom options, I'm finally getting my full 300Mbps! I left Hardware Crypto on Intel RAND and I'm all good.

flat4 79 Posted ...

> > While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build. Refer to these threads:
> > https://forum.pfsense.org/index.php?topic=128698.15
> > https://forum.pfsense.org/index.php?topic=130350.0
> >
> > It seems that the AES-NI can be turned off since v2.4.
> >
> > In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers to 512 seems to speed things up (bottom of the page).
>
> I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?

Since it's a netgate (pfsense) it has built in aes-ni into the arm chip. At 349 USD for the base it better support crypto since 2.5 will require it.

pFsense it works

go558a83nk 364 Posted ...

> > > While I agree with zhang888 that your CPU is old (8 years), it does not mean that your CPU isn't good enough for your pfSense build. Refer to these threads:
> > > https://forum.pfsense.org/index.php?topic=128698.15
> > > https://forum.pfsense.org/index.php?topic=130350.0
> > >
> > > It seems that the AES-NI can be turned off since v2.4.
> > >
> > > In the OpenVPN client section, setting the Fast I/O and Send/Receive buffers to 512 seems to speed things up (bottom of the page).
> >
> > I was having some issues with my OpenVPN clients from a pfSense box. Setting the send/receive buffers to 512 more than doubled my speeds from ~10-15Mbps to 30-35Mbps on a 50Mbps internet connection. I have the SG-3100, so there's no aes-ni because it's an ARM a9 processor. Curious if you have any other suggestions?
>
> Since it's a netgate (pfsense) it has built in aes-ni into the arm chip. At 349 USD for the base it better support crypto since 2.5 will require it.

https://www.netgate.com/solutions/pfsense/sg-3100.html

This says nothing about AES-NI. Unfortunately, I think a lot of people will either be buying new hardware or won't be updating to 2.5.

Ariyan77 0 Posted ...

It appears that the issue persists even after swapping to a different hardware setup with identical specifications. https://instaups.org/ VPN speeds remain consistent or slightly worse, indicating that the problem might be related to configuration rather than hardware.

Wolf666 17 Posted ...

Just my 2 cents, worth a read:
https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

IPsec Multi-Buffer (IPsec-MB, IIMB) Cryptographic Acceleration [Plus only] --> PfSense Plus is free for personal use.

- Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz)
- Switch Cisco SG350-10
- AP Netgear RAX200 (Stock FW)
- NAS Synology DS1621+ (5 x 5TB WD Red)
- ISP: Fiber 1000/300 (PPPoE)