Converted a PC to a pfSense Router to test OpenVPN performance

i3 7100T @ 3.4 GHz 35W on IPFire.

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc    1151736.60k  1241351.91k  1275924.65k  1285137.75k  1295377.12k
aes-256-cbc     861152.57k   909512.00k   930465.71k   936499.54k   938377.22k

[root@ipfire ~]# time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc

real 0m3.903s
user 0m3.893s
sys 0m0.007s

819 Mbps

Use GCM with that chip... numbers below are from MacOS with Homebrew...

Code:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     318858.04k   906715.01k  2038832.90k  3027272.36k  3720822.78k  3812321.96k
 
Indeed, seems better with gcm. Thank you.
Code:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     658666.97k  1470223.45k  2779063.98k  4239149.74k  5217189.89k
 
Numbers for Kaby Lake seem reasonable... playing around with my new Kaby Lake NUC - i5-7260... Should get around wired speed on a gigabit connection...

Code:
aes-256-gcm: 3200/2.99 = 1070
aes-128-gcm: 3200/2.95 = 1084
aes-256-cbc: 3200/3.59 = 891
aes-128-cbc: 3200/3.52 = 909

openssl speed stuff...

Code:
openssl speed -evp aes-256-gcm -elapsed
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-gcm     569155.80k  1369094.40k  2320816.81k  3266713.26k  3777847.30k

Haven't had much time to tune things, but crypto is pretty fast - esp. with GCM...

Code:
sfx@nuc7:~$ gnutls-cli --benchmark-ciphers
Checking cipher-MAC combinations, payload size: 16384
             AES-128-GCM 5.15 GB/sec
             AES-128-CCM 0.66 GB/sec
       CHACHA20-POLY1305 0.48 GB/sec
                    NULL 37.64 GB/sec
        SALSA20-256-SHA1 0.35 GB/sec
        AES-128-CBC-SHA1 0.49 GB/sec
        AES-128-CBC-SHA256 0.30 GB/sec

Checking MAC algorithms, payload size: 16384
            SHA1 0.80 GB/sec
          SHA256 0.37 GB/sec
          SHA512 0.43 GB/sec

Checking ciphers, payload size: 16384
                3DES-CBC 26.96 MB/sec
             AES-128-CBC 1.29 GB/sec
             ARCFOUR-128 0.70 GB/sec
             SALSA20-256 0.60 GB/sec
 
VPN is a must-have for my use case. But as we all know, the CPUs inside most consumer routers struggle in this regard.

I have been keeping eyes open for a PC to become available that had a CPU with AES-NI support so I could flash it with pfSense to see how OpenVPN performance compared with the AC88U. One became available yesterday. So I ran out to the store and purchased an extra Network Adapter. After installing the NIC, I installed pfSense using a USB. I used the config backup from my current pfSense appliance so setup was a non-event except I had to reinstall the pfBlockerNG package.

The specs of the CPU are:

Intel(R) Core(TM) i5-3450 CPU @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

It has been up and running under 24 hours. I am in SE Asia and connected to a VPN Server on the west coast of USA.

I am surprised by the increase in performance, especially when using an ethernet (ETH) connection. The other surprise is the difference between ethernet and wireless performance. I use a D-Link 880L flashed with DD-WRT as the Access Point.

Numbers are Mbps

View attachment 11882

View attachment 11883

I think I just found a new router for my home network!

I have achieved 5G download speeds up to 150 Mbit with the AC86U to VPN servers in various locations in USA, have not conducted any speed tests via ethernet connection.
 
sfx2000, that i5 is pretty nice.
My i3 7100T with 35W TDP scores exactly the same as that i5, only that the i5 is a 15W TDP.
 
The i5-7260U turbos up to the same 3.4GHz clock as the i3-7100T, so performance should be similar since both are on the same uArch - Kaby Lake. The i5-7260U brings other things to the party, mostly for GPU stuff (bigger GPU, the eDRAM, Thunderbolt 3, etc.)

My biggest complaint with the 7260U is the price of memory - it needs DDR4, and because of supply and demand, it's expensive compared to DDR-3 - other than that, it's a great chip to work with.
 
