Hardware and Performance / OpenVPN performance differential (openWRT, pfSense & OPNsense)
« on: April 09, 2018, 08:45:48 pm »
Hi folks,
Intro (skippable)
I recently decided to try using a self-hosted router to allow all my network traffic to be routed through my VPN provider transparently. It has been a very interesting journey so far. I started with OpenWRT, but its stable releases were very old and the snapshots contained too many bugs to use on a daily basis. I then tried pfSense but I kept searching for alternatives and eventually stumbled upon OPNsense and its vision and style align much better with my preference for software projects.
TL;DR: Recently started using OPNsense
I created essentially identical setups with openWRT, pfSense and OPNsense to tunnel my network traffic through my VPN. I would prefer to continue using OPNsense, however, the performance difference in terms of OpenVPN throughput is staggering:
pfSense (2.4.3) 60Mb/s
openWRT (1.17.04) 85Mb/s
OPNsense (18.1.5) 30Mb/s
For reference on my setup:
All software is running in a VirtualBox VM on a Windows 10 Pro host with the following specs:
CPU: Athlon X4 620 @ 3GHz
RAM: 4GB DDR3-1333
Of that, I dedicated 3 cores and 1024MB to the respective VMs and testing was done successively. Network adapters are emulated as Intel PRO/1000 MT Desktop (with the exception of OpenWRT which benefits from paravirtualized network adapters. They are not used on OPNsense and pfSense because in those two, they incur a steep performance penalty). Underlying hardware are Gbit-Realtek NICs (easily capable of pushing more than 100Mb/s consistently).
Connection using direct connection via the provider router:
Down: 100Mb/s (advertised), 90-110Mb/s (actual)
Up: 5Mb/s (advertised), 30Mb/s (actual)
The VPN provider (mullvad.net) uses AES-256-CBC to encrypt the traffic with LZO compression enabled (non-adaptive). They also provide a very complete guide to setup on openWRT and pfSense (which works for OPNsense with essentially no changes).
Now, I am not surprised that my CPU fails to achieve the maximum throughput given the usual performance of OpenVPN/OpenSSL, however, I am very surprised by the performance difference between OPNsense and pfSense. I expected a performance penalty coming from openWRT (given it's designed for embedded systems) but I expected OPNsense to perform similarly to pfSense (if not better).
So to you guys my question: is there something obvious in the OPNsense/OpenVPN settings that I might be missing that would massively influence the performance? Or is there a reason I should expect OPNsense to perform much worse in combination with OpenVPN?
Any tips or ideas would be greatly appreciated.
