How to optimize VPN speed vs security in OPNsense?

Started by elenagilbert, Today at 09:16:42 AM

Hi everyone,

I've been using OPNsense for a while and have set up VPN connections for remote workers. One thing I'm still trying to figure out is the best way to balance performance and security.
For example, when enabling stronger encryption (like AES-256-GCM), I notice a drop in throughput compared to lighter ciphers. On the other hand, I don't want to compromise security just for speed.
I'm curious—what are the best practices the community recommends for:
- Choosing encryption algorithms without losing too much performance
- Tweaking VPN settings to handle multiple users smoothly
- Hardware considerations that make the biggest impact on VPN performance
Any insights, real-world experiences, or recommended configurations would be greatly appreciated!
Thanks in advance!

Today at 09:57:06 AM #1 Last Edit: Today at 09:59:59 AM by meyergru
You can only choose between different ciphers with IPsec and OpenVPN; with WireGuard, ChaCha20 is always used.

Performance of such algorithms depends heavily on your hardware (for example, ChaCha20 is way faster than AES-256 for most low-power CPUs, but recent x64 CPUs often sport AES-NI support).

So for a practical approach, you can just measure how fast the relevant algorithms are for your setup (note that I say "setup", not "hardware", because it depends on the VPN partner, as well). You can use iperf3 for that.

After you have determined how fast the algorithms are, you can choose the one that you deem secure enough. There are plenty of comparisons out on the internet. I would say that both AES-256-GCM and ChaCha20 are good enough (tm).

That being said, of course, you may benefit from CPUs with AES-NI support for the AES-type variants of algorithms, and more generally with faster CPUs. For specific needs, there are hardware accelerators available (you can configure their use in OPNsense settings), but do you really want to spend that kind of money?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
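As an added example (not code from the thread or from OPNsense), here is one way to do the "measure first, then pick" step from the reply above for the two ciphers mentioned: it runs `openssl speed -evp` for AES-256-GCM and ChaCha20-Poly1305 on the firewall itself and compares the 1024-byte column, the block size closest to a typical VPN packet (that choice is an assumption). The embedded sample lines are constructed, not real measurements, and are only used when `openssl` is not on the PATH; raw cipher throughput is a hardware check, so an iperf3 run through the actual tunnel is still needed to measure the full setup.

```python
"""Compare AES-256-GCM vs ChaCha20-Poly1305 raw throughput from `openssl speed -evp` output."""
import re
import shutil
import subprocess

CIPHERS = ("aes-256-gcm", "chacha20-poly1305")
BLOCK_SIZES = (16, 64, 256, 1024, 8192, 16384)  # column order printed by openssl speed

# Constructed sample lines (not real measurements), shaped like the last line openssl prints.
SAMPLE_OUTPUT = {
    "aes-256-gcm": "AES-256-GCM  412345.67k  987654.32k 1823456.78k 2312345.67k 2456789.01k 2478901.23k",
    "chacha20-poly1305": "ChaCha20-Poly1305  223456.78k  612345.67k  934567.89k 1012345.67k 1034567.89k 1045678.90k",
}


def parse_speed_line(line):
    """Return {block_size: MB/s} from a per-cipher summary line ('k' = 1000 bytes per second)."""
    fields = re.findall(r"([0-9.]+)k", line)
    if len(fields) != len(BLOCK_SIZES):
        raise ValueError("unexpected openssl speed line: %r" % line)
    return {bs: float(v) * 1000 / 1e6 for bs, v in zip(BLOCK_SIZES, fields)}


def run_openssl_speed(cipher, seconds=3):
    """Benchmark one EVP cipher with openssl; returns its summary line, or None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "speed", "-evp", cipher, "-seconds", str(seconds)],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().splitlines()[-1]  # last line is the cipher's own row


def compare(results, block_size=1024):
    """results: {cipher: summary line}. Returns (fastest cipher, {cipher: MB/s}) at block_size."""
    rates = {c: parse_speed_line(line)[block_size] for c, line in results.items()}
    return max(rates, key=rates.get), rates


if __name__ == "__main__":
    measured = {c: run_openssl_speed(c) or SAMPLE_OUTPUT[c] for c in CIPHERS}
    best, rates = compare(measured)
    for cipher, mbps in rates.items():
        print("%-18s %8.1f MB/s at 1024-byte blocks" % (cipher, mbps))
    print("faster on this CPU:", best)
```

The 1024-byte column is used because VPN payloads are packet-sized, whereas the 16384-byte column overstates what a tunnel will see.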