badbread
join:2005-01-18
San Francisco, CA

badbread

Member

Re: OpenVPN (via PIA), PFSense, and gig internet at home. Only 400Mbps down

If I understood HELLFIRE correctly, that's a good point. Internally am I able to achieve over 400Mbps?

At a minimum I should be getting 400Mbps since I'm not dealing with the WAN at all, right?

So after much tinkering I was able to set up an OpenVPN server on my LAN.

I set it up via UDP, matching the same encryption algorithm as PIA VPN.

I used iperf3 on the router and win 10 machine to test speeds, here are the results:

60 second, TCP test with 1 stream
 
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec  2.48 GBytes   354 Mbits/sec  3885             sender
[  5]   0.00-60.00  sec  2.48 GBytes   354 Mbits/sec                  receiver
 

60 second, TCP test with 2 streams
Test Complete. Summary Results:
[SUM]   0.00-60.00  sec  2.51 GBytes   359 Mbits/sec  9798             sender
[SUM]   0.00-60.00  sec  2.51 GBytes   359 Mbits/sec                  receiver
 

At no point did the PFSense load go too high, or the CPU usage exceed 10%.
I tried many different tests and variables in iPerf and the above is the best I was able to achieve while in the VPN tunnel.

So my speeds are actually lower than with PIA. That's really frustrating because it doesn't make sense at all but at this point, I'm thinking there is A LOT I need to learn about networking, VPN, packet sizes, etc...

doczenith1, that's awesome! I couldn't get my 68u to get above 300Mbps or so, wondering if that's because I had QoS set up. I saw getting gig internet as a great opportunity to jump into PFSense and learn all about it so I didn't tinker with the Asus all that much.

Thanks again all!

bdnhsv
join:2012-01-20
Huntsville, AL

bdnhsv

Member

Can you create a simple diagram of your setup for your latest test, and provide some details about the box used for your OpenVPN server (if it was something other than your PFSense box)?
badbread
join:2005-01-18
San Francisco, CA

badbread

Member

The kids went to bed early last night so I got to tinker with this A LOT...

Here are all the details.

PFSense router specs: (OpenVPN Server)
• 4 port "Intel(R) PRO/1000 7.6.1-K" NIC where the WAN comes in on eth1
• Onboard "Intel(R) PRO/1000 7.6.1-K" NIC for the LAN on eth4
• Intel i7-6700, 16GB RAM
• 128GB SSD, 1TB HDD

Client Machine (OpenVPN Client)
• 2 port "Intel Pro/1000 PT Server Adapter" NIC where LAN comes in
• Onboard "Intel I219-LM" goes to a different subnet/VLAN for CCTV cameras
• Intel i7-6700, 16GB RAM
• A couple SSDs and HDDs

Physical Network
Motorola 8600 cable modem ---> PFSense eth1 (WAN) ---> PFSense eth4 (LAN) ---> TPLink TL-SG3424P 24 port PoE+ switch ---> Client(s)

For the latest test I did this:
PFSense box running OpenVPN server with the same encryption settings as PIA -> OpenVPN 2.43 for Windows client

I used iperf and tried both the OVPN Server and OVPN Client as a server/client in iPerf which made no difference in speeds. I made sure iPerf was binding to the correct VPN interface, and tried multiple different tests. I tried enabling AES-NI to see if that made a difference and it didn't.

CPU usage on both the OVPN Client/Server was barely affected by the tests. I played with MTU settings on both the interface and the OVPN server settings with no change in speed.

I tried the tests with Suricata (IDS), Squid (Proxy), PFBlockerNG all off even though them being on vs off made no difference in the speed.

Let me know if you need any other details and thanks again all!

bdnhsv
join:2012-01-20
Huntsville, AL

bdnhsv

Member

You have plenty of CPU power on both ends. I see 2 places in PFSense to configure H/W acceleration.

System/Advanced/Misc
Crypto H/W = AES-NI

VPN/OpenVPN/Server
H/W Crypto = BSD cryptodev

Do you have those 2 settings enabled?

I'm not sure what settings might be available in your Windows client, but it might not hurt to check in there as well.
bdnhsv

bdnhsv to badbread

Member

to badbread
I also found this page on the OpenVPN wiki which has some interesting info. It shows that they were able to achieve close to 900 mb/s in some tests they did on a Gig network.

»community.openvpn.net/op ··· ks_Linux
Merlin235
join:2014-10-14
USA

Merlin235

Member

Everyone that is trying to get very high throughput using a commercial VPN provider needs to read this article.

The conclusion one can draw is that even if you have a fast processor at your end, there is no telling what your VPN provider is using, and while you can tweak some settings at your end, such as the level of encryption, to maximize throughput, you have little or no control of the VPN provider's setup.

Also, the attempt to maximize throughput didn't examine what the impact of multiple users trying to connect does to an individual client's throughput. This is a key variable since at any one time you could have 100+ clients connecting.

SysOp
join:2001-04-18
Atlanta, GA

SysOp

Member

said by Merlin235:

Everyone that is trying to get very high throughput using a commercial VPN provider needs to read this article.

Consumer grade "proxy as a service" provider is not the same as a commercial MPLS vpn provider.

For gigabit transfer rates, consider using enterprise grade equipment connected to your own private proxy in a data center.
badbread
join:2005-01-18
San Francisco, CA

badbread to bdnhsv

Member

to bdnhsv
said by bdnhsv:

You have plenty of CPU power on both ends. I see 2 places in PFSense to configure H/W acceleration.

System/Advanced/Misc
Crypto H/W = AES-NI

VPN/OpenVPN/Server
H/W Crypto = BSD cryptodev

Do you have those 2 settings enabled?

I'm not sure what settings might be available in your Windows client, but it might not hurt to check in there as well.

Yes sir, I have tried with AES-NI enabled, Intel "RD RAND", etc... Really no difference in speed/CPU usage.
said by bdnhsv:

I also found this page on the OpenVPN wiki which has some interesting info. It shows that they were able to achieve close to 900 mb/s in some tests they did on a Gig network.

»community.openvpn.net/op ··· ks_Linux

Thanks, I was taking a look at this as well. I think I need to test Linux -> Linux to see how big a factor M$ TCP factor plays in.
said by SysOp:

What does PIA have to say about it? I really don't think your $8 per month covers gigabit transfer rates.

On the other hand, even if you could transfer at gigabit rates between you and PIA, once traffic leaves the PIA network it's a moot point, so you're better off rolling your own VPN so you have control over the bandwidth, as well as security on both sides of the connection, aka site to site.

PIA says they don't restrict bandwidth and have sent me various KB articles on how to change ports and set up the Windows client. Not very helpful at all.

---------------------------------------------------

So where am I at now? Thanks again for all the responses, I appreciate it.
I understand the speeds I am getting now are pretty good and I'm not complaining.
This has been a great learning experience and I'm hoping to continue to play with this to better get an understanding of how PFSense, OpenVPN, and networking work in general.

I'd still like to figure out why on my LAN using the PFSense as an OpenVPN Server and local LAN clients I'm getting slower speeds than from PIA through the WAN.

Thanks again! I'll update this post as I make progress.

SysOp
join:2001-04-18
Atlanta, GA

SysOp

Member

said by badbread:

PIA says they don't restrict bandwidth

If they don't manage bandwidth, you may never see gigabit transfer rates over a single PIA proxy, because their network is oversubscribed.

All this time and money on an elaborate setup so you don't have to spend money on content?