Virtualized pfsense, now AES is having no effect on OpenVPN performance


eroji

My transfers across the tunnel are performant now.

I have Hyper-V (2012 R2) running on an E5-2620 and an E3-1230v3 across a 1GbE link. I was seeing around 30MB/s, and I'm hitting 100MB/s now.

I'll go shove in my 10GbE switch sometime, and attach SFP+ DACs, but it'll be a few months before I get back to this DC.
What did you have to do to gain the speed?
 

j_h_o

Yup, I see the performance I said above, 100MB/s (maxing out 1GbE) across OpenVPN now. Confirmed again with a Veeam backup across the tunnel, in addition to SMB traffic and SCP traffic.

I twiddled the System>Advanced>Misc>AESNI, then in the OpenVPN server/client, enabled BSD cryptodev engine, with AES-256-CBC. I'm running 2.2.5 on both VMs on the E5-2620 and E3-1230v3 as I said. Both boxes are running 2012 R2.

(I'm positive I twiddled these before, but on an earlier version of pfSense.)
 

eroji

Well, I'm leaning towards Server 2 not behaving properly. I was planning to replace the USB boot drive in it and add an X520-DA2 anyway, so I guess I'll just go ahead and do a fresh reinstall along with a reinstall of pfSense (perhaps back on a dedicated box) this weekend when I am over there to see how it goes.
 

sthsep

Is this when you select cryptodev in the OpenVPN configuration or when you turn on AES-NI in Advanced > Misc?

I'm not seeing any new entries in /var/log/openvpn.log, but this is interesting... (on Server 2)
Code:
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
Feb 29 12:00:11 pfsense2 openvpn[10534]: write UDPv4: No buffer space available (code=55)
BTW, you guys are awesome. Thanks for taking the time to reply to this.
I also get this on my pfSense VPN box when I push about 100Mbit of traffic. I haven't found a solution for this either, but maybe someone else here has. Maybe we can just make this buffer bigger? Or maybe it is because my ping gets very high when I use about 100Mbit (nearly 10 times more RTT) and it can't send the packets fast enough?
 

eroji

I am still not sure what it is. The errors may just be bogus. I tried converting both pfSense instances back to physical and the speed did not change. So it's either something in the config, which I don't think is the case, or one of the ISPs is throttling the traffic.
 

JimPhreak

Have you tried testing an OpenVPN client connection to a VPN provider such as AirVPN/PIA? I believe they offer free trials so you could try setting up a connection to one of their servers and see if you're still having speed issues. Just another troubleshooting option.
 

eroji

No, I have not. That is a good idea. I am going to be building both pfsense again with C2558 so I will give it a shot after that is done.
 

JimPhreak

That's the exact CPU I'm running in my pfSense box that acts as a server for a 100Mbps site-to-site connection to another pfSense box running on a Celeron J1900. I get full speed and the CPU never goes above 15-20% on the C2558 and not beyond 25% on the J1900.
 

eroji

Yeah, seems like that's the golden setup for pfSense with QuickAssist support upcoming. I found 2 boards used and pretty cheap. So I figured it's better to sell off some other parts I had been using for this purpose which were just too overpowered and not efficiently utilized.
 

kroem

I don't know ESXi in detail...

On Proxmox (or Linux KVM), you need to pass the real CPU to the VM, since hardware acceleration is not supported in the virtual CPU.
I changed the processor to the real processor, and AES kicked in on OpenVPN.

You should see a big difference in CPU processing when AES is disabled or enabled, assuming your OpenVPN is using AES encryption.

The other thing to consider: OpenVPN runs single-threaded, so the highest processor has better performance on throughput....
Hey there! Do you mean you changed the CPU type to whatever is actually on bare metal?

I'm having issues getting OPNsense to see AES-NI inside a Proxmox VM....
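
A way to confirm from inside the guest whether the hypervisor exposes the AES instructions, added here as an example and not taken from any post in this thread. It parses the CPU feature list a FreeBSD guest (pfSense/OPNsense) records in /var/run/dmesg.boot and, going slightly beyond the thread, the flags line of a Linux guest's /proc/cpuinfo. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether this guest sees the AES-NI CPU feature.
# Function names are hypothetical; sample inputs are constructed.

# Constructed FreeBSD boot-log excerpt: guest with the host CPU passed through.
SAMPLE_HOST='CPU: constructed sample, CPU type "host"
  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX,HV>'

# Constructed FreeBSD boot-log excerpt: guest with a generic emulated CPU.
SAMPLE_EMULATED='CPU: constructed sample, generic virtual CPU
  Features2=0x80202001<SSE3,CX16,x2APIC,HV>'

# aesni_in_text TEXT -> prints "yes" or "no"
aesni_in_text() {
    # FreeBSD lists AES-NI as AESNI inside the Features2=0x...<...> line.
    if printf '%s\n' "$1" | grep -E '^[[:space:]]*Features2=' |
        tr '<>,' '\n\n\n' | grep -qx 'AESNI'; then
        echo yes
        return 0
    fi
    # Linux lists it as the whole word "aes" on the "flags :" line.
    if printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' |
        tr ' \t' '\n\n' | grep -qx 'aes'; then
        echo yes
        return 0
    fi
    echo no
}

# aesni_live -> checks the running system; "unknown" if neither file exists.
aesni_live() {
    for f in /var/run/dmesg.boot /proc/cpuinfo; do
        if [ -r "$f" ]; then
            aesni_in_text "$(cat "$f")"
            return 0
        fi
    done
    echo unknown
}

echo "host CPU type sample:     $(aesni_in_text "$SAMPLE_HOST")"
echo "emulated CPU type sample: $(aesni_in_text "$SAMPLE_EMULATED")"
echo "this machine:             $(aesni_live)"
```

A "no" on the live check inside the VM, while the same check on the bare-metal host says "yes", points at the VM's CPU type rather than at the OpenVPN or firewall configuration.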