To explain why this is a good thing: One of the problems here is that while the AES-CBC (actual crypto) can be accelerated via AES-NI, the HMAC isn’t (very new Intel parts have SHA instructions, but no support in OpenSSL in any version of FreeBSD or pfSense as yet).

So, at the end of the day, your speed will be throttled by the speed of SHA-256 on <= ~1450 byte packets, as well as the overhead of making two “crypto” passes (one enc/dec, one hmac) over the stream of data.

AES-GCM is an AEAD algorithm, so you get the HMAC as a “side effect”. OpenVPN recommends AES-GCM for OpenVPN >= 2.4.
https://community.openvpn.net/openvpn/wiki/SWEET32

The other thing you can do, as indicated, is to run the “MTU” up such that the (OpenVPN) packet size increases, which reduces the overhead of both the TUN/TAP interface, as well as some of the overhead of handing relatively short packets to OpenSSL for encryption/decryption.

Jim

> On Nov 25, 2017, at 2:51 PM, Eero Volotinen <[email protected]> wrote:
>
> Well,
>
> cipher AES-256-CBC
> auth SHA256
>
> thinking to upgrade this to AES-256-GCM
>
> Eero
>
> 2017-11-25 21:30 GMT+02:00 Jim Thompson <[email protected]>:
>
>> What crypto transform and authentication are you running? Maybe try
>> AES-GCM (which is AES-NI accelerated) at both ends if both devices support
>> it. Might need pfSense 2.4 for this.
>>
>> Try setting the (OpenVPN) MTU to a larger number.
>>
>> More hints: https://forum.pfsense.org/index.php?topic=123915.0
>>
>>> On Nov 25, 2017, at 11:37 AM, Lyle <[email protected]> wrote:
>>>
>>> There is a lot of information missing here.
>>>
>>> You have a better Netgate unit, but if the internet port on it is
>>> connected to a 100Mbps switch, performance will suck. Same on the LAN
>>> side. And if the ports are mismatched (half vs full duplex for instance),
>>> performance will suffer.
>>>
>>> What percentage of the gigabit link and/or LAN link on Netgate are you
>>> utilizing before adding in OpenVPN? Your ISP may be over subscribed and
>>> its uplinks are saturated.
>>>
>>> You may be pushing too much traffic through the NetGate and it cannot
>>> handle the load.
>>>
>>> In other words, based on the limited info you provided, you have not
>>> provided proof that it's a problem with the NetGate.
>>>
>>> Lyle Giese
>>>
>>>> On 11/25/17 06:34, Eero Volotinen wrote:
>>>> Hi list,
>>>>
>>>> We are running pfsense 2.3 on netgate sg-8860.
>>>>
>>>> Device is connected to internet with gigabit link, but openvpn speed is
>>>> very slow (about 50Mbit/s). Any idea how to get more speed to vpn
>>>> clients?
>>>>
>>>> Eero
>>>> _______________________________________________
>>>> pfSense mailing list
>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>> Support the project with Gold! https://pfsense.org/gold
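As an added example (it is not from the thread and not the config pfSense generates), here are the data-channel settings Eero posted next to the AES-GCM equivalent Jim recommends, with comments on what each change does to the per-packet work. It assumes OpenVPN 2.4 or later on both ends; the tun-mtu figure is an assumption to tune for your path, not a number from the thread.

```conf
# Added example, not from the thread or from pfSense's generated config.

# Before (Eero's settings): two passes over every packet.
#   AES-256-CBC   -> AES-NI accelerated
#   HMAC-SHA256   -> software SHA-256 on every <= ~1450 byte packet
cipher AES-256-CBC
auth SHA256

# After: one AEAD pass per packet. With a GCM cipher the "auth" digest is
# ignored for the data channel (integrity comes from the cipher itself);
# it still keys tls-auth/tls-crypt on the control channel, so leave it in.
cipher AES-256-GCM
auth SHA256
# OpenVPN 2.4 peers negotiate the data cipher from this list. A 2.3 peer
# cannot negotiate and cannot do GCM at all, so both ends need 2.4
# (pfSense 2.4) for this to take effect.
ncp-ciphers AES-256-GCM:AES-128-GCM

# Bigger tunnel packets mean fewer TUN reads/writes and fewer OpenSSL calls
# per byte. 9000 is an assumption: it only pays off if the path actually
# carries the larger UDP datagrams. OpenVPN's own --fragment splits before
# encrypting, so adding it would hand short packets back to OpenSSL.
tun-mtu 9000
```

To confirm the target can use GCM before changing both ends, run `openvpn --show-ciphers` on each side and check that AES-256-GCM is listed. To see the cost Jim describes on your own CPU, compare `openssl speed -evp aes-256-cbc`, `openssl speed -evp sha256` and `openssl speed -evp aes-256-gcm` at the 1024-byte size: the CBC+HMAC path has to fit both of the first two into the time budget, the GCM path only the third.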
