Is that real line "mtu" or just virtual parameter?

Eero

2017-11-26 6:04 GMT+02:00 Jim Thompson <[email protected]>:

> To explain why this is a good thing:
>
> One of the problems here is that while the AES-CBC (actual crypto) can be accelerated via AES-NI, the HMAC isn't (very new Intel parts have SHA instructions, but no support in OpenSSL in any version of FreeBSD or pfSense as yet).
>
> So, at the end of the day, your speed will be throttled by the speed of SHA-256 on <= ~1450 byte packets, as well as the overhead of making two "crypto" passes (one enc/dec, one hmac) over the stream of data.
>
> AES-GCM is an AEAD algorithm, so you get the HMAC as a "side effect".
>
> OpenVPN recommends AES-GCM for OpenVPN >= 2.4.
> https://community.openvpn.net/openvpn/wiki/SWEET32
>
> The other thing you can do, as indicated, is to run the "MTU" up such that the (OpenVPN) packet size increases, which reduces the overhead of both the TUN/TAP interface, as well as some of the overhead of handing relatively short packets to OpenSSL for encryption/decryption.
>
> Jim
>
>> On Nov 25, 2017, at 2:51 PM, Eero Volotinen <[email protected]> wrote:
>>
>> Well,
>>
>> cipher AES-256-CBC
>> auth SHA256
>>
>> thinking to upgrade this to AES-256-GCM
>>
>> Eero
>>
>> 2017-11-25 21:30 GMT+02:00 Jim Thompson <[email protected]>:
>>
>>> What crypto transform and authentication are you running? Maybe try AES-GCM (which is AES-NI accelerated) at both ends if both devices support it. Might need pfSense 2.4 for this.
>>>
>>> Try setting the (OpenVPN) MTU to a larger number.
>>>
>>> More hints: https://forum.pfsense.org/index.php?topic=123915.0
>>>
>>>> On Nov 25, 2017, at 11:37 AM, Lyle <[email protected]> wrote:
>>>>
>>>> There is a lot of information missing here.
>>>>
>>>> You have a better Netgate unit, but if the internet port on it is connected to a 100Mbps switch, performance will suck. Same on the LAN side. And if the ports are mismatched (half vs full duplex for instance), performance will suffer.
>>>>
>>>> What percentage of the gigabit link and/or LAN link on Netgate are you utilizing before adding in OpenVPN? Your ISP may be oversubscribed and its uplinks are saturated.
>>>>
>>>> You may be pushing too much traffic through the NetGate and it can not handle the load.
>>>>
>>>> In other words, based on the limited info you provided, you have not provided proof that it's a problem with the NetGate.
>>>>
>>>> Lyle Giese
>>>>
>>>>> On 11/25/17 06:34, Eero Volotinen wrote:
>>>>> Hi list,
>>>>>
>>>>> We are running pfsense 2.3 on netgate sg-8860.
>>>>>
>>>>> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>>>>>
>>>>> Eero
>>>>> _______________________________________________
>>>>> pfSense mailing list
>>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>>> Support the project with Gold! https://pfsense.org/gold
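To make Jim's two-passes-versus-one argument and the MTU point concrete, here is an added Go example (not code from the thread, pfSense or OpenVPN) that builds the `AES-256-CBC` + `auth SHA256` packet format as encrypt-then-MAC beside the `AES-256-GCM` AEAD, reports the per-packet bytes each adds on the wire, and times both on 1450-byte and 9000-byte payloads. The keys are constructed demo values, the GCM nonce is assumed to be 12 bytes with a 16-byte tag, and Go's `crypto` packages stand in for OpenSSL, so the absolute numbers will differ from a Netgate box; the structure (CBC pass plus a separate HMAC pass, versus a single GCM call) and the overhead arithmetic are what carry over.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Constructed demo keys; a real tunnel derives these from the TLS handshake.
var (
	demoEncKey = bytes.Repeat([]byte{0x11}, 32) // AES-256 key for CBC
	demoMacKey = bytes.Repeat([]byte{0x22}, 32) // HMAC-SHA256 key
	demoGcmKey = bytes.Repeat([]byte{0x33}, 32) // AES-256 key for GCM
)

const gcmNonceSize = 12 // assumed nonce length; tag is 16 bytes

// cbcHmacSeal is encrypt-then-MAC: one AES-CBC pass (AES-NI accelerated),
// then a second, separate HMAC-SHA256 pass over IV||ciphertext.
func cbcHmacSeal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7, always 1..16
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh IV per packet
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out) // second pass over the whole packet
	return mac.Sum(out), nil
}

// cbcHmacOpen verifies the HMAC before touching the ciphertext, so the
// padding check is only ever reached on authenticated data.
func cbcHmacOpen(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size {
		return nil, errors.New("packet too short")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC verification failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-1])
	if padLen < 1 || padLen > aes.BlockSize || !bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padLen], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal is the AEAD path: a single call yields nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcmNonceSize+aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	return aead.Open(nil, sealed[:gcmNonceSize], sealed[gcmNonceSize:], nil)
}

// Bytes each construction adds to an n-byte payload: this fixed cost is why
// a larger tunnel MTU raises goodput.
func cbcHmacOverhead(n int) int { return aes.BlockSize + (aes.BlockSize - n%aes.BlockSize) + sha256.Size }
func gcmOverhead(n int) int      { return gcmNonceSize + 16 }

// nsPerPacket times seal over iters packets of the given payload size.
func nsPerPacket(seal func([]byte) ([]byte, error), size, iters int) (float64, error) {
	pkt := make([]byte, size)
	start := time.Now()
	for i := 0; i < iters; i++ {
		if _, err := seal(pkt); err != nil {
			return 0, err
		}
	}
	return float64(time.Since(start)) / float64(iters), nil
}

func main() {
	cbc := func(p []byte) ([]byte, error) { return cbcHmacSeal(demoEncKey, demoMacKey, p) }
	gcm := func(p []byte) ([]byte, error) { return gcmSeal(demoGcmKey, p) }
	for _, size := range []int{1450, 9000} { // typical tunnel payload vs a jumbo MTU
		c, _ := nsPerPacket(cbc, size, 2000)
		g, _ := nsPerPacket(gcm, size, 2000)
		fmt.Printf("%5d-byte packets: CBC+HMAC %.0f ns (+%d B on the wire), GCM %.0f ns (+%d B)\n",
			size, c, cbcHmacOverhead(size), g, gcmOverhead(size))
	}
}
```

Run it with `go run .`; on an AES-NI machine the CBC+HMAC column is dominated by the SHA-256 pass, which is the bottleneck Jim describes, and the per-packet nanoseconds for both constructions grow far slower than the payload, which is the case for a larger MTU. The overhead functions show the other half of the story: at 1450 bytes CBC+HMAC adds 54 bytes (16 IV + 6 padding + 32 HMAC) where GCM adds 28.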
