Hardware For OpenVPN Connection > 100mb?

BfA (Limp Gawd, joined May 21, 2007, 184 messages)
I'm trying to figure out if there are any hardware routers out there that may be able to handle an OpenVPN connection that's symmetrical at over 100mb? I know that it would be quite CPU intensive, but as there would be only that one connection running 24/7, I was wondering if there might be a higher-end Asus router or lower-end Cisco device that might be able to handle this load? I would prefer something reliable and low power. It would be a bonus if it had wifi, but that is not required.

I'm currently planning on building a box to run pfSense on that would have an i3 or greater CPU. But if there's something simple that would be a reliable option, I would definitely be interested.

Alternatively, if IPsec or something else may be better for this setup I'd love to hear about it.
 
The i3 should do it, but I don't think you will easily find any OpenVPN solution on any of the home routers that will do the 100Mbit.
 
One of OpenVPN's strengths is that it runs in user mode and not in the kernel. This increases security and flexibility.

It's also the reason you need beefier hardware to achieve speeds of in-kernel solutions. And if your packets are small enough, the overhead of going from user mode to kernel mode might create an artificial barrier you can never overcome by throwing more hardware at it.

If you need performance, you might have to switch to kernel VPN implementations. It's just the way things work.

If it's a static link that doesn't serve dozens of roadwarriors, IPsec might indeed be the better tool.
 
You won't find an off-the-shelf router that will do OpenVPN at 100mbps+. That being said, OpenVPN uses OpenSSL, which supports CPU-based AES-NI natively. That means that any CPU that supports AES-NI running pfSense will push 100mbps+.

If you can't use IPsec (and therefore the EdgeRouter Lite), building a decent pfSense box might be your best solution.

I also use several HP t5745 thin clients running pfSense to do some OpenVPN site-to-site connections, and they easily support 50mbps. They do not support AES-NI.
 
@ TCM2
That's a design choice for portability, not security concerns.

@ All

Just to clear up a few things...

1. OpenVPN uses one thread, meaning that multi-core won't help unless you have several instances of it running.

@ bds1904

2. Due to the way OpenVPN is designed, and also because it is a userland application, hardware acceleration doesn't help; in fact it might even slow things down due to the latency of context switching and waiting on the hardware encryption unit. Please stop claiming this; feel free to test this on the ERL or any other MIPS/ARM unit that has a crypto engine (the Kirkwood ARM platform comes to mind).

So, in short... AES-NI won't help; since most CPUs are i3's or better, it'll work due to the processing power of the CPU itself, not because of the encryption unit.

http://hardforum.com/showthread.php?t=1851541
Having these numbers in mind, you'd probably need at least a Pentium-class CPU (i3 preferred) if you want to achieve 100/100 (both ways). If you want something neat, the Intel NUCs are a great choice, and they'll do fine with one NIC if you use VLANs to separate WAN and LAN traffic.

The Fitlet series might be of interest too:
http://www.fit-pc.com/web/products/specifications/fitlet-models-specifications/?model[]=FITLET-GB-C62-W&model[]=fit-PC4-CA1067-WACB-FM4U-BFLT&model[]=FITLET-GI-C64-WACB

//Danne
 
@ TCM2
That's a design choice for portability, not security concerns.

Running in user mode with the ability to drop privileges and using chroot() - plus any other mechanism the OS has available to restrict user mode processes - is inherently good for security, whether you designed it for that purpose or not. And I think it would be stupid to claim a VPN wasn't designed for security.

They might not stress the security benefits of this as much as the benefits they get from implementing the crypto right, etc., but any admin knows that user mode > kernel mode security-wise, which is all I said.
 
@ bds1904

2. Due to the way OpenVPN is designed, and also because it is a userland application, hardware acceleration doesn't help; in fact it might even slow things down due to the latency of context switching and waiting on the hardware encryption unit. Please stop claiming this; feel free to test this on the ERL or any other MIPS/ARM unit that has a crypto engine (the Kirkwood ARM platform comes to mind).

So, in short... AES-NI won't help; since most CPUs are i3's or better, it'll work due to the processing power of the CPU itself, not because of the encryption unit.

http://hardforum.com/showthread.php?t=1851541
Having these numbers in mind you'd probably need at least a Pentium class CPU (i3 preferred) if you want to achieve 100/100 (both ways). If you want something neat the Intel NUCs are a great choice and they'll do fine with one NIC if you use VLANs to filter WAN and LAN traffic.

The Fitlet series might be of interest too,,,
http://www.fit-pc.com/web/products/specifications/fitlet-models-specifications/?model[]=FITLET-GB-C62-W&model[]=fit-PC4-CA1067-WACB-FM4U-BFLT&model[]=FITLET-GI-C64-WACB

//Danne

I would disagree with the statement of "it won't help". At the very least AES-NI will reduce the overall CPU usage, even if tunnel speed is not affected. Even the pfSense docs say that OpenVPN OpenSSL AES-NI support is enabled natively and you don't need to "enable" it in the acceleration menu.
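Since the thread disputes whether AES-NI matters for OpenVPN's OpenSSL back end, the quickest way to settle it on a given box is to measure OpenSSL's own AES throughput with the instruction set enabled and then masked off. The script below is an added example, not code from the thread or from pfSense; it checks the CPU flag list for `aes` (using a constructed `/proc/cpuinfo`-style sample so the parser can be exercised anywhere) and, on a real host, runs `openssl speed` twice, the second time with `OPENSSL_ia32cap` set to mask out the AES-NI and PCLMULQDQ capability bits so the software AES path is used instead.

```shell
#!/bin/sh
# Added example: does this CPU expose AES-NI, and how much OpenSSL
# throughput does it actually buy for an OpenVPN-style AES-256-GCM tunnel?

# Return 0 when the cpuinfo text passed as $1 lists the "aes" CPU flag.
cpuinfo_has_aesni() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw aes
}

# Return 0 when this host's /proc/cpuinfo advertises AES-NI.
host_has_aesni() {
    [ -r /proc/cpuinfo ] || return 1
    cpuinfo_has_aesni "$(cat /proc/cpuinfo)"
}

# Run OpenSSL's built-in cipher benchmark for $1 and print the last result line.
# $2, when non-empty, is assigned to OPENSSL_ia32cap; "~0x200000200000000"
# clears the AES-NI and PCLMULQDQ bits so OpenSSL falls back to software AES.
openssl_speed() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 2; }
    if [ -n "$2" ]; then
        OPENSSL_ia32cap="$2" openssl speed -elapsed -evp "$1" 2>/dev/null | tail -n 1
    else
        openssl speed -elapsed -evp "$1" 2>/dev/null | tail -n 1
    fi
}

# Constructed cpuinfo samples (not captured from real hardware) for the parser.
SAMPLE_WITH_AESNI='processor       : 0
flags           : fpu vme sse4_2 aes avx pclmulqdq'
SAMPLE_WITHOUT_AESNI='processor       : 0
flags           : fpu vme sse4_2 avx'

main() {
    if host_has_aesni; then
        echo "CPU flag aes: present"
    else
        echo "CPU flag aes: absent (or /proc/cpuinfo unavailable)"
    fi
    echo "AES-256-GCM, hardware path:  $(openssl_speed aes-256-gcm)"
    echo "AES-256-GCM, software path:  $(openssl_speed aes-256-gcm '~0x200000200000000')"
}

# Only run the benchmark when executed directly, not when sourced for the tests.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

The two `openssl speed` lines report bytes per second for several block sizes; the gap between them is the upper bound on what AES-NI can save per packet. Whether that shows up as tunnel throughput or only as lower CPU load is exactly what the thread is arguing about, and it depends on where the single OpenVPN thread spends the rest of its time (context switches and tun/tap copies, which AES-NI does nothing for).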
 