OpenVPN hardware for pfSense

I know these kinds of questions get posted too often, but after spending the past month or so looking, I have found everything I need to know except for the following: what CPU would be strong enough to support a 250 Mb/s down 20 Mb/s up connection, if I was to encrypt ALL of the traffic?

Going through the pfSense documentation and through their forums, you only find (in the same format I'm stuck asking) very specific questions/answers, or very vague generalizations if you don't know enough about networking. For example, the documentation simply mentioned multiple cores and higher clock speed if doing higher bandwidth through a VPN, as well as one or two features that the CPU should have. But there is a vast difference between an FX-8350 and an 8 core Xeon, so I really feel like I made no mental progress reading that. There must be something I'm missing, any help would be awesome!

You should be okay on almost anything half decent. Maybe not an Atom or something like that. Especially if your CPU has the AES extensions.

1 Like

Yeah, as said, any reasonable CPU will do. I have a passively cooled Celeron and it does the job fine; you absolutely don't need an 8 core CPU unless you're doing multiple dozens of VPN connections, it's overkill.

Look for good single core performance as pfsense seems to do better on that.

2 Likes

Check out the table here: http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html
A Core i3 with AES-NI probably has you covered, even an Atom SoC from 2014 (like the Jetway, read on) will probably go far. Keep in mind the guidelines there are for enterprise use with healthy margins, so for a home user it is probably overkill unless you have plenty of users.

Current pfSense 2.2 is multi-threaded so it can use all cores. Upcoming 2.3 release is based on FreeBSD 10.3. I've seen claims of ~hundred megabits of throughput on J1900 SoCs. And any relatively modern CPU that has AES-NI will do even better. An AMD 8350 would be massive overkill, you could probably have dozens of VMs of pfSense on that no problem, the problem would be to have enough NICs, but hey, quad port Intel PCIe cards are kinda cheap on ebay :)
There are NUC form factor things with dual NICs like this thing: http://www.jetwaycomputer.com/JBC311U93.html Would probably be just okay for low bandwidth like a couple of hundred Mb.

Or you could just buy the things off the pfSense store and get support and stuff too.

If you're in the EU, Voleatech is the official pfSense partner.

2 Likes

OpenVPN is single threaded so whatever has the highest single-thread performance will serve you best. Assuming you only have one VPN client connecting to the server, having a single core @ 3.5 GHz is better than sixteen @ 2.0 GHz.

3 Likes

Thanks for the replies! Lol @Eden , @Pholostan I only meant to use those two as examples, I definitely have no intention of using either for a router; that would be insane. I figured a low end i3 would be fine as long as it had AES-NI. How far back could I go in terms of generation? I would like to have this be powerful, but if my current router can be an old dumpy ARM chipset I'm sure I really don't need to go too state of the art.

Also a 1037u would do 600 Mbit even though it does not have AES-NI, according to the VPN provider I have (they provide a pfSense VPN box) and they claim to do so based on OpenSSL benchmarks.

1 Like

Oh wow, that gives me a much better idea as to how much "horsepower" I really need for this. Thanks!

Yeah, so after reading some device performance analysis on that link there is no way a 1037u would push 600 Mbit OpenVPN 256-bit encrypted data. Good info!

I was intrigued by the idea, but was a tiny bit skeptical haha

Yeah, I have no idea how they managed that, they claim the box with a 1037u encrypts up to 600 Mbit. Can't be :D

Yeah, you really don't need much. The hard part for your setup will probably be the bandwidth, 250 Mbps is a little more than most WAN connections lol. That said, I've got a 25 Mbps up/5 Mbps down connection here, and I can use the VPN just fine via my Ugly Beige Ghetto Router™. It's rocking a 1.24 GHz single core, but I did luck out and it has some kind of VIA crypto acceleration extension. It did fine even before I enabled that, though.

1 Like

That's what I'm worried about! All the info online has been for lesser speeds by a significant margin. I think if I grab any recent 4 core CPU I should be good.

UPDATE: I would also be interested in general network monitoring plugins (intermediate monitoring and analytics to get a bit more control of the network). Would this drastically change my hardware requirements? Thank you guys for all the input so far, I love how helpful this forum is.

Probably not, it's just logging, so as long as you're not doing a ton of stuff with disks all at once you should be okay. BandwidthD is a nice option for this.

Edit: If you're really interested in logging for everything on the network, plus notifications when things explode, custom graphs, and that sort of thing, you could also try setting up a Zabbix server. There's a Zabbix agent that'll run on pfSense, so just find a junk old PC to run the server. I run mine on a 3.0 GHz single core Pentium 4, never had any performance issues.

Make sure you're using the good Intel NICs. Don't go with the cheap TP-LINK or Realtek NICs for this, because IIRC a good NIC will take load off the CPU, while a cheaper one doesn't handle as much so it dumps more on your CPU.

Even a good dual-core would probably do fine. You have to remember that LANs regularly transfer @ 1Gbps+, and if you're doing cross-VLAN routing all that is going through your pfSense machine, so the fact that most pfSense boxes can handle that fine leaves only encryption for yours as the questionable area. I'd definitely get a CPU with crypto extensions.

1 Like

Local traffic isn't so bad, but NAT will add a lot of overhead. Still, for 250 Mbps, even with a VPN you're not going to need anything too crazy. If you're buying new then any modern dual or quad core is going to be okay.

On my pfSense box I'm using a Phenom II X4 945. I don't have a fast internet connection (only 20 Mbps) but I do run four VPN interfaces and four Snort interfaces, and I rarely see the CPU usage go above 10%; mostly it sits around 2 or 3% at 1800 MHz (rather than running at its full speed of 3 GHz).

The Phenom doesn't have any AES extensions either, so any i3 or AMD equivalent with those should be plenty fast.

I agree, 600 Mbit OpenVPN throughput sounds optimistic on a Celeron 1037u. It's an Ivy Bridge laptop CPU from back in 2013. Sure, it is full cores, not an Atom, but only 2 MB of cache and a max freq of 1.8 GHz (no AES-NI). That CPU sounded kinda familiar though, and after checking some stuff I realize that's what's in the OVPNbox thing that ovpn.se sells. They also tout that "up to 600 Mbit" number. Probably the ideal OpenSSL bench.

There are some tests though, Jim Salter has an article on Ars. He's running Ubuntu on one of those Chinese boxes that surfaced a couple of years back (OVPNbox looks very similar), and it is actually tested with OpenVPN. Gets about 200 Mbit over it, probably what a 1037u can do. This is on Linux though, not pfSense (FreeBSD).

I remember there was a long thread on the pfSense forum about those Chinese boxes... yes, here:
https://forum.pfsense.org/index.php?topic=75415.0
18 pages long, somebody ought to do some real world testing there, I haven't read it all.

That Chinese 1037u box seems out of stock on AliExpress, they claim it's not made anymore. They tout some Braswell (Atom) thing instead. An i3 4010u or 5005u is probably a lot better, full cores at low clocks instead of Atom cores.

I also noticed that many of the desktop Skylake Celerons and Pentiums have AES-NI, maybe they all do, I haven't made a spreadsheet out of Intel ARK yet. Lol :)
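The "600 Mbit from an OpenSSL benchmark" claim discussed above versus the ~200 Mbit measured over real OpenVPN is a gap worth checking yourself. This added example (not code from the thread or from pfSense) parses `openssl speed` output and contrasts the optimistic bulk-cipher number a vendor might quote with a rough per-packet estimate that also accounts for the HMAC and for the tun/tap and userspace overhead OpenVPN adds. The sample output, the 50% efficiency factor and the packet size are constructed assumptions, not measurements.

```python
"""Estimate OpenVPN headroom from an `openssl speed` run (added example)."""
import re

# Constructed sample of `openssl speed -evp aes-256-cbc sha256` output.
# Numbers are made up for illustration; run the command on the real box.
SAMPLE_SPEED_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      65120.40k    71233.15k    73402.00k    74500.00k    75000.00k    75100.00k
sha256           21098.12k    48211.60k    91340.55k   120000.00k   124000.00k   124500.00k
"""

BLOCK_SIZES = (16, 64, 256, 1024, 8192, 16384)

def parse_openssl_speed(text):
    """Return {algorithm: {block_size: bytes_per_second}} from `openssl speed` output."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+)\s+((?:[\d.]+k\s*)+)$", line)
        if not m:
            continue  # header lines do not end in 'k'-suffixed numbers
        values = [float(v.rstrip("k")) * 1000 for v in m.group(2).split()]
        results[m.group(1)] = dict(zip(BLOCK_SIZES, values))
    return results

def bulk_cipher_mbps(speed, cipher="aes-256-cbc"):
    """The optimistic figure: large-block cipher rate alone, converted to Mb/s."""
    return speed[cipher][8192] * 8 / 1e6

def estimate_openvpn_mbps(speed, cipher="aes-256-cbc", mac="sha256",
                          packet=1024, efficiency=0.5):
    """Rough per-packet estimate. Cipher and HMAC run serially on every packet,
    so their rates combine harmonically; `efficiency` is an assumed fudge factor
    for tun/tap copies, context switches and framing that the bench ignores."""
    c = speed[cipher][packet]   # use the block size closest to a VPN packet
    h = speed[mac][packet]
    combined = 1.0 / (1.0 / c + 1.0 / h)      # bytes/s for encrypt + authenticate
    return combined * 8 / 1e6 * efficiency

def covers_wan(est_mbps, down_mbps=250, up_mbps=20):
    """Both directions are encrypted, so compare against the summed WAN rate."""
    return est_mbps >= down_mbps + up_mbps

if __name__ == "__main__":
    speed = parse_openssl_speed(SAMPLE_SPEED_OUTPUT)
    print("vendor-style bulk number: %.0f Mb/s" % bulk_cipher_mbps(speed))
    est = estimate_openvpn_mbps(speed)
    print("per-packet estimate:      %.0f Mb/s" % est)
    print("covers 250/20 WAN:", covers_wan(est))
```

On a real box, run `openssl speed -evp aes-256-cbc sha256` (or the GCM cipher your tunnel uses) and feed the output to `parse_openssl_speed`; a CPU with AES-NI will show the cipher column jump while the estimate still trails the bulk figure.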

STATUS UPDATE: they may actually have gigabit internet when I get back to my university city after this summer, in which case I can't NOT get that, as it would make my home server setup so much more godlike (and it's only 20 bucks more than the 250MB/s plan I had!) If that happens, I would be looking for gigabit in, and some ten gig equipment in the house. What would pfSense hardware need to be for that then? At that point I feel like a Xeon may be necessary, or something equivalent if I want to do some traffic analytics + VPN on a full gigabit connection.

For 10GbE you'll probably need some pretty beefy stuff. I haven't used it but I know just from looking that it's a money pit. Even the Netgear switch @wendell reviewed, which is considered cheap, is over $1000. So you may be better off sticking with 1 Gbps... unless you really need 10 Gbps locally?

@wendell and/or @DeusQain any advice for 10 gigabit Ethernet with pfSense? I'm clueless here.