OpenVPN Performance on The Vault

You are here:

Overview

Depending on individual use cases, different hardware firewalls may be useful for different types of network applications and as such, Protectli offers different hardware with varying capabilities.  Frequently, it is useful for a customer to know the performance characteristics of specific hardware before making a decision to purchase.  This article aims to provide a baseline of performance for several different Vaults, as tested in a lab environment, so the customer can make an informed decision as to what products best suit their needs.

Basic Performance

In a basic setup, The Vault is capable of routing/switching packets at wire speed on all ports for all models. For a 1 Gbps ethernet interface, the actual throughput is ~940 Mbps due to overhead in an IP packet. The test network consists of 2 computers running Ubuntu 18.04 version of Linux and 2 Vaults running pfSense® CE version 2.4.3. One of the Ubuntu computers is running iperf3 as a server, the other is running iperf3 as a client.

 

IP LAN

OpenVPN

OpenVPN is a set of protocols that is used to authenticate and encrypt/decrypt packets to provide secure transport of packets through the network. An OpenVPN “tunnel” encrypts the entire packet, not just the payload, and is commonly used to create Virtual Private Networks (VPN).

Configuring OpenVPN

When configuring OpenVPN tunnels (and other secure connections) multiple parameters must be configured. The set of parameters is known as a “cipher suite”. The main parameters for OpenVPN consist of an Encryption method and a Message Authentication method. The configuration must be identical at each end of the tunnel in order to make a connection. With OpenVPN, one side of the tunnel is the “server” and the other end is the “client”. Multiple clients can be connected to a single server for a hub and spoke type of architecture.

The diagram below shows an OpenVPN tunnel. The difference between the LAN example above and the OpenVPN tunnel is that the entire packet is encrypted “end-to-end” between the Vault/Firewalls and the data can travel through the network securely.

 

OpenVPN Tunnel

OpenVPN Performance

Adding an OpenVPN tunnel introduces “overhead” which is added when a packet enters a tunnel and stripped off when a packet leaves the tunnel. This process adds additional data to each packet, but is not part of the payload. Therefore, when running performance measurement tests, the indicated traffic throughput will be less than throughput achieved without an OpenVPN encrypted tunnel.

In addition to the pure impact on the payload due to additional overhead, the device that adds the overhead must also encrypt the data. Similarly, the device at the other end of the tunnel receiving the packet must decrypt the data before sending it onward. Encryption and decryption of the packet requires significant processing power and affects the throughput of the devices. The latest versions of The Vault include Intel’s AES-NI hardware support which facilitates faster encryption/decryption with less impact on CPU performance.

The performance varies depending on the parameters of the many different cipher suites. For example, a cipher suite that uses AES128 may perform better than AES256 due to easier encryption/decryption. It would be difficult if not impossible to test all possible cipher suites.

In order to test performance, pfSense® CE 2.4.3 was installed on the Vaults and OpenVPN tunnels were configured with the following cipher suite:

  • AES256 bit encryption algorithm with 128 bit blocks using the Cipher Block Chaining mode (CBC) operation
  • Secure Hash Algorithm (SHA) 256 bit Message Authentication

The main configuration page for VPN->OpenVPN->Servers is shown below.

OpenVPN Server

The main configuration page for VPN->OpenVPN->Clients is shown below.

OpenVPN Client

In this example, data from LAN network 192.168.10.0 is “tunneled” to LAN network 192.168.20.0 over the WAN interface. In the reverse direction, data from LAN network 192.168.20.0 is “tunneled” to LAN network 192.168.10.0 over the WAN interface. The results of performance tests  run on the Vaults that contain AES-NI hardware support are shown in the table below.

Vault ModelUnencrypted LAN (Mbps)Encrypted IPsec AES-256-GCM/SHA256 (Mbps)Encrypted OpenVPN AES-256-CBC/SHA256 (Mbps)
FW2B940240110
FW4B940250115
FW4A940280120
FW6A940880380
FW6B940880550
FW6C940880580

Conclusions

OpenVPN is a critical set of protocols used to provide secure communication through the Internet.  There are many different cipher suites that can be used depending on the requirements of the user. The configuration used may impact the performance and therefore the throughput of the devices in the network. This tutorial is an aid to selecting the best Vault for your application.

As always, if there are any question, feel free to reach out to us at:

support@protectli.com