APU2 - VPN Performance

Posted by Pawel Suwala on 

APU2 boards have a solid VPN performance due to the native support for AES-NI instructions in the CPU. Encryption happens on the CPU level instead of the software level. 

APU2 boards achieve about 100 Mbit/s continuous throughput on OpenVPN on pfSense 2.4. Hardware should be able to achieve much more, but OpenVPN isn't multithreading and the throughput is limited to single core per connection.

 Here's the screenshot showing 100 Mbit throughput with 38% CPU usage. One out of 4 cores is hard at work.

 

WireGuard VPN throughput

Wireguard is the next generation, modern VPN that performs way better than OpenVPN or IPSec.

Here's a simple test we ran between two APU3 routers running on debian. 

root@debian:~/wg# iperf3 -c 10.0.0.1
Connecting to host 10.0.0.1, port 5201
[ 4] local 10.0.0.2 port 36568 connected to 10.0.0.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 68.5 MBytes 574 Mbits/sec 66 1.41 MBytes 
[ 4] 1.00-2.00 sec 79.5 MBytes 667 Mbits/sec 0 1.55 MBytes 
[ 4] 2.00-3.00 sec 74.9 MBytes 628 Mbits/sec 36 1.17 MBytes 
[ 4] 3.00-4.00 sec 74.1 MBytes 623 Mbits/sec 0 1.24 MBytes 
[ 4] 4.00-5.00 sec 76.2 MBytes 640 Mbits/sec 0 1.28 MBytes 
[ 4] 5.00-6.00 sec 81.2 MBytes 680 Mbits/sec 0 1.31 MBytes 
[ 4] 6.00-7.00 sec 76.2 MBytes 640 Mbits/sec 20 1003 KBytes 
[ 4] 7.00-8.00 sec 78.5 MBytes 658 Mbits/sec 0 1.04 MBytes 
[ 4] 8.00-9.00 sec 77.5 MBytes 651 Mbits/sec 0 1.07 MBytes 
[ 4] 9.00-10.00 sec 73.3 MBytes 614 Mbits/sec 0 1.10 MBytes 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 760 MBytes 638 Mbits/sec 122 sender
[ 4] 0.00-10.00 sec 757 MBytes 635 Mbits/sec receiver
- - - - - - - - - - - - - - - - - - - - - - - - -

Wireguard uses all 4 CPU cores, and beats OpenVPN over 6x times! More than 600Mbit/s is trully amazing! 

Hopefully we will see Wireguard included in pfSense and other popular router OSes soon.

OpenWRT already ships with WoreGuard!


TekLager sells routers based on PC Engines hardware with pfSense and IPFire in Sweden, Denmark, Finland and Norway.