APU2 - VPN Performance

APU2 boards have a solid VPN performance due to the native support for AES-NI instructions in the CPU. Encryption happens on the CPU level instead of the software level. 

APU2 boards achieve about 100 Mbit/s continuous throughput on OpenVPN on pfSense 2.4. Hardware should be able to achieve much more, but OpenVPN isn't multithreading and the throughput is limited to single core per connection.

Throughput shown on the screenshot below is about 112Mbit/s, but the acutal VPN throughput will be a bit lower (100Mbit/s) because of VPN tunnel overhead.  

The CPU load during this test was 34%. One out of 4 cores is hard at work.

 

Here's a session from iperf3 showing the actual VPN throughput.

sniku@homedesktop:~$ iperf3 -c 192.168.5.50 
Connecting to host 192.168.5.50, port 5201
[  5] local 10.0.8.2 port 36574 connected to 192.168.5.50 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.9 MBytes   108 Mbits/sec   37   48.6 KBytes       
[  5]   1.00-2.00   sec  12.5 MBytes   105 Mbits/sec   19   41.1 KBytes       
[  5]   2.00-3.00   sec  11.7 MBytes  98.4 Mbits/sec   23   38.6 KBytes       
[  5]   3.00-4.00   sec  11.9 MBytes   100 Mbits/sec   28   49.8 KBytes       
[  5]   4.00-5.00   sec  12.5 MBytes   105 Mbits/sec   28   53.6 KBytes       
[  5]   5.00-6.00   sec  12.5 MBytes   105 Mbits/sec   35   47.4 KBytes       
[  5]   6.00-7.00   sec  12.5 MBytes   105 Mbits/sec   27   36.1 KBytes       
[  5]   7.00-8.00   sec  11.4 MBytes  95.3 Mbits/sec   30   46.1 KBytes       
[  5]   8.00-9.00   sec  12.1 MBytes   102 Mbits/sec   22   52.3 KBytes       
[  5]   9.00-10.00  sec  12.3 MBytes   103 Mbits/sec   32   46.1 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   122 MBytes   103 Mbits/sec  281             sender
[  5]   0.00-10.00  sec   122 MBytes   102 Mbits/sec                  receiver

iperf Done.

This test was performed on pfSense 2.4.4, on APU2 with BIOS v4.9.0.3. We expect that OpenVPN throughput will be higher on linux-based Operating systems, but we haven't tested it. 

Note, throughput will be heavily dependant on the cipher you use. We strongly suggest AES-GCM because it's more secure AND more performant. See comparison below

 Cipher  Throughput
 AES-128-GCM / SHA-1  ~103 Mbit/s
 AES-128-GCM / SHA256   ~ 96 Mbit/s
 AES-256-GCM / SHA256   ~ 96 Mbit/s
 AES-128-CBC / SHA256  ~ 69 Mbit/s
 AES-256-CBC / SHA256  ~ 62 Mbit/s

 

WireGuard VPN throughput

Wireguard is the next generation, modern VPN that performs way better than OpenVPN or IPSec.

Here's a simple test we ran between two APU3 routers running on debian. 

root@debian:~/wg# iperf3 -c 10.0.0.1
Connecting to host 10.0.0.1, port 5201
[ 4] local 10.0.0.2 port 36568 connected to 10.0.0.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 68.5 MBytes 574 Mbits/sec 66 1.41 MBytes 
[ 4] 1.00-2.00 sec 79.5 MBytes 667 Mbits/sec 0 1.55 MBytes 
[ 4] 2.00-3.00 sec 74.9 MBytes 628 Mbits/sec 36 1.17 MBytes 
[ 4] 3.00-4.00 sec 74.1 MBytes 623 Mbits/sec 0 1.24 MBytes 
[ 4] 4.00-5.00 sec 76.2 MBytes 640 Mbits/sec 0 1.28 MBytes 
[ 4] 5.00-6.00 sec 81.2 MBytes 680 Mbits/sec 0 1.31 MBytes 
[ 4] 6.00-7.00 sec 76.2 MBytes 640 Mbits/sec 20 1003 KBytes 
[ 4] 7.00-8.00 sec 78.5 MBytes 658 Mbits/sec 0 1.04 MBytes 
[ 4] 8.00-9.00 sec 77.5 MBytes 651 Mbits/sec 0 1.07 MBytes 
[ 4] 9.00-10.00 sec 73.3 MBytes 614 Mbits/sec 0 1.10 MBytes 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 760 MBytes 638 Mbits/sec 122 sender
[ 4] 0.00-10.00 sec 757 MBytes 635 Mbits/sec receiver
- - - - - - - - - - - - - - - - - - - - - - - - -

Wireguard uses all 4 CPU cores, and beats OpenVPN over 6x times! More than 600Mbit/s is trully amazing! 

Hopefully we will see Wireguard included in pfSense and other popular router OSes soon.

OpenWRT already ships with WireGuard!

 

TLSense OpenVPN throughput

See the router comparison table for TLSense OpenVPN throughput.


TekLager sells routers based on PC Engines hardware with pfSense and IPFire in Sweden, Denmark, Finland and Norway.