APU2 - VPN Performance

This article has been last updated on May 2, 2019

APU2 boards have a solid VPN performance due to the native support for AES-NI instructions in the CPU. Encryption happens on the CPU level instead of the software level. 

APU2 boards achieve about 100 Mbit/s continuous throughput on OpenVPN on pfSense 2.4. Hardware should be able to achieve much more, but OpenVPN isn't multithreading and the throughput is limited to single core per connection.

Throughput shown on the screenshot below is about 112Mbit/s, but the acutal VPN throughput will be a bit lower (100Mbit/s) because of VPN tunnel overhead.  

The CPU load during this test was 34%. One out of 4 cores is hard at work.

 

Here's a session from iperf3 showing the actual VPN throughput.

sniku@homedesktop:~$ iperf3 -c 192.168.5.50 
Connecting to host 192.168.5.50, port 5201
[  5] local 10.0.8.2 port 36574 connected to 192.168.5.50 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.9 MBytes   108 Mbits/sec   37   48.6 KBytes       
[  5]   1.00-2.00   sec  12.5 MBytes   105 Mbits/sec   19   41.1 KBytes       
[  5]   2.00-3.00   sec  11.7 MBytes  98.4 Mbits/sec   23   38.6 KBytes       
[  5]   3.00-4.00   sec  11.9 MBytes   100 Mbits/sec   28   49.8 KBytes       
[  5]   4.00-5.00   sec  12.5 MBytes   105 Mbits/sec   28   53.6 KBytes       
[  5]   5.00-6.00   sec  12.5 MBytes   105 Mbits/sec   35   47.4 KBytes       
[  5]   6.00-7.00   sec  12.5 MBytes   105 Mbits/sec   27   36.1 KBytes       
[  5]   7.00-8.00   sec  11.4 MBytes  95.3 Mbits/sec   30   46.1 KBytes       
[  5]   8.00-9.00   sec  12.1 MBytes   102 Mbits/sec   22   52.3 KBytes       
[  5]   9.00-10.00  sec  12.3 MBytes   103 Mbits/sec   32   46.1 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   122 MBytes   103 Mbits/sec  281             sender
[  5]   0.00-10.00  sec   122 MBytes   102 Mbits/sec                  receiver

iperf Done.

This test was performed on pfSense 2.4.4, on APU2 with BIOS v4.9.0.3. We expect that OpenVPN throughput will be higher on linux-based Operating systems, but we haven't tested it. 

Note, throughput will be heavily dependant on the cipher you use. We strongly suggest AES-GCM because it's more secure AND more performant. See comparison below

 Cipher  Throughput
 AES-128-GCM / SHA-1  ~103 Mbit/s
 AES-128-GCM / SHA256   ~ 96 Mbit/s
 AES-256-GCM / SHA256   ~ 96 Mbit/s
 AES-128-CBC / SHA256  ~ 69 Mbit/s
 AES-256-CBC / SHA256  ~ 62 Mbit/s

 

WireGuard VPN throughput

Wireguard is the next generation, modern VPN that performs way better than OpenVPN or IPSec.

Here's a simple test we ran between two APU3 routers running on debian. 

root@debian:~/wg# iperf3 -c 10.0.0.1
Connecting to host 10.0.0.1, port 5201
[ 4] local 10.0.0.2 port 36568 connected to 10.0.0.1 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 68.5 MBytes 574 Mbits/sec 66 1.41 MBytes 
[ 4] 1.00-2.00 sec 79.5 MBytes 667 Mbits/sec 0 1.55 MBytes 
[ 4] 2.00-3.00 sec 74.9 MBytes 628 Mbits/sec 36 1.17 MBytes 
[ 4] 3.00-4.00 sec 74.1 MBytes 623 Mbits/sec 0 1.24 MBytes 
[ 4] 4.00-5.00 sec 76.2 MBytes 640 Mbits/sec 0 1.28 MBytes 
[ 4] 5.00-6.00 sec 81.2 MBytes 680 Mbits/sec 0 1.31 MBytes 
[ 4] 6.00-7.00 sec 76.2 MBytes 640 Mbits/sec 20 1003 KBytes 
[ 4] 7.00-8.00 sec 78.5 MBytes 658 Mbits/sec 0 1.04 MBytes 
[ 4] 8.00-9.00 sec 77.5 MBytes 651 Mbits/sec 0 1.07 MBytes 
[ 4] 9.00-10.00 sec 73.3 MBytes 614 Mbits/sec 0 1.10 MBytes 
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 760 MBytes 638 Mbits/sec 122 sender
[ 4] 0.00-10.00 sec 757 MBytes 635 Mbits/sec receiver
- - - - - - - - - - - - - - - - - - - - - - - - -

Wireguard uses all 4 CPU cores, and beats OpenVPN over 6x times! More than 600Mbit/s is trully amazing! 

Hopefully we will see Wireguard included in pfSense and other popular router OSes soon.

OpenWRT already ships with WireGuard!

 

TLSense OpenVPN throughput

See the router comparison table for TLSense OpenVPN throughput.


Tip: check out many similar articles in our Knowledge Base.


TekLager specializes in selling open source hardware for building routers, firewalls and other network appliances.

Wle200nx_WiFi_Kit

wle200nx wireless WiFi kit

TekLager Compex wle200nx wireless WiFi kit for routers. Qualcomm Atheros AR9280. Works well with pfSense
356 SEK 2099-01-01 356 SEK
445.00 SEK incl. vat
APU2D0_ACCESS_POINT

APU2D0 Router and 802.11ac 3×3 MIMO Access Point

TekLager OpenWRT router, 5 Ghz access point
2,273 SEK 2099-01-01 2,273 SEK
2841.25 SEK incl. vat
PC_ENGINES_APU4C4_ROUTER

APU4C4: 4x Gigabit LAN, Quad Core CPU, 16GB SSD, 4GB RAM

TekLager APU4C4 Router/Firewall. 4x Gigabit NIC, Quad Core CPU, 16GB SSD, 4GB RAM. Compatible with pfSense, IPFire, OPNSEnse and others.
2,383 SEK 2099-01-01 2,383 SEK
2978.75 SEK incl. vat
TLSENSE_I7_6LAN

TLSense i7 6P: 6x Gigabit LAN, Intel i7 CPU, 128GB SSD, 16GB RAM

TekLager TLSense Intel i7, 6LAN pfSense Router. 1 Gigabit throughput speed. 700+ Mbits/sec encrypted OpenVPN throughput. Compatible with pfSense, OPNSense, OpenWRT and others
6,618 SEK 2099-01-01 6,618 SEK
8272.50 SEK incl. vat