APU2 / APU3 / APU4 - OpenVPN and Wireguard Performance benchmark
This article has been last updated on July 28, 2019
APU2/3/4 boards have a solid VPN performance due to the native support for AES-NI instructions in the CPU. Encryption happens on the CPU level instead of the software level.
pfSense OpenVPN performance
APU routers achieve about 100 Mbit/s continuous throughput on OpenVPN on pfSense 2.4.4. Hardware should be able to achieve much more, but OpenVPN isn't multithreading and the throughput is limited to single core per connection.
Throughput shown on the screenshot below is about 112Mbit/s, but the acutal VPN throughput will be a bit lower (100Mbit/s) because of VPN tunnel overhead.
The CPU load during this test was 34%. One out of 4 cores is hard at work.
We have tested APU2C2 with NordVPN client and pfSense. It achieved about 100Mbit up, 100Mbit/s down.
See screenshot from http://www.bredbandskollen.se/en/ below.
Here's a session from iperf3 showing the actual VPN throughput.
sniku@homedesktop:~$ iperf3 -c 192.168.5.50 Connecting to host 192.168.5.50, port 5201 [ 5] local 10.0.8.2 port 36574 connected to 192.168.5.50 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 12.9 MBytes 108 Mbits/sec 37 48.6 KBytes [ 5] 1.00-2.00 sec 12.5 MBytes 105 Mbits/sec 19 41.1 KBytes [ 5] 2.00-3.00 sec 11.7 MBytes 98.4 Mbits/sec 23 38.6 KBytes [ 5] 3.00-4.00 sec 11.9 MBytes 100 Mbits/sec 28 49.8 KBytes [ 5] 4.00-5.00 sec 12.5 MBytes 105 Mbits/sec 28 53.6 KBytes [ 5] 5.00-6.00 sec 12.5 MBytes 105 Mbits/sec 35 47.4 KBytes [ 5] 6.00-7.00 sec 12.5 MBytes 105 Mbits/sec 27 36.1 KBytes [ 5] 7.00-8.00 sec 11.4 MBytes 95.3 Mbits/sec 30 46.1 KBytes [ 5] 8.00-9.00 sec 12.1 MBytes 102 Mbits/sec 22 52.3 KBytes [ 5] 9.00-10.00 sec 12.3 MBytes 103 Mbits/sec 32 46.1 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 122 MBytes 103 Mbits/sec 281 sender [ 5] 0.00-10.00 sec 122 MBytes 102 Mbits/sec receiver iperf Done.
This test was performed on pfSense 2.4.4, on APU2 with BIOS v4.9.0.3.
Note, throughput will be heavily dependant on the cipher you use. We strongly suggest AES-GCM because it's more secure AND more performant. See comparison below
Cipher | Throughput |
AES-128-GCM / SHA-1 | ~103 Mbit/s |
AES-128-GCM / SHA256 | ~ 99 Mbit/s |
AES-256-GCM / SHA256 | ~ 99 Mbit/s |
AES-128-CBC / SHA256 | ~ 70 Mbit/s |
AES-256-CBC / SHA256 | ~ 68 Mbit/s |
OpenWRT OpenVPN performance
OpenWRT is based on Linux (while pfSense is based on OpenBSD). Linux has much better OpenVPN performance.
In our tests OpenWRT outperforms pfSense by about 40%. We have performed the same throughput benchmark on OpenWrt 18.06.4. And the result can be seen on a screenshot below.
OpenWrt delivers about 145 Mbit/s on OpenVPN.
WireGuard VPN throughput
Wireguard is the next generation, modern VPN that performs way better than OpenVPN or IPSec.
Here's a simple test we ran between two APU3 routers running on debian.
root@debian:~/wg# iperf3 -c 10.0.0.1 Connecting to host 10.0.0.1, port 5201 [ 4] local 10.0.0.2 port 36568 connected to 10.0.0.1 port 5201 [ ID] Interval Transfer Bandwidth Retr Cwnd [ 4] 0.00-1.00 sec 68.5 MBytes 574 Mbits/sec 66 1.41 MBytes [ 4] 1.00-2.00 sec 79.5 MBytes 667 Mbits/sec 0 1.55 MBytes [ 4] 2.00-3.00 sec 74.9 MBytes 628 Mbits/sec 36 1.17 MBytes [ 4] 3.00-4.00 sec 74.1 MBytes 623 Mbits/sec 0 1.24 MBytes [ 4] 4.00-5.00 sec 76.2 MBytes 640 Mbits/sec 0 1.28 MBytes [ 4] 5.00-6.00 sec 81.2 MBytes 680 Mbits/sec 0 1.31 MBytes [ 4] 6.00-7.00 sec 76.2 MBytes 640 Mbits/sec 20 1003 KBytes [ 4] 7.00-8.00 sec 78.5 MBytes 658 Mbits/sec 0 1.04 MBytes [ 4] 8.00-9.00 sec 77.5 MBytes 651 Mbits/sec 0 1.07 MBytes [ 4] 9.00-10.00 sec 73.3 MBytes 614 Mbits/sec 0 1.10 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth Retr [ 4] 0.00-10.00 sec 760 MBytes 638 Mbits/sec 122 sender [ 4] 0.00-10.00 sec 757 MBytes 635 Mbits/sec receiver - - - - - - - - - - - - - - - - - - - - - - - - -
Wireguard uses all 4 CPU cores, and beats OpenVPN over 6x times! More than 600Mbit/s is trully amazing!
Hopefully we will see Wireguard included in pfSense and other popular router OSes soon.
OpenWRT already ships with WireGuard!
TLSense OpenVPN throughput
See the router comparison table for TLSense OpenVPN throughput.