G.fast, FTTP(OD) and higher speed VM users, how are you dealing with near line speed VPN?

Avalon · 27 Nov 2018 at 13:26

Currently on 80/20 running pfsense with OpenVPN (UDP) on a PC engines APU2C at near line speed. G.fast install takes place later this week and OpenVPN won’t scale up beyond 100Mbit as far as I can see on my current hardware (possibly a little higher on IKEv2 etc.).

So far (and until I can actually test i’m stuck speculating or running synthetic benchmarks), i’ve gone through a range of ideas from multiple OpenVPN interfaces on my APU2 (yep, I know), using existing OpenVPN/Binhex docker images with Privoxy enabled and routing everything via that on my R1700 Unraid box, to virtualising or a dedicated pfsense build, but something about using an i5 6500 to route traffic feels a little like overkill. Virtualisation has implications in terms of upgrades/reboots etc. taking everything down. Per client set-up isn’t going to work in my case, I would rather VPN everything and then make exceptions as I have now.

So, given i’m far from the first to do this, what’s everyone else done?

Caged · 27 Nov 2018 at 19:24

Presumably you have no control over the VPN protocol in use

Avalon · 27 Nov 2018 at 20:21

Caged said:
Presumably you have no control over the VPN protocol in use

Limited - I’m at the mercy of each providers whim, PIA for example let me specify OpenVPN/IPSec/PPTP and I can specify AES-128/256 CBC or Blowfish for example depending on what i’m using.

Caged · 27 Nov 2018 at 20:26

IPsec is offloaded in things like the EdgeRouter line as long as you use the compatible ciphers, which is going to be a ton quicker than doing it all in software.

Avalon · 28 Nov 2018 at 12:59

Caged said:
IPsec is offloaded in things like the EdgeRouter line as long as you use the compatible ciphers, which is going to be a ton quicker than doing it all in software.

Appreciate the suggestion, I have a Mikrotik Hex that’s theoretically capable of 470Mbit using IPSec with AES-128-CBC + SHA1, i’ll have a look at a suitable Edgerouter as it’ll simplify AP management and truth be told i’m a router whore.

I’m just interested to see what others have done or how they would approach it.

Other interesting areas include StrongSwan which should yield similar multi core results to IPSec hopefully (possible via DDWRT which I have a long standing respect for), or just using the APU to route via an OpenVPN docker on a suitable host. I was hoping for a few more examples of what others are using/have working or indeed the things they found didn’t work at this kind of speed, but tomorrow I can test

Caged · 28 Nov 2018 at 15:04

If you have a Hex then try swapping to IPsec with that - hardware offloading is always going to better than running everything in software.

Avalon · 28 Nov 2018 at 15:39

I suspect the ~~eye candy~~ singular management interface may be sufficient justification to add an ER-X to the collection in the not too distant future, i’ll see what the APU can do (hardware AES-NI) and have a play with the Hex tomorrow.

*edit* Just noticed only USG gets the option of unified management.