OpenVPN, WireGuard, L2TP/IPSec, SSTP, IKEv2, PPTP, or others. If you had the luxury of choosing, which VPN protocols would you use? Therein lies my problem. In my current use case, I must find a way to improve OpenVPN performance and throughput. You may have been following my Linux home lab build. One of the most…
Great post, really nice to read.
Ubiquiti hardware/software is to be reckoned with, but one might not want to dismiss core Unix/Linux open-source software on bare metal either.
I’m running OPNsense on a mini PC (not wanting to advertise, so I won’t link anything unless asked) and I’m near line-rate performance on a Gigabit fiber connection on my home network, with lots of VLANs, firewalling, QoS, etc.
Sure, VPN eats a lot of resources and I need to do some more thorough testing, and it’s very true that ovpn, though quick and easy to set up, is not really shining in the performance department, but if I recall correctly, I could get around 40 to 50 percent bandwidth depending on endpoint and parameters with my hardware (which is an ‘affordable’ $150 box, btw).
So as a *nix and open-source advocate, you might want to consider these alternatives as well, and give them a fair trial in your testing.
Kind Regards
Agreed on Ubiquiti. Also, the value isn’t there anymore, especially now with price gouging and so many items out of stock.
Have a look at this TP-Link lineup (hard to beat the value for a home lab type rack setup):
Router: VPN Router - Gigabit Routers for Business - TP-Link (+ OpenVPN client)
Switch: TL-SG2210MP | JetStream 10-Port Gigabit Smart Switch with 8-Port PoE+ | TP-Link
Controller: OC200 | Omada Hardware Controller | TP-Link
Access points: Access Points | TP-Link
If you want to use WireGuard, then you can add to or replace the router with https://www.pivpn.io/ on an RPi 4.
Or use a https://store.gl-inet.com/products/brumegl-mv1000-edge-computing-vpn-router router (supports a WireGuard client at up to 250 Mbps ISP speed).
Just one example, and there are a bunch of other Ubiquiti alternatives out there.
Thank you for your post.
Background:
I have an OpenVPN server running on my Windows 10 VPS. The Internet connection of the VPS is ~750 Mbps download and ~450 Mbps upload (obtained from multiple speedtest.net tests). The VPS has 2 vCPUs and 8 GB RAM. The VPS serves only two OpenVPN clients. However, a speedtest from the clients normally shows 30 Mbps while the VPN is enabled.
What I have tried:
- Please see the config
Config:
- Server
;local a.b.c.d
duplicate-cn                 # several clients may share one certificate CN (a leading "--" is optional in config files)
port 443
;proto tcp
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
txqueuelen 4000              # Linux-only option (see --txqueuelen in the man page)
tun-mtu 9000                 # OpenVPN expects the same tun-mtu on both ends; the client config below uses the 1500 default
mssfix 0                     # disables TCP MSS clamping inside the tunnel
fragment 0                   # disables the internal fragmenter, same as leaving the option out
;dev tap
dev tun
ca "ca.crt"
cert "ERVER.crt"
key "C:\\SE.key" # This file should be kept secret
dh "dh.pem"
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth "tls-auth.key" 0 # This file is secret; direction 0 here requires key-direction 1 on the client
cipher AES-128-CBC           # CBC + HMAC; OpenVPN 2.4+ normally negotiates an AES-GCM cipher via NCP unless ncp-disable is set
persist-key
persist-tun
;mute 20
explicit-exit-notify 1
- Client
dev tun
proto udp
remote IP 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1              # the opposite of the server's "tls-auth ... 0"
cipher AES-128-CBC           # must match the server's cipher
verb 3
# no tun-mtu is set here, so this end uses the 1500 default while the server sets 9000
<ca>
-----BEGIN CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----
</key>
<tls-auth>
</tls-auth>
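As an added example (not code from the post or from the OpenVPN project), here is a small linter that parses both configs with OpenVPN's file syntax and cross-checks them for the points a reviewer would raise on the pair above: tun-mtu that differs between the ends, a 9000-byte tunnel MTU sent over UDP on a 1500-byte path, `mssfix 0`, the no-op `fragment 0`, the CBC cipher, the Linux-only `txqueuelen`, the tls-auth key direction, and port/protocol agreement. The finding codes, severities, the `path_mtu` default and the trimmed copies of the two configs are my own; the checks themselves rest on documented OpenVPN behaviour.

```python
"""Lint an OpenVPN server/client config pair for settings that cost throughput
or break the tunnel. Added example, not code from the post; the rules encode
documented OpenVPN behaviour, the codes and severities are my own labels."""
import re
import shlex
from typing import Dict, List, Optional, Tuple

Config = Dict[str, List[List[str]]]  # option -> one argument list per occurrence
Finding = Tuple[str, str, str]       # (severity, code, message)


def parse_openvpn_config(text: str) -> Config:
    """OpenVPN syntax: '#'/';' comment lines, trailing '#' comments, optional
    leading '--', quoted args with backslash escapes, repeated options and
    inline <tag>...</tag> blocks (stored under the tag name, body as one arg)."""
    cfg: Config = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:  # inline file block such as <ca> ... </ca>
            body: List[str] = []
            while i < len(lines) and lines[i].strip() != f"</{tag.group(1)}>":
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing tag
            cfg.setdefault(tag.group(1), []).append(["\n".join(body)])
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            name = tokens[0][2:] if tokens[0].startswith("--") else tokens[0]
            cfg.setdefault(name, []).append(tokens[1:])
    return cfg


def _arg(cfg: Config, opt: str, idx: int = 0, default: Optional[str] = None) -> Optional[str]:
    """Argument idx of the first occurrence of opt, or default when absent."""
    return cfg[opt][0][idx] if opt in cfg and len(cfg[opt][0]) > idx else default


def lint_pair(server: Config, client: Config, path_mtu: int = 1500) -> List[Finding]:
    """Cross-check both ends; path_mtu is the MTU of the underlying link (assumed 1500)."""
    out: List[Finding] = []
    flag = lambda sev, code, msg: out.append((sev, code, msg))
    proto = _arg(server, "proto", default="udp")[:3]
    s_mtu = int(_arg(server, "tun-mtu", default="1500"))
    c_mtu = int(_arg(client, "tun-mtu", default="1500"))
    if s_mtu != c_mtu:  # OpenVPN logs an options-inconsistency warning for this
        flag("error", "TUN_MTU_MISMATCH", f"tun-mtu must match on both ends (server {s_mtu}, client {c_mtu})")
    if proto == "udp" and s_mtu > path_mtu:
        flag("warn", "UDP_IP_FRAGMENTATION", f"tun-mtu {s_mtu} over UDP exceeds the {path_mtu}-byte path MTU; "
             "every full-size packet is IP-fragmented and one lost fragment drops it all")
    if proto == "udp" and _arg(server, "mssfix") == "0":
        flag("warn", "MSSFIX_DISABLED", "mssfix 0 removes TCP MSS clamping, so tunnelled TCP relies on fragmentation too")
    if _arg(server, "fragment") == "0":
        flag("info", "FRAGMENT_ZERO", "fragment 0 disables the internal fragmenter (a no-op); remove it or set a size below the path MTU")
    s_cipher, c_cipher = _arg(server, "cipher"), _arg(client, "cipher")
    if s_cipher and c_cipher and s_cipher.upper() != c_cipher.upper():
        flag("error", "CIPHER_MISMATCH", f"server {s_cipher} vs client {c_cipher}")
    elif s_cipher and s_cipher.upper().endswith("-CBC"):
        flag("warn", "CBC_CIPHER", f"{s_cipher} is CBC+HMAC; AES-GCM costs less per packet (OpenVPN 2.4+ normally negotiates it via NCP)")
    s_dir = _arg(server, "tls-auth", 1)
    c_dir = _arg(client, "key-direction") or _arg(client, "tls-auth", 1)
    if s_dir in ("0", "1") and c_dir != {"0": "1", "1": "0"}[s_dir]:
        flag("error", "TLS_AUTH_DIRECTION", f"server tls-auth direction is {s_dir}; the client must use the opposite")
    if "txqueuelen" in server:
        flag("info", "TXQUEUELEN_LINUX_ONLY", "txqueuelen is a Linux-only option; other platforms do not support it")
    s_port = _arg(server, "port", default="1194")
    c_port = _arg(client, "remote", 1, default="1194")
    c_proto = (_arg(client, "remote", 2) or _arg(client, "proto", default="udp"))[:3]
    if s_port != c_port or proto != c_proto:
        flag("error", "ENDPOINT_MISMATCH", f"server {proto}/{s_port} vs client {c_proto}/{c_port}")
    return out


# Trimmed copies of the two configs from the post above (certificates and keys
# omitted, every kept line exactly as posted).
SERVER_CONF = r"""
--duplicate-cn
port 443
;proto tcp
proto udp
txqueuelen 4000
tun-mtu 9000
mssfix 0
fragment 0
key "C:\\SE.key" # This file should be kept secret
push "redirect-gateway def1 bypass-dhcp"
tls-auth "tls-auth.key" 0 # This file is secret
cipher AES-128-CBC
"""
CLIENT_CONF = r"""
proto udp
remote IP 443
key-direction 1
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for sev, code, msg in lint_pair(parse_openvpn_config(SERVER_CONF), parse_openvpn_config(CLIENT_CONF)):
        print(f"[{sev}] {code}: {msg}")
```

Run against the posted pair it reports the MTU mismatch, the UDP fragmentation, the disabled mssfix, the no-op fragment, the CBC cipher and the Linux-only txqueuelen; dropping `tun-mtu 9000`, `fragment 0` and `txqueuelen`, setting `mssfix 1400` and an AES-GCM cipher on both ends makes it report nothing. It deliberately does not touch the posted paths or certificate placeholders.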