Pfsense OpenVPN aes-256-cbc

Hi,
I was planning on upgrading my home pfSense box now that I have 1 GBit/s from my ISP.
I did some testing on 6 PCs and none of them were able to get over 250 MBit/s when connected to an OpenVPN server using aes-256-cbc like NordVPN, PIA, PP …
I’m not an expert on this, but after some googling I found out that the OpenVPN client only uses 1 CPU core and highly favors newer CPUs.
Also Intel QuickAssist helps, apparently.
My question:
I want to get somewhat close to 1 GBit/s VPN performance (aes-256-cbc, not WireGuard or IPsec) and also have some CPU performance left for Suricata.

Does anybody have experience with what CPU would be suitable for this, or if it is even possible?
What do you recommend?

Thanks in advance for helping me out.

Tested PC Specs please.

Keep in mind also, VPN providers typically aren’t a “take what you want” bandwidth wise, they will have limits.

Yes, I’m aware that the speed of these providers varies drastically, for example on NordVPN.
But on PP VPN a speed of 600 MBit/s should be possible.
And sorry if the following info is a bit vague. (Quick testing on university/friends’ PCs. Only the i7 and i3 below are my PCs.)
Also I’m still a noob, sorry ^^

My plan: 1000 Mbit/s down, 50 Mbit/s up, coax.

Basic speedtests I did:
i7-3770k 240 Mbit/s DL 50 Mbit/s UL (main PC)
i3-2100 150-160 MBit/s to 50 Mbit/s (current pfsense)

I also did an openssl benchmark. That’s why I think that is the bottleneck.

i7-3770k @ 4,7 GHz (openssl speed aes-256-cbc)
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-256 cbc 118256.07k 127475.62k 130125.40k 130932.05k 131525.29k 131650.90k

i7-3770k @ 4,7 GHz (openssl speed -elapsed -evp aes-256-cbc)
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-256-cbc 529820.04k 613229.81k 638665.81k 644954.45k 647785.13k 643072.00k

Ryzen 5 2400G @ 3,6 GHz
openssl speed -elapsed -evp aes-256-cbc
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-256-cbc 823086.98k 931999.94k 1009308.62k 1004315.65k 997220.35k 985705.13k
Speedtest however was about 300 Mbit/s if I remember correctly.

I did a speedtest at a friend’s place. He had a 4770k. About 300 Mbit/s.
I did one on my R710 with 2x X5650. Don’t remember, but it also was below 200 Mbit/s.

If that doesn’t help I can try to come back later with more results.
But the Ryzen office PC from university that is the newest seems to be the most suited. I don’t know if openssl uses all cores. If so, my OpenVPN performance would be 1/4 of that.
But also maybe a Ryzen PC is not the best/most efficient router CPU anyway.

I don’t know. That’s why I’m asking.
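An added helper, not part of this thread, that turns `openssl speed` output like the runs quoted above into Mbit/s so the raw single-core cipher rate can be compared with the measured tunnel speed. The sample lines are copied from the i7-3770k runs above (non-EVP and -evp); the 1024-byte column is used as the closest match to a ~1400-byte tunnel payload, which is an assumption of this example.

```python
import re

# Constructed sample: openssl speed lines from the i7-3770k runs quoted above
# (non-EVP "aes-256 cbc" and -evp "aes-256-cbc").
SAMPLE_OUTPUT = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256 cbc     118256.07k   127475.62k   130125.40k   130932.05k   131525.29k   131650.90k
aes-256-cbc     529820.04k   613229.81k   638665.81k   644954.45k   647785.13k   643072.00k
"""

BLOCK_SIZES = (16, 64, 256, 1024, 8192, 16384)
_FIGURE = re.compile(r"^\d+(?:\.\d+)?k$")


def parse_openssl_speed(text):
    """Return {cipher_name: {block_size: kbytes_per_second}} from openssl speed output.

    openssl speed prints its numbers in 1000s of bytes per second. The cipher
    name may contain a space ("aes-256 cbc" in non-EVP mode), so figures are
    recognised by their trailing 'k' instead of by column position.
    """
    results = {}
    for line in text.splitlines():
        tokens = line.split()
        figures = [t for t in tokens if _FIGURE.match(t)]
        if len(figures) != len(BLOCK_SIZES):
            continue  # header line, blank line, or unrelated text
        name = " ".join(tokens[: len(tokens) - len(figures)])
        results[name] = {
            size: float(fig[:-1]) for size, fig in zip(BLOCK_SIZES, figures)
        }
    return results


def kbytes_to_mbit(kbytes_per_second):
    """Convert an openssl 'k' figure (1000 bytes/s) to Mbit/s."""
    return kbytes_per_second * 1000 * 8 / 1_000_000


def single_core_ceiling_mbit(results, name, block_size=1024):
    """Raw single-core cipher throughput in Mbit/s at a VPN-like block size.

    This is an upper bound only: each OpenVPN packet also needs HMAC,
    framing and tun/tap copies on the same core, so the tunnel rate seen
    in a speedtest lands well below this figure.
    """
    return kbytes_to_mbit(results[name][block_size])
```

With the figures above, even the non-EVP run converts to roughly 1 Gbit/s and the -evp (AES-NI) run to about 5 Gbit/s on one core, so the 240 Mbit/s tunnel result points at OpenVPN's per-packet overhead rather than the cipher itself.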

I’m not sure how tight the correlation is with this benchmark and openvpn performance, but here is a chart of single thread performance.

I believe there is a way to split multiple openvpn “streams” onto different cores, i.e. one core per user. Not sure if that is helpful for your use case or not.

Getting speed through a VPN provider is difficult for numerous reasons. But as mentioned already, most providers aren’t going to give any one single user all the speed and bandwidth they want. The VPN providers have to service many people and their service pipe is only so big.

Have a look here at this VPN comparison site. Sort and filter your services in it and scroll over until you find the speed section and then make some determinations on what you want and can accomplish.

https://thatoneprivacysite.net/#detailed-vpn-comparison

Seems your Ryzen 5 gets close to the target. I’d suggest changing your AES down to 128 and use GCM if supported vs CBC. Or at least re-run your benchmarks with those options.

On my (soon to be upgraded) A6-6400K rig, testing CBC vs GCM yielded over twice the values for everything above 256 bytes.

With all the overhead, and if the providers allowed it, you’d still never get your 1 GBit speed through it though.

faust’s comment made me remember that PIA switched from CBC to GCM a while back. In reading this post, it sounds like GCM can utilize multiple threads. Not sure if that will make an openvpn pipe any faster or not vs CBC.