Slow OpenVPN on pfSense on Proxmox

I have the following scenario:

Hardware: Protectli VP4630, Intel i3-10110U Dual Core / 4 Thread at 2.1 GHz, 64GB RAM, 6 x 2.5 gbps ports

pfSense 2.7.2 guest VM config:
boot: order=virtio0
cores: 4
cpu: host
cpuunits: 500
memory: 16384
meta: creation-qemu=8.1.2,ctime=1707968085
net0: virtio=xx:xx:11:F2:21:A5,bridge=vmbr0
net1: virtio=xx:xx:11:A4:39:11,bridge=vmbr1
numa: 0
onboot: 1
ostype: other
scsihw: virtio-scsi-single
sockets: 1
startup: order=1
virtio0: local-zfs:vm-100-disk-0,iothread=1,size=16G

On pfSense, I have an OpenVPN client that connects to Private Internet Access using standard encryption over UDP.

I also have these crypto settings on pfSense

My issue is that speedtests are showing download and upload speeds of around 350mbps. I run these tests either through the browser version of speedtest and separately I have also tested downloading large games from Steam and it reaches around 35MB/s which is around the 350mbps ballpark.

On the SAME Proxmox host, I have a Debian VM with 2 cores, 1GB RAM that also has speedtest (the command line version) and the same OpenVPN connection to PIA as pfSense (when I say the same, I mean this Debian VM connects to the exact same PIA IP address on the exact same port, with the exact same UDP / standard encryption settings). When performing speedtest using the command line inside the VM, I get around 600mbps down, 500mbps up.

This tells me a few things:
1 - that the PIA server I’m using can handle 600 down, 500 up speeds;
2 - that the proxmox virtual NICs can process at least that much traffic, so this rules out any virtual nic-related issues;
3 - that my WAN (1gbps down/up) can handle the traffic (I’ve also done speedtests without the OpenVPN connected in the debian VM and I can get the full 1gbps down/up of unencrypted traffic)

So there’s something either on proxmox OR on my pfSense guest VM that’s causing the speeds to be in the 350mbps range as opposed to reaching the 600/500 down/up that the debian VM can do.

Any ideas what settings on proxmox or pfSense I can try to tweak?

Welcome!

Here are the bare metal pfSense OpenVPN performance tests claimed by Protectli.

https://kb.protectli.com/kb/openvpn-performance-on-the-vault/

PIA is likely throttling or the additional encryption overhead is reducing bandwidth.

Anytime you virtualize pfsense or any firewall there is bound to be oddities. There is a reason it’s called the forbidden router when running it this way.

It will always be best to have a physical firewall over virtual and the benefits are far outweighed. My hope is you don’t go off the deep end trying to figure this and save yourself the heartache and time.

But if you must, here is a guide on setting up pfsense on proxmox

https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

From my experience, this is just a pfSense thing, not an “all FWs” issue, which obviously points to FreeBSD. As the OP noted, Linux is perfectly fine running in a VM. A Linux-based FW works better in a VM. I bumped into this throughput issue with pfSense years ago too.

I just gave up on trying to debug OpenVPN to PIA on pfSense.

I switched to WireGuard and, connecting to the same PIA IP address, I’m now getting 850mbps down, 900mbps up, so it’s clearly something related to the OpenVPN/pfSense/BSD/Proxmox combination that’s causing the speed degradation. The PIA server side seems to support high throughput just fine; it’s the virtualized client side that’s messing it up somehow.

@elvisimprsntr
More like the latter, otherwise the Debian VM wouldn’t be getting higher speeds. Thanks for the link, I saw that before purchasing my Protectli so I knew bare metal OpenVPN could go almost 1200gbps if the server side could handle it.

@xMAXIMUSx thanks, I originally followed the pfSense guide to configure a guest VM on Proxmox and “it works” except for the slow speeds.

Was the cipher suite the same or was it using lower encryption ciphers?
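
One way to answer the cipher question above is to compare what each client actually negotiated, as recorded in its OpenVPN log. This is an added example, not code from the thread: the log lines are constructed samples (not the poster's logs) in the formats OpenVPN 2.4 to 2.6 write, and the function names are hypothetical.

```python
import re

# 2.4/2.5 log "Outgoing Data Channel: Cipher 'X' initialized with N bit key";
# 2.6 logs "Data Channel: cipher 'X', peer-id: 0". One pattern covers both.
CIPHER_RE = re.compile(r"Data Channel: [Cc]ipher '([^']+)'")
# Non-AEAD ciphers (e.g. CBC) also log a separate HMAC digest; AEAD (GCM) does not.
HMAC_RE = re.compile(r"Data Channel: Using \d+ bit message hash '([^']+)' for HMAC")

def negotiated(log_text):
    """Return (cipher, hmac) from the most recent key negotiation in a log."""
    cipher = hmac = None
    for line in log_text.splitlines():
        if (m := CIPHER_RE.search(line)):
            # A new cipher line starts a new record; drop any stale HMAC.
            cipher, hmac = m.group(1), None
        elif (m := HMAC_RE.search(line)):
            hmac = m.group(1)
    return cipher, hmac

def compare(logs):
    """logs: {client name: log text}. Returns (results, True if all clients match)."""
    results = {name: negotiated(text) for name, text in logs.items()}
    return results, len(set(results.values())) == 1

# Constructed sample logs for illustration only.
PFSENSE_LOG = """\
Feb 20 10:01:02 openvpn[1234]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 20 10:01:02 openvpn[1234]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 20 10:01:02 openvpn[1234]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 20 10:01:02 openvpn[1234]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
"""
DEBIAN_LOG = """\
2024-02-20 10:05:11 Data Channel: cipher 'AES-128-GCM', peer-id: 0
"""

if __name__ == "__main__":
    results, same = compare({"pfsense": PFSENSE_LOG, "debian": DEBIAN_LOG})
    for name, (cipher, hmac) in results.items():
        print(f"{name}: cipher={cipher} hmac={hmac or 'none (AEAD)'}")
    print("identical data-channel settings" if same else "MISMATCH: not a like-for-like test")
```

If the two clients report different data-channel ciphers, the speed comparison between them is not measuring the same workload.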