Struggle deciding hardware CPU for gigabit network on VPN

I’m about to get a Chinese-branded, Protectli-like appliance from Taobao for my first pfSense build. However, I’m struggling with which CPU I should pick, as I do not want to underutilise the machine.

Options (all barebone):
J4125 - around $150
i3-8130U - around $250
i5-8250U - around $300
i3-10110U - around $280

The J4125 looks enough for gigabit. However, I would like to set up a VPN client and keep it at gigabit speed. Probably also a VPN server, on either OpenVPN or WireGuard. I also want to try out different add-on packages on pfSense, like Snort.

Which of the options would be the most cost-effective? At least to have VPN speed at almost gigabit.

Much appreciated!

Gigabit on VPN, as others have said, is probably not going to happen. It’ll probably do pretty well on WireGuard, but OpenVPN usually caps out at 30-60 Mbps on most hardware like that.

My box is an i5-4590 CPU and it gets around 40 Mbps on OpenVPN.

Your chances of having VPN at full gigabit are slim. Your best chance will be with WireGuard, but no matter what, speeds will be limited to the slowest link in the chain, so any routers on the net in the way that can’t do that speed at the time will limit you.

The 10110U may do gigabit VPN while Snort is enabled. It will really depend on whether your traffic is at max MTU or mixed over that VPN tunnel. Fragmentation over the VPN tunnel is likely, and Snort is resource intensive, so you’re going to want the best single-threaded performing CPU that fits in your budget.
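To make the fragmentation point above concrete, here is a small added script (not from the thread) that works out the inner MTU of a tunnel from the outer MTU and per-packet overhead, how many IPv4 fragments an inner packet of a given size becomes, and how many bytes actually go on the wire. The overhead constants are WireGuard's protocol values (32 bytes of transport header and tag plus UDP and IP); OpenVPN's overhead depends on cipher and options, so pass your own measured figure as the OVERHEAD argument. The sample packet sizes in the report are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: estimate how inner packet size interacts
# with a VPN tunnel's per-packet overhead. The constants are WireGuard's; for
# OpenVPN pass a measured OVERHEAD value instead.
#
# WireGuard transport message: 16-byte header + 16-byte Poly1305 tag = 32 bytes,
# plus UDP (8) and IPv4 (20) = 60 bytes; over IPv6 (40) it is 80 bytes, which
# is why WireGuard's default interface MTU is 1420.
WG_OVERHEAD_V4=60
WG_OVERHEAD_V6=80
IP_HDR=20   # IPv4 header without options (the fragmentation math below is IPv4)

# inner_mtu OUTER_MTU OVERHEAD -> largest inner packet carried in one outer packet
inner_mtu() {
    echo $(( $1 - $2 ))
}

# fragments INNER_LEN INNER_MTU -> how many IPv4 fragments an inner packet becomes
# (fragment data lengths must be multiples of 8 bytes, except the last one)
fragments() {
    if [ "$1" -le "$2" ]; then
        echo 1
        return
    fi
    per_frag=$(( ($2 - IP_HDR) / 8 * 8 ))
    data=$(( $1 - IP_HDR ))
    echo $(( (data + per_frag - 1) / per_frag ))
}

# wire_bytes INNER_LEN INNER_MTU OVERHEAD -> bytes actually sent on the outer link
wire_bytes() {
    n=$(fragments "$1" "$2")
    # every extra fragment repeats the inner IP header; every outer packet adds the tunnel overhead
    echo $(( $1 + (n - 1) * IP_HDR + n * $3 ))
}

# report OUTER_MTU OVERHEAD -> one line per constructed sample inner size
report() {
    mtu=$(inner_mtu "$1" "$2")
    printf 'outer MTU %s, overhead %s => inner MTU %s\n' "$1" "$2" "$mtu"
    printf '%-10s %-10s %-12s %s\n' inner frags wire_bytes inner/wire%
    for size in 64 576 1400 1500; do
        n=$(fragments "$size" "$mtu")
        w=$(wire_bytes "$size" "$mtu" "$2")
        printf '%-10s %-10s %-12s %s\n' "$size" "$n" "$w" $(( size * 100 / w ))
    done
}

# Default run: a 1500-byte link carrying WireGuard over IPv4
report 1500 "$WG_OVERHEAD_V4"
```

The interesting row is the 1500-byte inner packet: on a 1500-byte outer link it becomes two fragments and two encrypted packets, so the tunnel's packet rate doubles for full-size traffic even though the byte overhead looks modest. That per-packet cost is what lands on a single core with OpenVPN, and it is why lowering the tunnel MTU (or letting path MTU discovery clamp it) matters as much as raw cipher speed.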

Check out WireGuard NT.

OpenVPN can’t hit gigabit speeds, or at least it’s very hard to. (I can only hit ~200 Mbps with a 4790S quad-vCPU VM with AES-NI HW acceleration.) You’re going to need WireGuard to hit gigabit.

I hit “gigabit” on OpenVPN. Single stream, no aggregates. When I say gigabit, my Internet connection tops at 930 on Speedtest. I’ve seen as high as 900 on OpenVPN. But it really really depends on both ends. I’ve found finding a server that does over 600 consistently to be a case of pot luck. i7 7500

You’re correct. In my experience each client tops out at 150-200M. But in aggregate of a multi-client scheme, any of the solutions listed can hit gigabit.

I have an older 4-core Atom Protectli. With five clients, the CPU will max load at 92% and ~750M. So anything with more beef than an Atom should probably be capable of gigabit OpenVPN.

I’m still on 2.4.5 so I haven’t tried wireguard yet for metrics, but interested at some point.

In this case I think I would be better off with WireGuard, in case my VPN provider supports it. If I’m using WireGuard, is the J4125 capable of keeping at least 800 Mbps?
Thanks!

Much appreciated. I think the CPUs I listed should all support AES-NI. I was just doubting whether the J4125 or i3 would be more than enough for VPN and maybe trying out Suricata.

You have enough in that CPU to surely hit gigabit OpenVPN with multiple clients in aggregate. I can get ~750M on a dinky Atom.

Don’t use Snort, just use Suricata; it’s multithreaded…

Yeah, I get about 300/300 when I OpenVPN into my network on my Protectli Celeron J1900 without AES-NI. I would hope more modern processors with acceleration could do better.

Strange, I’ve never been able to get more than that.

Are you sure you are running in AES-NI mode?

Such a computer shouldn’t be so slow…

AES-NI should be automatic when a CPU supports it, so… probably?

It’s a setting you need to enable in the OpenVPN client config. Might be a drop down selection.

Even without it, though, I think you have enough horsepower to be able to do AES in software and churn out more throughput than that. But give it a try.
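The exchange above comes down to one check: is AES-NI present, and is it actually being used? The following added script (not from the thread, and not pfSense's own tooling) answers both. It reads the CPU feature flags from /proc/cpuinfo on Linux or from the boot messages on FreeBSD/pfSense, and then, with `--bench`, times AES-256-GCM in OpenSSL twice, once normally and once with the AES-NI capability bit masked via the `OPENSSL_ia32cap` environment variable, so the gap between the two numbers shows what software AES costs on that box. The two sample flag lines are constructed for the self-check.

```shell
#!/bin/sh
# Added example, not from the thread: confirm AES-NI is available and see what
# it is worth on this CPU before blaming the hardware for a slow OpenVPN tunnel.

# aesni_supported FLAGS_TEXT -> prints yes/no; Linux spells the flag "aes",
# FreeBSD's boot messages spell it "AESNI"
aesni_supported() {
    if printf '%s\n' "$1" | grep -Eqw 'aes|AESNI'; then
        echo yes
    else
        echo no
    fi
}

# cpu_flags -> feature text of the running host, empty if neither source exists
cpu_flags() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then
        grep -E 'Features2=' /var/run/dmesg.boot    # FreeBSD / pfSense
    else
        echo ""
    fi
}

# bench_aes -> throughput lines for AES-256-GCM with and without AES-NI.
# OPENSSL_ia32cap="~0x200000000000000" clears bit 57 (AES-NI) of OpenSSL's
# capability vector, forcing the software AES path for comparison.
bench_aes() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    echo "AES-256-GCM, AES-NI enabled:"
    openssl speed -evp aes-256-gcm -seconds 1 2>/dev/null | tail -n 1
    echo "AES-256-GCM, AES-NI masked (software AES):"
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-256-gcm -seconds 1 2>/dev/null | tail -n 1
}

# Constructed sample flag lines used for a self-check; real data comes from cpu_flags.
SAMPLE_WITH_AESNI='flags : fpu vme sse2 ssse3 sse4_1 sse4_2 aes avx2 vaes'
SAMPLE_WITHOUT_AESNI='flags : fpu vme sse2 ssse3 sse4_1 sse4_2 avx2'

echo "this host advertises AES-NI: $(aesni_supported "$(cpu_flags)")"
if [ "${1:-}" = "--bench" ]; then
    bench_aes
fi
```

If the CPU advertises AES-NI but the two benchmark rows are close together, OpenSSL is already on the software path for some reason (an old build, or the capability mask set in the environment); if they differ several-fold, the CPU is fine and the remaining suspect is the OpenVPN configuration on one of the two ends, since OpenVPN only benefits when the chosen cipher is an AES mode the library accelerates.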

I dropped openvpn after that test so I don’t have it around to try, but I’ll keep it in mind if I ever need it again.

Reach out if you ever need assistance to get it running.