In this article I will provide a short speed comparison on speed test for 2 vpn options that come within opnsense.
First is the openvpn, a built in vpn client that is provided with opnsense.
The second is shadowsocks socks proxy that is provided as a plugin for opnsense.
A few words about connection settings:
- encryption was set to aes 256 gcm for both the open vpn and shadowsocks
- this was a virtual machine in the cloud with no hardware acceleration for encryption or anything
- openvpn uses an internal network adapter called tun/tap while the shadowsocks uses default wan adapter
- both setups were configured on the same opnsense machine and the speed test was run against the same provider
In regards with the speed, the winner is shadowsocks.
Below are the speeds that were reached for both setups.
The speed for the shadowsocks was almost 10 times higher then the openvpn.
Download speed for shadowsocks was 327mb while on openvpn was 32mb.
Upload speed for shadowsocks was to 395mb while on openvpn was 17mb.
It is worth saying that the openvpn was maxing up the cpu on the server, while shadowsocks proxy did not.
root@vpn1:~ # w
8:36AM up 31 days, 23:09, 2 users, load averages: 0.82, 0.66, 0.66
USER TTY FROM LOGIN@ IDLE WHAT
I suspect that the difference comes from how the traffic is routed internally.
In openvpn the traffic is nated from one interface (Openvpn interface) to the wan while shadowsocks uses only one interface.
So if you are trying to watch netflix or use the vpn for torrents you need to configure the shadowsocks plugin to benefit the maximum speed of your server.
Also if you are trying to bypass the great firewall of China, you may need to use shadowsocks as well. The traffic through this proxy is scrambled and it is not detected by the firewall, while the openvpn traffic is very common nowdays and it can be detected.
In regard with opnsense optimization, the following needs to be setup in order to max out speed.
The last 2 settings are optional, but for the first one, it's mandatory to maximize speed.
Disable hardware checksum offload
Disable hardware TCP segmentation offload
Disable hardware large receive offload