Sunday, July 7, 2024

Surprising OpenVPN and WireGuard result on Intel Alder Lake N100 pfSense Router

Introduction

I have been using OpenVPN on my home router for the last 10 years or so, and I finally got around to trying WireGuard tunneling. From what I heard, I was expecting WireGuard to be much faster, as I have seen a huge performance increase when I switched from OpenVPN to WireGuard on my Private Internet Access VPN.

To my surprise, it turns out that OpenVPN is still significantly faster (and better) on my Intel Alder Lake N100 router.

Benchmark

Here are the specs used for the benchmark:

and here's the result:

| Metric | Un-encrypted | OpenVPN | WireGuard |
| --- | --- | --- | --- |
| Ping | 1ms | 1ms | 1ms |
| Latency (Down) | 16ms | 29ms | 15ms |
| Latency (Up) | 22ms | 38ms | 26ms |
| Download Speed | 912.40Mbps | 914.35Mbps | 636.50Mbps |
| Download CPU usage | 10% | 10% | 21% |
| Upload Speed | 945.48Mbps | 944.01Mbps | 658.27Mbps |
| Upload CPU usage | 63% | 69% | 89% |


Explanation

OpenVPN relies on the underlying OpenSSL library, which uses hardware-accelerated AES instructions when the CPU provides them. The Intel Alder Lake N100 processor supports AES-NI, and my pfSense dashboard showed that it's enabled. WireGuard, on the other hand, uses the ChaCha20-Poly1305 algorithm, which takes advantage of SIMD instructions that exist on virtually all non-embedded CPUs.

So it appears that AES hardware acceleration provides a significant boost over using SIMD instructions, at least on the Intel N100 processor.
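To check on your own hardware whether AES-GCM really outruns ChaCha20-Poly1305, the two ciphers can be timed with openssl speed. This is an added example, not part of the original post: it assumes AES-256-GCM as the OpenVPN data cipher (the post does not name one), it measures userspace OpenSSL only rather than the VPN data path, and the function names and sample output are constructed.

```sh
#!/bin/sh
# Added example: compare raw AEAD throughput of AES-GCM and ChaCha20-Poly1305.
# Assumption: AES-256-GCM stands in for the OpenVPN data cipher.

# Constructed sample of `openssl speed` output (not a real measurement).
SAMPLE_OUTPUT="The 'numbers' are in 1000s of bytes per second processed.
type           1400 bytes
AES-256-GCM    4200000.50k"

# One benchmark pass at a VPN-sized block (needs OpenSSL 1.1.1+).
bench_cipher() {
    openssl speed -evp "$1" -bytes 1400 -seconds 3 2>/dev/null
}

# Read `openssl speed` output on stdin and print throughput in kB/s.
# The result row is the last non-empty line; the figure is its last
# field with a trailing "k", e.g. "4200000.50k".
parse_kbps() {
    awk 'NF { last = $NF } END { sub(/k$/, "", last); printf "%d\n", last }'
}

# AES throughput as a percentage of ChaCha20 throughput (integers, kB/s).
# Prints nothing and fails if either measurement is missing.
aes_vs_chacha_pct() {
    [ "${1:-0}" -gt 0 ] && [ "${2:-0}" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

compare_live() {
    aes=$(bench_cipher aes-256-gcm | parse_kbps)
    chacha=$(bench_cipher chacha20-poly1305 | parse_kbps)
    echo "AES-256-GCM:       ${aes} kB/s"
    echo "ChaCha20-Poly1305: ${chacha} kB/s"
    pct=$(aes_vs_chacha_pct "$aes" "$chacha") || {
        echo "benchmark failed (is openssl 1.1.1+ installed?)" >&2
        return 1
    }
    echo "AES-GCM runs at ${pct}% of ChaCha20-Poly1305 speed on this CPU"
}

# Run the live benchmark only when asked: sh bench.sh --run
if [ "${1:-}" = "--run" ]; then
    compare_live
fi
```

A result well above 100% is consistent with the AES-NI explanation; a result near or below 100% suggests the throughput gap comes from somewhere other than the cipher.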

Conclusion

For Intel N100 processor-based pfSense routers, OpenVPN provides over 43% higher VPN throughput than WireGuard. In fact, the AES-NI acceleration is so effective that it achieves nearly 100% of ISP throughput with no additional CPU overhead (for a 1Gbps connection).

What is really interesting is that the WireGuard connection works at 50 to 68% lower latency than OpenVPN. As such, WireGuard may be better suited for activities such as gaming and remote desktop access.

In conclusion, for those using an Intel Alder Lake N100 for a pfSense router, OpenVPN should be used if your primary goal is to obtain the highest throughput with the clients. If your client application is more sensitive to network latency, WireGuard should be used instead.


Friday, December 22, 2023

New Outlook does not work with Basic Microsoft 365 Business plan due to licensing restrictions

I ran into a really odd error on a PC today. Basically you get an error from Outlook:

This account is not supported in Outlook for Windows due to the license provided by your work or school

when trying to set up an email hosted by Microsoft (custom domain).

As it turns out, the issue is that new Outlook does not allow Basic Microsoft 365 Business plan accounts to be added, due to licensing restrictions! So when I disabled the "New Look" and went back to the "old" version of Outlook, it worked just fine.

A nice summary of the issue can be found in this detailed user feedback to Microsoft:

https://feedbackportal.microsoft.com/feedback/idea/2f7925cb-3a80-ee11-a81c-000d3ae46fcb

Tuesday, October 17, 2023

Disable IPv6 on Debian

Append the following in the /etc/sysctl.conf file:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

and run:

sudo sysctl -p

and reboot
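A check that the settings above are both present in the file and active at runtime, as an added example that is not part of the original post. It looks at the live /proc/sys tree as well as the config because a per-interface key such as tun0 only takes effect if that interface exists when sysctl -p runs; the function names and the --check flag are made up for this sketch.

```sh
#!/bin/sh
# Added example: confirm the sysctl settings above actually took effect.

# Print every interface whose runtime disable_ipv6 flag is not 1.
# $1: sysctl tree root (default /proc/sys); overridable for testing.
ipv6_enabled_ifaces() {
    root=${1:-/proc/sys}
    for f in "$root"/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "1" ]; then
            iface=${f%/disable_ipv6}
            echo "${iface##*/}"
        fi
    done
}

# Print the keys from the post that are missing, commented out, or not
# set to 1 in a sysctl.conf-style file.
# $1: config file path (default /etc/sysctl.conf).
missing_conf_keys() {
    conf=${1:-/etc/sysctl.conf}
    for ifc in all default lo tun0; do
        key="net.ipv6.conf.$ifc.disable_ipv6"
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*1[[:space:]]*\$" \
            "$conf" 2>/dev/null || echo "$key"
    done
}

# Report both views; exit status is 0 only when nothing is left enabled.
report() {
    bad_conf=$(missing_conf_keys "${1:-}")
    bad_run=$(ipv6_enabled_ifaces "${2:-}")
    [ -z "$bad_conf" ] || printf 'not set in config: %s\n' $bad_conf
    [ -z "$bad_run" ] || printf 'IPv6 still enabled on: %s\n' $bad_run
    [ -z "$bad_conf$bad_run" ]
}

# Run against the real system only when asked: sh check_ipv6.sh --check
if [ "${1:-}" = "--check" ]; then
    report
fi
```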

Saturday, October 14, 2023

Remove rate limit on pi-hole

Edit /etc/pihole/pihole-FTL.conf

Change RATE_LIMIT line to:

RATE_LIMIT=0/0

then restart pi-hole:

sudo service pihole-FTL restart

You won't see random DNS resolution issues again!


Thursday, October 5, 2023

Resizing video using FFMPEG and Nvidia GPU

Recently I had to resize a rather large 4k H.265 video file to a 1080p H.265 file. This is what I used. SO much faster than using the CPU for decoding!

ffmpeg.exe -vsync 0 -hwaccel cuda -hwaccel_output_format cuda -i <input file> -resize 1920x1080 -c:v hevc_nvenc -preset fast -rc vbr -acodec copy <output file>

Tuesday, September 19, 2023

Enable direct P2P ethernet connection between 2 computers (Windows)

I recently had to add a secondary ethernet connection between two PCs, in order to quickly transfer lots of data between them. I ended up using two USB 2.5Gbps network adapters; those computers were already on a Gigabit LAN.

In order to prioritize the transfer over the 2.5Gbps connection, I had to make a manual entry in each computer's routing table. Let's assume the static IP addresses of the two machines are 192.168.200.1 and 192.168.200.2.

Step 1: You need to run ROUTE PRINT and find the network interface (IF) number of the device (e.g. 49 in our example below).

Step 2: Then in an elevated Command prompt, execute the following:

route -p add <destination network> MASK <net mask> <gateway> METRIC <interface metric> IF <interface number>

e.g. On 192.168.200.1 computer: route -p add 192.168.200.0 MASK 255.255.255.0 192.168.200.2 METRIC 1 IF 49

e.g. On 192.168.200.2 computer: route -p add 192.168.200.0 MASK 255.255.255.0 192.168.200.1 METRIC 1 IF 49

Now whenever you initiate network traffic between the two, it will use the direct connection (192.168.200.0 network) you set up, instead of their usual LAN (say 192.168.x.0).