Tom here from Lawrence Systems, and I want to talk about VPN scaling with pfSense. The advice on this page is intended to help firewall administrators handle increased VPN volume, both in terms of throughput and number of connected users. If you want to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a hire-us button up at the top. If you want to support this channel in other ways, there are some affiliate links down below that give you deals and discounts on products and services that we talk about on this channel.

VPN scaling. I've got plenty of videos on pfSense, plenty of videos on VPNs on pfSense, and the documentation that the folks at Netgate provide is outstanding, if you weren't aware. This is right from their website, so you're hearing it from the people who make the software, and they also sell appliances that run pfSense. They have an entire hangout series that breaks down a lot of this on their YouTube channel as well, covering all kinds of details about it. But I wanted to cover some finer details, given the high demand here in March of 2020 for VPNs with people working from home: a couple of things you can tune to get the most out of your VPN.

First: no pfSense limits. This seems to be a popular question when I've done videos: does pfSense have a limit? How fast can it go? Well, your only limitation is the hardware environment. There are no artificial limits on the number of connections you can have or the speeds you can get. It's all really limited by how fast your internet provider is and how fast the hardware running it is. And they do have a list of specs, like I said, for the Netgate appliances and what to expect from them.

Second: IPsec is faster. I talk a lot more about OpenVPN because most of the time we're dealing with users who need to remote in to get to work, and we ourselves use OpenVPN here at Lawrence Systems.
So my remote workers can get into our local network here. It's an excellent product, but IPsec is faster. So for now, in March of 2020, this is still going to be the case, just FYI. Everything has a date on it because if a new version of any one of them comes out, things could change, or different VPN services could come out. But IPsec does not cut through NAT very well. So there are challenges: if the user is behind NAT, IPsec may be less than ideal, which is why we use OpenVPN many times for remote users. For site-to-site, IPsec is pretty much the general way to do it when we're connecting remote offices together.

External authentication. User-based authentication is great when you have a few users; when you have a thousand users, suddenly you're loading up the hardware on pfSense to handle the authentication as well as the VPN. This can be very taxing on the system. Therefore, using an external authentication server when you're talking about that many users is going to be important. Now, I have videos breaking down how to use RADIUS inside of pfSense, the RADIUS server, for authentication, so you can add some more specific things like a fixed IP address per user, but that RADIUS server running on pfSense is also going to tax the hardware that's running the VPN. So yeah, 20 users, no problem; 100 users, 300 users, well, maybe you're having a bit more of a scaling issue. So that's something to keep in mind when you're asking, can I get better VPN speeds? How many users you have is going to be a bit of a factor in the limitations.

Hardware acceleration. I'll show you where to turn this on; it's really simple to do. This hardware I'm using, my virtualized lab one, does have AES-NI crypto support, and yes, it's active. So this can get a little bit more speed, because for quite a number of years processors have had this built in.
So if we go here to Advanced > Miscellaneous, we can turn on AES-NI and BSD Crypto and away we go; that will turn on that feature and you'll be able to take advantage of it.

This next one I have not done any testing on, and even they admit it's kind of a one-off thing, but the Kernel PTI and MDS Mode settings can potentially degrade total performance. These are the Spectre/Meltdown mitigations that have been built into BSD and pfSense. If they detect an Intel processor with those potential flaws, they will automatically enable the mitigation. Those mitigations may cost you a little bit of speed, but if you're trying to squeeze every ounce of speed out of the system, well, turning them off will possibly help you a little bit more. I mean, we're talking about fine tuning, so this is worth mentioning here. Side note: what about this being less secure? I know this was obviously in the headlines a couple of years ago, and more recently when different flaws have been found in Intel CPUs. In order for someone to exploit this, they need to be running on the same hardware, and the only thing running, if you're running a firewall, should be your firewall software, in this case pfSense. Therefore someone would have to have high levels of privilege on the same hardware. It's not like you're running a virtualization stack on a general hardware firewall. Obviously, running it in virtualization, that's a different issue. But if you're running it on your own hardware, someone would have to have high levels of privilege to even attempt breaking the boundaries between the processors and the cores like Spectre and Meltdown do and extracting data. If they had that level of privilege, they would probably go the easy route to extracting data, because it takes such a high level of privilege. So this is not something I think is, right now, as far as we know, any real huge risk, but it may get you a little bit more performance.
So I'll throw that one out there as kind of a maybe, and it probably doesn't make a big difference with one user. But obviously with a large-scale VPN with maybe a thousand users, yes, now all of a sudden those little things might make a big difference.

Make sure your tunnel network address pool size is big enough to handle the volume of users. This may seem obvious, but sometimes it can be overlooked: you configure the VPN, but now all of a sudden it's a time when many users are using it at the same time and you can't figure out why some of them can't connect. You may not have a pool size big enough.

You can gain a little bit of performance going from a 256-bit key to a 128-bit key. A 128-bit key is still a very strong cipher, but you can limit this because it's going to tax the processor more if you have it at 256. So make an informed decision and understand that you get a little bit more speed by doing it that way.

Consider split tunneling. This is huge. Of all the items in this list, this one can be a really big deal. What split tunneling is: do you want to force all the traffic? Let's go over here to the OpenVPN settings, so OpenVPN > edit, scroll down here: "Force all client-generated traffic through the tunnel", the Redirect IPv4 Gateway option. Well, this can be a problem for you. If you force all the traffic, as in when the user connects, they're not just getting local resources; you want all their traffic redirected. This is great if you want to VPN from a coffee house and have 100% of the traffic tunneled in and locked into your network and things like that. But especially in the current situation we're in, people may have a lot of other browser tabs open, or be watching a video, or have a couple of news tabs open, and they want to access local resources.
If you're not splitting it, and letting them use their standard non-VPN connection, their standard internet connection, for all the other things they have going on, and the other one that accesses local resources, that's what split tunneling means. So by doing it this way, where you say, all right, we're going to only push local network resources: if they need something on the local network, that goes over the VPN, but that Facebook page or whatever other pages they have for video streaming, news, etc. are not going over the VPN. That alone can save you quite a bit with your users, because now they're not taxing you; you're only going to pull what local resources they need, which leaves more resources, more bandwidth and more processing power available for local resources versus them trying to tunnel everything. Now, obviously, as much as the ideal thing is to have your users VPN in, force all traffic, and have them only go to 100% work-related sites, that's a wonderful idea, but we live in the real world and sometimes users don't do it. So that's one of them that I'm going to say may help you quite a bit.

Now, they have a lot of other little details about all the different phases you can do in IPsec, a little bit about how you can set the cryptography up and how you can do split tunneling in there, how you can scale OpenVPN, and other fine tuning you can change.
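The two server-side points above, a tunnel network pool that is too small and the "force all client-generated traffic" (redirect-gateway) setting, can both be read straight out of the OpenVPN server config that pfSense generates. The following is an added example, not code from the video or from Netgate/pfSense. It parses a constructed sample server config, sizes the address pool the way the OpenVPN manual describes the expansion of the `server` directive (assumed here for both `topology subnet` and the older `net30`), compares it against an expected number of concurrent clients, reports whether a full tunnel is being pushed, and suggests the smallest prefix that would fit. The config contents and the 300-user figure are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of the directives a remote-access OpenVPN server config
# contains (hypothetical values, not copied from any real export).
SAMPLE_SERVER_CONF = """\
dev ovpns1
dev-type tun
topology subnet
proto udp4
cipher AES-256-GCM
auth SHA256
server 10.0.8.0 255.255.255.0
push "redirect-gateway def1"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
"""


@dataclass
class PoolReport:
    tunnel_network: str
    topology: str
    capacity: int            # clients that can hold a pool address at once
    expected_clients: int
    enough_addresses: bool
    full_tunnel: bool        # redirect-gateway is pushed, i.e. no split tunnel
    pushed_routes: list = field(default_factory=list)
    cipher: str = ""


def parse_server_conf(text):
    """Split an OpenVPN server config into {directive: value} plus the pushed options."""
    directives, pushes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r'push\s+"([^"]*)"', line)
        if m:
            pushes.append(m.group(1))
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return directives, pushes


def pool_capacity(network, topology):
    """Client addresses in the pool OpenVPN derives from the --server directive.

    Assumption taken from the OpenVPN manual's expansion of --server: with
    'topology subnet' the pool runs from net+2 to broadcast-2 (network address,
    the server's .1, the last host and broadcast are not handed out); with
    'net30' every client consumes a /30 and the first and last /30 are reserved.
    """
    n = network.num_addresses
    if topology == "net30":
        return max(n // 4 - 2, 0)
    return max(n - 4, 0)


def check_server_conf(text, expected_clients):
    """Report pool capacity versus expected concurrent clients and the tunnel mode."""
    directives, pushes = parse_server_conf(text)
    addr, _, mask = directives["server"].partition(" ")
    network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    # OpenVPN's historical default when the directive is absent; pfSense writes it explicitly.
    topology = directives.get("topology", "net30")
    capacity = pool_capacity(network, topology)
    full_tunnel = any(p.startswith("redirect-gateway") for p in pushes)
    routes = [p[len("route "):].strip() for p in pushes if p.startswith("route ")]
    return PoolReport(str(network), topology, capacity, expected_clients,
                      capacity >= expected_clients, full_tunnel, routes,
                      directives.get("cipher", ""))


def recommend_prefix(expected_clients, topology="subnet"):
    """Smallest (largest-number) IPv4 prefix whose pool fits expected_clients."""
    for prefix in range(30, 7, -1):
        if pool_capacity(ipaddress.ip_network(f"10.0.0.0/{prefix}"), topology) >= expected_clients:
            return prefix
    raise ValueError("no prefix between /30 and /8 is large enough")


if __name__ == "__main__":
    report = check_server_conf(SAMPLE_SERVER_CONF, expected_clients=300)
    print(report)
    if not report.enough_addresses:
        print(f"pool too small; use a /{recommend_prefix(300, report.topology)} or larger")
    if report.full_tunnel:
        print("redirect-gateway is pushed: all client traffic will ride the tunnel")
```

Run against the sample, the /24 gives 252 usable addresses under `topology subnet`, so 300 concurrent users would start failing to get an address exactly as the video describes; a /23 is the smallest fix. The same config with the `redirect-gateway` push removed is the split-tunnel case, where only the pushed `route` lines go over the VPN.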
The one thing I will mention: any time you make a change in here, whether to the cipher or some of the other settings, you may run into problems. If you change something, make sure you re-export to the client. Ideally this is something you would have done before you deployed it, but even after deployment you may be running into scaling problems. Please note, when making these changes, there may be differences. A couple of easy things you can do: download the client before you make the changes, then download the client again after and do a diff to see what may have changed. Some of these things, like you can see all the settings right here: if you change the ciphers, there's where it says it; if you change the auth digest, or TLS client, whether or not you're using it just as a client, or any of those, this will get changed inside this, and that will break existing users. So just something else to keep in mind: you may have to redeploy the VPN client if you make any of these major changes.

So keep all that in mind, stay safe out there, and hopefully this helps you get the most out of the VPN, gets you the best performance you can get out of there, so you can have more users and scale up. Go through and look at the settings; I've covered this before, and so has Netgate in several other videos, and there's a list of a few at the bottom here. If you want to get into that really fine-tuning thing of increasing some buffers, using UDP Fast I/O, and, like they said, these are experimental options, you can if you're really trying to fine-tune it; just don't do it while all the other users are on, because any of these settings you change could disrupt current users. So keep that in mind as well. I'll leave a link to this so you can read this all and dive into the details.

All right, thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
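The "export the client before and after, then diff" advice near the end is easy to automate, and a structured diff is more useful than a line diff because exported client configs carry inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>`/`<tls-crypt>` blocks that differ in ways a reader cannot eyeball. The following is an added example, not code from the video or from pfSense's client export package. It parses two constructed sample client configs (hypothetical hostnames and truncated placeholder certificate material), reduces each inline block to a digest, reports every directive whose value changed, and flags the ones on an assumed list of settings that an already-deployed client would need re-exported for. Which directives count as "breaking" is this example's assumption, not something the page states.

```python
import hashlib
import re

# Constructed sample: an exported client config before a server-side change.
BEFORE = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1194 udp4
verify-x509-name "ovpn-server" name
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed sample: the same export after changing cipher, digest, port and
# switching the TLS key usage mode from tls-auth to tls-crypt.
AFTER = """\
dev tun
persist-tun
persist-key
cipher AES-128-GCM
auth SHA256
data-ciphers AES-128-GCM:AES-256-GCM
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1195 udp4
verify-x509-name "ovpn-server" name
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
fedcba9876543210fedcba9876543210
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Assumed list of directives whose change means an already-deployed client
# needs the new export (assumption of this example, not a pfSense statement).
BREAKING = {
    "cipher", "auth", "ncp-ciphers", "data-ciphers", "data-ciphers-fallback",
    "tls-auth", "tls-crypt", "tls-crypt-v2", "key-direction", "remote", "proto",
    "compress", "comp-lzo", "ca", "cert", "key", "tls-client", "tls-version-min",
    "remote-cert-tls", "verify-x509-name", "auth-user-pass",
}


def parse_client_conf(text):
    """Return {directive: [values]}; inline <blocks> become 'inline:<sha256 prefix>' values."""
    conf, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == f"</{block}>":
                digest = hashlib.sha256("\n".join(body).encode()).hexdigest()[:16]
                conf.setdefault(block, []).append(f"inline:{digest}")
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            block = m.group(1)
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf


def diff_client_confs(before_text, after_text):
    """Map each changed directive to (old values or None, new values or None)."""
    before, after = parse_client_conf(before_text), parse_client_conf(after_text)
    return {key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after))
            if before.get(key) != after.get(key)}


def breaking_changes(changes):
    """Changed directives that, per the BREAKING list above, require a client re-export."""
    return sorted(k for k in changes if k in BREAKING)


if __name__ == "__main__":
    changes = diff_client_confs(BEFORE, AFTER)
    for key, (old, new) in changes.items():
        print(f"{key}: {old} -> {new}")
    print("re-export needed for:", breaking_changes(changes))
```

Reducing inline blocks to a digest keeps key material out of the report while still showing that the CA did not change but the static TLS key did. Treat the flagged list as a review list rather than a verdict: clients new enough to negotiate the data-channel cipher with the server can survive some cipher changes, while a switch between `tls-auth` and `tls-crypt` or a new port will fail for every client still on the old export.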