1Gbps on OpenVPN

Hello! I would like to use openWISP2, meaning the remote transport of networks requires openVPN.

Does anybody know of a magic configuration that can achieve 1Gbps on openVPN? Maybe a mini PC with AES-NI and a good WiFi card?

An Intel i3-7100T is only capable of 500 Mbps over OpenVPN. You’re unlikely to get 1 Gbps over a single OpenVPN link with consumer-grade hardware.

Edit: An Intel i7-8700B (3.2 GHz) with the same AMD Ryzen 5 2600 (3.6 GHz) OpenVPN/OpenSSL server topped out around 430 Mbps.

Edit 2: Getting 1 Gbps over 802.11 is also something of a feat outside of the laboratory.

Edit 3: See also the somewhat dated and untested-by-me https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux


I'm worried about the aggregated traffic, not actually looking to achieve 1Gbps on a single client connection.

Maybe using something else as transport then?

Transport, meaning to your ISP or the encryption?

For transport to your ISP, if you're running a single 802.11 link, MCS 9 and an 80 MHz channel is 433 Mbps modulation rate per stream. You'd need at least three streams, more likely four, to get 1 Gbps throughput for a single direction. Unless you've got high-gain antennas or the ISP is in your living room, I think that is a major challenge.

For encryption, WireGuard has significantly lower CPU costs. My testing suggests that a Celeron J4105 can get close to wire-limited rates on a GigE connection.
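The "433 Mbps per stream" figure above is the 802.11ac PHY rate for MCS 9 on an 80 MHz channel with a short guard interval. The following calculator is an added example, not code from the thread or from OpenWrt; it computes VHT PHY rates from the standard's parameters (data subcarriers, modulation bits, coding rate, symbol duration) and works out how many spatial streams a 1 Gbit/s target needs. The 0.6 MAC-efficiency figure used in the usage section is an assumption standing in for real-world overhead, not a measurement.

```python
"""802.11ac (VHT) PHY rate calculator (added example).

rate = N_SD * bits_per_subcarrier * coding_rate * N_SS / T_symbol
N_SD     : data subcarriers for the channel width
T_symbol : OFDM symbol duration including guard interval (microseconds)
"""
from fractions import Fraction

# VHT MCS index -> (modulation bits per subcarrier, coding rate)
VHT_MCS = {
    0: (1, Fraction(1, 2)),  # BPSK 1/2
    1: (2, Fraction(1, 2)),  # QPSK 1/2
    2: (2, Fraction(3, 4)),  # QPSK 3/4
    3: (4, Fraction(1, 2)),  # 16-QAM 1/2
    4: (4, Fraction(3, 4)),  # 16-QAM 3/4
    5: (6, Fraction(2, 3)),  # 64-QAM 2/3
    6: (6, Fraction(3, 4)),  # 64-QAM 3/4
    7: (6, Fraction(5, 6)),  # 64-QAM 5/6
    8: (8, Fraction(3, 4)),  # 256-QAM 3/4
    9: (8, Fraction(5, 6)),  # 256-QAM 5/6
}

# Data subcarriers per channel width (MHz)
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}

# Symbol duration including guard interval, in microseconds
SYMBOL_US = {"long": 4.0, "short": 3.6}

# (MCS, width, streams) combinations the VHT MCS tables do not define
INVALID = {(9, 20, n) for n in (1, 2, 4, 5, 7, 8)} | {
    (6, 80, 3), (6, 80, 7), (9, 80, 6), (9, 160, 3),
}


def vht_phy_rate_mbps(mcs, width_mhz, streams, gi="short"):
    """PHY data rate in Mbit/s; ValueError for undefined combinations."""
    if (mcs, width_mhz, streams) in INVALID:
        raise ValueError(
            f"MCS {mcs} at {width_mhz} MHz with {streams} streams is not a VHT rate"
        )
    bits, code_rate = VHT_MCS[mcs]
    data_bits_per_symbol = DATA_SUBCARRIERS[width_mhz] * bits * code_rate * streams
    # bits per microsecond is numerically Mbit/s
    return float(data_bits_per_symbol) / SYMBOL_US[gi]


def streams_needed(target_mbps, mcs=9, width_mhz=80, gi="short", mac_efficiency=1.0):
    """Smallest stream count (1..8) whose PHY rate, scaled by mac_efficiency,
    reaches target_mbps, or None if none does.

    mac_efficiency=1.0 is the raw modulation rate. Any lower figure is an
    ASSUMPTION for MAC overhead (preamble, ACKs, contention), not a measurement.
    Undefined MCS/width/stream combinations are skipped."""
    for n in range(1, 9):
        try:
            rate = vht_phy_rate_mbps(mcs, width_mhz, n, gi)
        except ValueError:
            continue
        if rate * mac_efficiency >= target_mbps:
            return n
    return None


if __name__ == "__main__":
    print(f"MCS 9, 80 MHz, 1 stream, short GI: {vht_phy_rate_mbps(9, 80, 1):.1f} Mbit/s")
    print("Streams for 1 Gbit/s at raw PHY rate:", streams_needed(1000))
    print("Streams for 1 Gbit/s at an assumed 60% MAC efficiency:",
          streams_needed(1000, mac_efficiency=0.6))
```

Three streams clear 1 Gbit/s on paper (3 x 433 = 1300 Mbit/s), but once the assumed MAC overhead is applied the answer becomes four, which is the "more likely four" in the post. Both the client and the AP must support that many streams, and the link must actually hold MCS 9, which needs a very high SNR.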

The ISP is in my living room :grin:, the thing is, if needed, 1GbE or 2GbE of uplink is almost guaranteed (copper). And we have a lot of roamers, so a limit imposed by the encryption is undesirable.

I was talking about the OpenVPN based transport of the networks. The other "solution" would be to require an MPLS service for each new subnet at multiple locations, that's way too much work if it's not a one time only setup.

I'll take a look at what's needed to implement Wireguard as transport. Would other solutions like Zerotier be more on the OpenVPN or Wireguard's side of the performance spectrum?

VXLAN would be an option, but I'm not sure about the CPU dependency or ability to protect the information that travels the underlying infrastructure (or the feasibility to integrate that to OpenWISP2).

Edit: I expect an average of 60 devices per AP.

I think you should summarize a bit and reveal a bit more what you want to achieve; you started from 1Gbps throughput over OpenVPN and it turns out that you are a WISP.

This is way too much. Anything above 25 hosts per AP will most likely not make customers happy.


Well, we don't run a WISP (not public at least :joy:). Under my responsibility are offices and branch offices for the company I work for.

Currently we have a Cisco Aironet based (and insanely expensive) solution, which uses LWAPP/CAPWAP tunneling to deliver remote networks to different branch offices. The WLC has a lot of bells and whistles we don't use, and some limitations. The idea is to get creative and find alternatives to a full renewal with the same vendor.

We did quick tests and even consumer APs have good performance for basic forwarding, no NAT. We'll run proper tests, hopefully with better hardware, just want to understand in which direction we should put our efforts, I assume this would be a two months exercise and it's exploratory.

The 60 devices figure is from a work area and uplink traffic seems to be pretty low (to be fair, don't know if LWAPP/CAPWAP can achieve linerate, it's something to check). We have a leisure zone with no SLA with around 100 devices (mostly smartphones) :rofl:

Not that Cisco gear is inherently more robust than consumer all-in-ones, I'd consider reliability and ease of a "quick fix". One attractive thing about x86_64/AMD64 hardware is that should one go down, a desktop potentially could be quickly pressed into service with minimal changes to the image's configuration, if you didn't have a spare available.

Well, hanging a full sized PC from the ceiling would be certainly my last resort. :sweat_smile:

I've reviewed Lanner appliances, but they seem difficult to find in the wild. They seem to sell in big batches only (thousands?). Don't want to overengineer this, Zyxel has something they call SDN based, and even TP-Link has an "enterprise" family.

We'll keep looking into this. Still missing a promising platform to focus effort on.


I am not sure you can find anything for controlling multiple OpenWrt routers or APs the way that enterprise solutions do.
If you want to reduce the excessive cost of the Cisco/Meraki gear and licensing, I suggest you take a look at the Ubiquiti UniFi. Lower prices, no licensing, and free controller running on a mere Raspberry.

From the documentation, Unifi seems to lack the feature of remote transport of the networks, you can define multiple SSID, but must match them to a regular VLAN.

Am I missing something?

Could you explain what you mean by that?

Security Gateway supports VPNs, if that is connected to the question of the title.

L2 transport with some kind of overlay in L3

That way, I can have the same L2 network in different building/cities with a few clicks. It's not practical to match a SG to each AP.

That maybe could be achieved (more or less) with a semi-dumb AP running an OpenVPN L2 tunnel back to the head office. But then again you are losing the ability to manage them remotely by controller.