Talkabout Posted December 14, 2019 Share Posted December 14, 2019 Hi guys, I have recently bought a Rock64 to improve the performance of my VPN gateway. First tests look very promising as you can see here: root@rock64:~# openssl speed -evp aes-128-cbc -elapsed You have chosen to measure elapsed time instead of user CPU time. Doing aes-128-cbc for 3s on 16 size blocks: 15394610 aes-128-cbc's in 2.99s Doing aes-128-cbc for 3s on 64 size blocks: 12591175 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 256 size blocks: 6719021 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 1024 size blocks: 2448108 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 8192 size blocks: 352617 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 16384 size blocks: 177668 aes-128-cbc's in 3.00s OpenSSL 1.1.1d 10 Sep 2019 built on: Sat Oct 12 19:56:43 2019 UTC options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr) compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2 The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-cbc 82379.18k 268611.73k 573356.46k 835620.86k 962879.49k 970304.17k root@rock64:~# openvpn --genkey --secret /tmp/secret root@rock64:~# time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc Sat Dec 14 10:26:40 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode real 0m4.978s user 0m4.945s sys 0m0.032s Unfortunately when executing a simple curl, the throughput is very low: root@rock64:~# curl -L https://speed.hetzner.de/1GB.bin > /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 2 1000M 2 29.9M 0 0 2090k 0 0:08:09 0:00:14 0:07:55 3106k When using Ubuntu 18.04 Bionic I am reaching speeds of 8,4MByte/s. I have checked the openvpn process and it seems that it is only using 25% of CPU, whereas when using in Ubuntu it is using 50-60%. What are the differences here and why is Armbian limiting the process to 25%? Thanks! Bye Link to comment Share on other sites More sharing options...
dolphs Posted December 15, 2019 Share Posted December 15, 2019 check 1/ kernel settings, eg: net.core.default_qdisc = fq net.ipv4.tcp_congestion_control = bbr net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.ipv4.tcp_rmem = 4096 87380 16777216 net.ipv4.tcp_wmem = 4096 87380 16777216 net.ipv4.tcp_fastopen = 3 net.ipv4.tcp_no_metrics_save = 1 net.ipv4.tcp_slow_start_after_idle = 0 net.ipv4.tcp_timestamps = 0 2/ openvpn settings, eg; sndbuf 393216 rcvbuf 393216 push "sndbuf 393216" push "rcvbuf 393216" comp-lzo no #No need for streaming fast-io #Optimize I/O writes tls-version-min 1.2 remote-cert-tls client cipher AES-128-CBC ncp-disable auth SHA256 auth-nocache both ends have h5 (neo2 lts) currently and get upload/download of >100Mbit over VPN tunnel BTW kernel 5.3.9 shows on this board lower values so you should easily get 100Mbit openssl speed -evp aes-128-cbc -elapsed :~# openssl speed -evp aes-128-cbc -elapsed You have chosen to measure elapsed time instead of user CPU time. Doing aes-128-cbc for 3s on 16 size blocks: 12715522 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 64 size blocks: 10201155 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 256 size blocks: 5342908 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 1024 size blocks: 1919464 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 8192 size blocks: 274635 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 16384 size blocks: 138772 aes-128-cbc's in 3.00s OpenSSL 1.1.1a 20 Nov 2018 built on: Thu Nov 22 18:40:54 2018 UTC options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr) compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-d3BJKw/openssl-1.1.1a=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2 The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-cbc 67816.12k 217624.64k 455928.15k 655177.05k 749936.64k 757880.15k Link to comment Share on other sites More sharing options...
Talkabout Posted December 24, 2019 Author Share Posted December 24, 2019 Thank you very much, pointing to the "sndbuf/rcvbuf" values was the key. After changing those the throughput showed "normal" values again. Bye 1 Link to comment Share on other sites More sharing options...
Recommended Posts