OpenVPN throughput


Talkabout

Hi guys,

 

I have recently bought a Rock64 to improve the performance of my VPN gateway. First tests look very promising as you can see here:

 

root@rock64:~# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 15394610 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 12591175 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6719021 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2448108 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 352617 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 177668 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d  10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      82379.18k   268611.73k   573356.46k   835620.86k   962879.49k   970304.17k
root@rock64:~# openvpn --genkey --secret /tmp/secret
root@rock64:~# time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
Sat Dec 14 10:26:40 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real    0m4.978s
user    0m4.945s
sys     0m0.032s

Unfortunately when executing a simple curl, the throughput is very low:

 

root@rock64:~# curl -L https://speed.hetzner.de/1GB.bin > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  2 1000M    2 29.9M    0     0  2090k      0  0:08:09  0:00:14  0:07:55 3106k

When using Ubuntu 18.04 Bionic I am reaching speeds of 8,4MByte/s. I have checked the openvpn process and it seems that it is only using 25% of CPU, whereas in Ubuntu it is using 50-60%. What are the differences here and why is Armbian limiting the process to 25%?

 

Thanks!

 

Bye

Link to comment
Share on other sites

Check:

1/ kernel settings, e.g.:

net.core.default_qdisc = fq

net.ipv4.tcp_congestion_control = bbr


net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216



net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_timestamps = 0

 

2/ OpenVPN settings, e.g.:

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"



comp-lzo no     #No need for streaming
fast-io         #Optimize I/O writes



tls-version-min 1.2
remote-cert-tls client
cipher AES-128-CBC
ncp-disable
auth SHA256
auth-nocache

 

 

Both ends have H5 (NEO2 LTS) currently and get upload/download of >100Mbit over the VPN tunnel.

BTW, kernel 5.3.9 shows lower values on this board, so you should easily get 100Mbit

openssl speed -evp aes-128-cbc -elapsed

:~# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 12715522 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 10201155 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 5342908 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1919464 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 274635 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 138772 aes-128-cbc's in 3.00s
OpenSSL 1.1.1a  20 Nov 2018
built on: Thu Nov 22 18:40:54 2018 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-d3BJKw/openssl-1.1.1a=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      67816.12k   217624.64k   455928.15k   655177.05k   749936.64k   757880.15k

 

Link to comment
Share on other sites
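
One way to confirm that the kernel settings listed in the reply above are actually in effect on a board, as an added example that is not part of the original posts. The `PROC_SYS` override and the function names `norm` and `audit_sysctl` are assumptions introduced here; the key/value list is copied from the reply.

```shell
#!/bin/sh
# Added example: compare live kernel values with the sysctl list from the reply.
# PROC_SYS is a hypothetical override so the audit can run against a test tree.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Settings copied from the post above (key = value).
WANTED='net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_timestamps = 0'

# Collapse tabs and repeated spaces: the kernel prints tcp_rmem tab-separated.
norm() { printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'; }

# Prints OK / DIFF / MISSING per key; return status = number of non-OK keys.
audit_sysctl() {
    bad=0
    while IFS='=' read -r key want; do
        key=$(norm "$key"); want=$(norm "$want")
        [ -n "$key" ] || continue
        file="$PROC_SYS/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            echo "MISSING $key (wanted: $want)"; bad=$((bad + 1)); continue
        fi
        have=$(norm "$(cat "$file")")
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DIFF    $key = $have (wanted: $want)"; bad=$((bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    # bbr can only be selected when the kernel offers it (built in or module loaded).
    avail="$PROC_SYS/net/ipv4/tcp_available_congestion_control"
    if [ -r "$avail" ] && ! grep -qw bbr "$avail"; then
        echo "NOTE    bbr is not listed in tcp_available_congestion_control"
    fi
    return "$bad"
}
```

Source the file and call `audit_sysctl` on each end of the tunnel; a non-zero return status means at least one value differs from the list or is not exposed by the running kernel.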
