Talkabout

OpenVPN throughput


Hi guys,

 

I have recently bought a Rock64 to improve the performance of my VPN gateway. First tests look very promising as you can see here:

 

root@rock64:~# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 15394610 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 12591175 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6719021 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2448108 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 352617 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 177668 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d  10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-H2OJIf/openssl-1.1.1d=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      82379.18k   268611.73k   573356.46k   835620.86k   962879.49k   970304.17k
root@rock64:~# openvpn --genkey --secret /tmp/secret
root@rock64:~# time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
Sat Dec 14 10:26:40 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode

real    0m4.978s
user    0m4.945s
sys     0m0.032s

Unfortunately when executing a simple curl, the throughput is very low:

 

root@rock64:~# curl -L https://speed.hetzner.de/1GB.bin > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  2 1000M    2 29.9M    0     0  2090k      0  0:08:09  0:00:14  0:07:55 3106k

When using Ubuntu 18.04 Bionic I am reaching speeds of 8,4MByte/s. I have checked the openvpn process and it seems that it is only using 25% of CPU, whereas on Ubuntu it is using 50-60%. What are the differences here and why is Armbian limiting the process to 25%?

 

Thanks!

 

Bye


Check:

1/ kernel settings, e.g.:

net.core.default_qdisc = fq

net.ipv4.tcp_congestion_control = bbr


net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216



net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_timestamps = 0

 

2/ openvpn settings, e.g.:

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"



comp-lzo no     #No need for streaming
fast-io         #Optimize I/O writes



tls-version-min 1.2
remote-cert-tls client
cipher AES-128-CBC
ncp-disable
auth SHA256
auth-nocache

 

 

both ends have h5 (neo2 lts) currently and get upload/download of >100Mbit over VPN tunnel

BTW kernel 5.3.9 shows on this board lower values so you should easily get 100Mbit

openssl speed -evp aes-128-cbc -elapsed

:~# openssl speed -evp aes-128-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 12715522 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 10201155 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 5342908 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1919464 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 274635 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 138772 aes-128-cbc's in 3.00s
OpenSSL 1.1.1a  20 Nov 2018
built on: Thu Nov 22 18:40:54 2018 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-d3BJKw/openssl-1.1.1a=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      67816.12k   217624.64k   455928.15k   655177.05k   749936.64k   757880.15k

 

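An added example, not part of the original posts: on Linux, socket(7) caps a socket buffer request at net.core.wmem_max / net.core.rmem_max and doubles the stored value, so the sndbuf/rcvbuf directives from the reply above only take full effect when the sysctl limits are at least as large. The sketch below checks one against the other using the values quoted in the reply as constructed sample input; the function names are hypothetical.

```python
import socket

# Constructed sample input: buffer directives and sysctl limits quoted in the reply above.
OPENVPN_CONF = """\
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
"""
SYSCTL_CONF = """\
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
"""

def parse_openvpn_buffers(text):
    """Return this host's sndbuf/rcvbuf requests; push lines only affect clients."""
    out = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] in ("sndbuf", "rcvbuf"):
            out[fields[0]] = int(fields[1])
    return out

def parse_sysctl(text):
    """Parse 'key = value' lines of a sysctl.conf fragment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(conf_text, sysctl_text):
    """Per directive: (requested, kernel cap, clamped?, size Linux would report)."""
    wanted, limits = parse_openvpn_buffers(conf_text), parse_sysctl(sysctl_text)
    report = {}
    for name, key in (("sndbuf", "net.core.wmem_max"), ("rcvbuf", "net.core.rmem_max")):
        if name in wanted and key in limits:
            cap = int(limits[key])
            # socket(7): the request is capped at *_max, then doubled by the kernel
            report[name] = (wanted[name], cap, wanted[name] > cap,
                            2 * min(wanted[name], cap))
    return report

def probe(requested, opt=socket.SO_SNDBUF):
    """Ask the running kernel for a UDP socket buffer and return what it granted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, opt, requested)
        return s.getsockopt(socket.SOL_SOCKET, opt)
```

Running `probe(393216)` on the gateway itself shows whether the live kernel grants the full request or silently clamps it.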

Thank you very much, pointing to the "sndbuf/rcvbuf" values was the key. After changing those the throughput showed "normal" values again.

 

Bye
