OpenVPN Slow - local network test
-
Ok I just set this up...
With default everything on open seeing..
$ iperf3 -c 192.168.9.10
warning: Ignoring nonsense TCP MSS 334848
Connecting to host 192.168.9.10, port 5201
[ 5] local 10.0.100.2 port 52251 connected to 192.168.9.10 port 5201
[ ID] Interval        Transfer     Bitrate
[ 5] 0.00-1.00  sec  25.5 MBytes  214 Mbits/sec
[ 5] 1.00-2.00  sec  29.5 MBytes  248 Mbits/sec
[ 5] 2.00-3.00  sec  32.4 MBytes  272 Mbits/sec
[ 5] 3.00-4.00  sec  31.1 MBytes  261 Mbits/sec
[ 5] 4.00-5.00  sec  29.5 MBytes  247 Mbits/sec
[ 5] 5.00-6.00  sec  30.8 MBytes  258 Mbits/sec
[ 5] 6.00-7.00  sec  30.6 MBytes  257 Mbits/sec
[ 5] 7.00-8.00  sec  31.6 MBytes  265 Mbits/sec
[ 5] 8.00-9.00  sec  31.0 MBytes  260 Mbits/sec
[ 5] 9.00-10.00 sec  32.0 MBytes  268 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval        Transfer     Bitrate
[ 5] 0.00-10.00 sec  304 MBytes  255 Mbits/sec  sender
[ 5] 0.00-10.01 sec  304 MBytes  255 Mbits/sec  receiver
Let me see if I can tweak that a bit..
win10 pc (192.168.200.10) --- switch - 192.168.200.1 (test igb4) pfsense (sg4860) ( igb0 lan) 192.168.9.253 -- switch -- 192.168.9.10 (NAS)
Tweaking didn't make much difference to be honest, but using aes-128-gcm vs cbc was a huge difference.. When I changed to cbc vs gcm it went to 130 vs mid 200's
-
@johnpoz
Thanks for doing the testing.
I am surprised to see that the best we can get on a full 1Gb/s link is ~250 Mb/s
So I guess my ~150Mb/s on the first crack is not horrible? I know there is overhead to deal with...just surprised it is so much. This is looking like a 70% loss of speed using OpenVPN.
Is this what others are seeing as well?
-
openvpn is single threaded.. it's easy to use - it's never been "speedy" ;)
Keep in mind my sg4860, not a rocketship vpn endpoint concentrator either..
It has enough oomph to get the job done with lower power requirements.. But prob not what I would use for my vpn endpoint if what I wanted was as much throughput as possible.. Nor would openvpn be my first choice in that area - ipsec is better geared for throughput..
Openvpn advantage is ease of use, and deployment, etc.
But overall your sort of test with everything on the same vm host is not really a valid sort of testing.. It works for poc, etc. But it's not going to be a good indicator of what sort of bandwidth you could expect when using in the real world..
-
But overall your sort of test with everything on the same vm host is not really a valid sort of testing
Yes I think so too.
Looking at the hardware it should be capable of more.
Nor would openvpn be my first choice in that area
Wait a bit, who knows ;)
-
@Pippin said in OpenVPN Slow - local network test:
Wait a bit, who knows ;)
If the goal was pure throughput, openvpn would not be on the top of the list of choices.. It has many other attributes it shines at.. But if what I am looking for is closest to line speed using least amount of horsepower.. Then no it's not on the top of really any list ;)
-
@johnpoz
That is what I am concluding.
OpenVPN = easy to deploy and flexible....just not that speedy. I am in the process of setting up another test to use IPSEC and compare. I will post my results for those that are interested.
For this initial issue, I am calling it closed as it seems we have beaten the heck out of it. Thank you all for the fantastic support on this. So very much appreciated.
-
If the goal was pure throughput, openvpn would not be on the top of the list of choices
Sure, but maybe it will get to that top some time in the future.
-
^ we can hope yeah ;)
-
@johnpoz said in OpenVPN Slow - local network test:
^ we can hope yeah ;)
Although for Linux but here it is:
https://github.com/OpenVPN/ovpn-dco
-
Nice:
https://reviews.freebsd.org/D34340
-
I get even worse results ...
Machine A (pfSense 2.6.0):
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
2022-02-26 19:22:27 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
0.192u 0.000s 0:00.19 100.0% 601+171k 1+0io 0pf+0w
Machine B (pfSense 2.6.0):
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
2022-02-26 19:22:35 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
0.587u 0.023s 0:00.61 98.3% 618+176k 0+0io 0pf+0w
I spent most of the day trying to reach reasonable speeds, and this is the result:
iperf3 -c 172.16.16.1 -R
Connecting to host 172.16.16.1, port 5201
Reverse mode, remote host 172.16.16.1 is sending
[ 5] local 172.16.16.2 port 53032 connected to 172.16.16.1 port 5201
[ ID] Interval        Transfer     Bitrate
[ 5] 0.00-1.00  sec  6.10 MBytes  51.2 Mbits/sec
[ 5] 1.00-2.00  sec  8.03 MBytes  67.4 Mbits/sec
[ 5] 2.00-3.00  sec  7.28 MBytes  61.1 Mbits/sec
[ 5] 3.00-4.00  sec  7.60 MBytes  63.8 Mbits/sec
[ 5] 4.00-5.00  sec  6.77 MBytes  56.8 Mbits/sec
[ 5] 5.00-6.00  sec  7.17 MBytes  60.1 Mbits/sec
[ 5] 6.00-7.00  sec  8.87 MBytes  74.4 Mbits/sec
[ 5] 7.00-8.00  sec  7.41 MBytes  62.2 Mbits/sec
[ 5] 8.00-9.01  sec  7.54 MBytes  62.9 Mbits/sec
[ 5] 9.01-10.00 sec  6.44 MBytes  54.3 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval        Transfer     Bitrate        Retr
[ 5] 0.00-10.14 sec  73.4 MBytes  60.7 Mbits/sec  91  sender
[ 5] 0.00-10.00 sec  73.2 MBytes  61.4 Mbits/sec      receiver
-
-