Improve OpenVPN throughput
-
Have you tried to remove engine cryptodev ?
Sometimes it make things slower not faster.
-Rico
-
Just tried it, lost about 8-10 Mbps. I also tried removing the AES-256-GCM (only AES-128-GCM now) from the negotiable's, made no change.
-
I'd play around with the compression in the next step, disable it completely or try lz4 to check for any impact.
-Rico
-
Didn't seem to make much difference. LZ4 v2 gave ~1-2 Mbps increase over several tests, but nothing quite like what I was hoping for.
Turning off compression didn't seem to make any difference at all, was still between 78-84 Mbps. -
@drkrieger said in Improve OpenVPN throughput:
Didn't seem to make much difference. LZ4 v2 gave ~1-2 Mbps increase over several tests, but nothing quite like what I was hoping for.
Turning off compression didn't seem to make any difference at all, was still between 78-84 Mbps.Using an SG-3100 here so low power device. I am using 128-GCM, SHA1, DH-2048. If you want to know anymore about my config I can share. I would export your profile again and test. GCM should use multiple cores. On gigabit I have topped out at 110Mbps but that is about it with this setup. IPSec on the other hand would likely provide the speeds you're looking for but I prefer to stay with OpenVPN and the lower overall throughput.
-
Weird stuff, my 11 old Xeon 3000 can easy make around 160 MBit/s OpenVPN AES-256-GCM.
Please try this test from the commandline/SSH.openvpn --genkey --secret /tmp/secret time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in Mbps
-Rico
-
@gsmornot
I don't think GCM use multiple cores...
With my SG-3100 the max in real world tests is around 83 MBit/s OpenVPN AES-256-GCM.
But you can share your config if you want. :-)-Rico
-
@rico Thanks for that tip, good to know!
This was my output:Thu Sep 27 12:33:53 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.288u 0.007s 0:10.30 99.8% 814+178k 0+0io 0pf+0wSo with ~10 seconds, I'm guessing my peak would be theoretical 320 Mbps which is the maximum of the pipe on the remote site. I'm wondering how I can tune to get closer to that number.
I noticed in the test that MTU's are set to 20k. I'm guessing that I can't do that with OpenVPN's tunnel settings? -
@drkrieger said in Improve OpenVPN throughput:
I noticed in the test that MTU's are set to 20k. I'm guessing that I can't do that with OpenVPN's tunnel settings?
https://forum.netgate.com/post/619858
-Rico
-
I'm finding something interesting about this whole situation: iperf single thread only hits ~85 Mbps, yet a SMB file transfer (Windows Share) is able to hit 38.5 MB/s. Flaw with iperf, or just protocol differences?
-
@rico said in Improve OpenVPN throughput:
@gsmornot
I don't think GCM use multiple cores...
With my SG-3100 the max in real world tests is around 83 MBit/s OpenVPN AES-256-GCM.
But you can share your config if you want. :-)-Rico
Nothing special in the config, just offering to reply with any detail asked for in my current settings.
Looking, I thought it was multicore but I think what I want to say is capable of parallel processing. I am a bit more basic in my understanding. I tested the performance versus CBC and found it to be much better, maybe double, so I stuck with it. IPSec was much faster but I kept reading people say they would always pick OpenVPN first so I stuck with it. So far no issues. My main use is access through my firewall while mobile so I can make use of public wifi at times and even bigger for me block ad's with pfBlocker.
