Netgate Discussion Forum

    Improve OpenVPN throughput

      drkrieger

      Just tried it, lost about 8-10 Mbps. I also tried removing the AES-256-GCM (only AES-128-GCM now) from the negotiables, made no change.

        Rico LAYER 8 Rebel Alliance

        I'd play around with the compression in the next step, disable it completely or try lz4 to check for any impact.

        -Rico

          drkrieger

          Didn't seem to make much difference. LZ4 v2 gave ~1-2 Mbps increase over several tests, but nothing quite like what I was hoping for.
          Turning off compression didn't seem to make any difference at all, was still between 78-84 Mbps.

            gsmornot @drkrieger

            @drkrieger said in Improve OpenVPN throughput:

            Didn't seem to make much difference. LZ4 v2 gave ~1-2 Mbps increase over several tests, but nothing quite like what I was hoping for.
            Turning off compression didn't seem to make any difference at all, was still between 78-84 Mbps.

            Using an SG-3100 here so low power device. I am using 128-GCM, SHA1, DH-2048. If you want to know any more about my config I can share. I would export your profile again and test. GCM should use multiple cores. On gigabit I have topped out at 110Mbps but that is about it with this setup. IPSec on the other hand would likely provide the speeds you're looking for but I prefer to stay with OpenVPN and the lower overall throughput.

              Rico LAYER 8 Rebel Alliance

              Weird stuff, my 11 old Xeon 3000 can easily make around 160 MBit/s OpenVPN AES-256-GCM.
              Please try this test from the commandline/SSH.

              openvpn --genkey --secret /tmp/secret
              time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
              

              ( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in Mbps

              -Rico

                Rico LAYER 8 Rebel Alliance

                @gsmornot
                I don't think GCM uses multiple cores...
                With my SG-3100 the max in real world tests is around 83 MBit/s OpenVPN AES-256-GCM.
                But you can share your config if you want. :-)

                -Rico

                  drkrieger @Rico

                  @rico Thanks for that tip, good to know!
                  This was my output:

                  Thu Sep 27 12:33:53 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
                  10.288u 0.007s 0:10.30 99.8%    814+178k 0+0io 0pf+0w
                  

                  So with ~10 seconds, I'm guessing my peak would be theoretical 320 Mbps which is the maximum of the pipe on the remote site. I'm wondering how I can tune to get closer to that number.
                  I noticed in the test that MTUs are set to 20k. I'm guessing that I can't do that with OpenVPN's tunnel settings?

                  RicoR 1 Reply Last reply Reply Quote 0
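Added example (not part of the original posts): a POSIX sh script that applies the 3200 / execution_time_seconds rule of thumb quoted above to a csh-style `time` line like the one in this post, and can rerun the `--test-crypto` benchmark for AES-128-GCM and AES-256-GCM. The function names, the `--run` switch and the use of `/usr/bin/time -p` are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and --run are hypothetical.

# Rule of thumb from the thread: 3200 / execution_time_seconds = projected Mbps.
projected_mbps() {
    awk -v t="$1" 'BEGIN { if (t + 0 <= 0) exit 1; printf "%.0f\n", 3200 / t }'
}

# Elapsed wall-clock seconds from a csh/tcsh `time` line, e.g.
# "10.288u 0.007s 0:10.30 99.8% ..." (third field, formatted [h:]m:ss.cc).
csh_time_elapsed() {
    printf '%s\n' "$1" | awk '{
        n = split($3, p, ":"); s = 0
        for (i = 1; i <= n; i++) s = s * 60 + p[i]
        printf "%.2f\n", s
    }'
}

# Run the thread's --test-crypto benchmark for one cipher and print the
# projection. Assumes /usr/bin/time -p (POSIX "real <seconds>" output).
bench_cipher() {
    key=$(mktemp /tmp/ovpn-bench.XXXXXX) || return 1
    openvpn --genkey --secret "$key" >/dev/null 2>&1 || { rm -f "$key"; return 1; }
    out=$( { /usr/bin/time -p openvpn --test-crypto --secret "$key" \
        --verb 0 --tun-mtu 20000 --cipher "$1" >/dev/null; } 2>&1 )
    rc=$?
    rm -f "$key"   # static key material: do not leave it in /tmp
    [ "$rc" -eq 0 ] || return 1   # e.g. cipher not supported by this build
    real=$(printf '%s\n' "$out" | awk '$1 == "real" { print $2 }')
    projected_mbps "$real"
}

# Only benchmark when asked to; otherwise the file just defines the helpers.
if [ "${1:-}" = "--run" ]; then
    for c in aes-128-gcm aes-256-gcm; do
        printf '%-12s %s Mbps (projected)\n' "$c" "$(bench_cipher "$c" || echo failed)"
    done
fi
```

The figure is a projection from a crypto-only test; the real-world tunnel numbers reported in this thread are considerably lower.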
                    Rico LAYER 8 Rebel Alliance @drkrieger

                    @drkrieger said in Improve OpenVPN throughput:

                    I noticed in the test that MTUs are set to 20k. I'm guessing that I can't do that with OpenVPN's tunnel settings?

                    https://forum.netgate.com/post/619858

                    -Rico

                      drkrieger

                      I'm finding something interesting about this whole situation: iperf single thread only hits ~85 Mbps, yet an SMB file transfer (Windows Share) is able to hit 38.5 MB/s. Flaw with iperf, or just protocol differences?

                        gsmornot @Rico

                        @rico said in Improve OpenVPN throughput:

                        @gsmornot
                        I don't think GCM uses multiple cores...
                        With my SG-3100 the max in real world tests is around 83 MBit/s OpenVPN AES-256-GCM.
                        But you can share your config if you want. :-)

                        -Rico

                        Nothing special in the config, just offering to reply with any detail asked for in my current settings.

                        Looking, I thought it was multicore but I think what I want to say is capable of parallel processing. I am a bit more basic in my understanding. I tested the performance versus CBC and found it to be much better, maybe double, so I stuck with it. IPSec was much faster but I kept reading people say they would always pick OpenVPN first so I stuck with it. So far no issues. My main use is access through my firewall while mobile so I can make use of public wifi at times and even bigger for me block ads with pfBlocker.
