Multiple OpenVPN tunnels multicore CPU

  • I have been trying to find info on this subject for days via Google. Since I do not know what the technical term for this is, it’s hard to find  ::)

    Multi-core CPU, multiple OpenVPN tunnels (4 tunnels to same provider) 1 tunnel to each Core for maximum speed in decryption. Is that possible and will it increase speed?

    I see statements a Celeron Quadcore J1900 can do up to 600Mbit with 4 active tunnels. By ”balancing” load on all 4 cores.  :o

    Can someone please point me in the direction of a solution? Or if it’s even possible and what ”the name” of it is called.  ;D

  • I don't think you can assign a tunnel to a core.  The operating system balances the load around the cores as needed.  You can even use CPU monitors to see that.

  • @JKnott:

    I don't think you can assign a tunnel to a core.  The operating system balances the load around the cores as needed.  You can even use CPU monitors to see that.

    No, but ovpn is single-threaded, so on a quad-core you can't use more than 1/4 of its potential when using a single ovpn instance.

    More instances can theoretically improve throughput... but that'll depend much on the protocols that are used. (Torrents could possibly benefit, an HTTP session to a single website won't.)

  • LAYER 8 Netgate

    Each client will be its own openvpn process. The kernel scheduler will do whatever it thinks is appropriate there.

  • So if I understand this…  :o setting up 4 OPT interfaces, configuring them as an interface group?

  • LAYER 8 Netgate

    Why an interface group? What are you trying to accomplish?

  • My goal is to saturate my WAN as much as possible (500Mbit) with my current 4core router.

    I am connecting to a VPN provider which allows 4 simultaneous tunnels with OpenVPN AES-256-GCM encryption.

    Goal is to have OpenVPN to use all 4 cores of the CPU to decrypt the traffic. This to increase the total speed and utilize all processor-power over the cores.

    My reasoning of this statement is founded from the info that 1 OpenVPN tunnel can only utilize 1 core in the CPU. This is not a multi wan, rather a multi tunnel solution.

    Current setup using 1 tunnel and 1 core giving me about 120Mbit.

    Is this possible?  :)

  • LAYER 8 Netgate

    Depends on the traffic. It sounds like you want a load balancing gateway group, not an interface group.

    In that case it WILL NOT bond all the connections into one large pipe. It will, however, distribute outgoing connections among the various tunnels on a per-state basis according to the gateway weights.

  • So basically, if I understand this right, several tunnels will not increase download speed due to more CPU power at its disposal?

  • LAYER 8 Netgate

    Load balancing does not bond multiple connections into one large pipe.

    The benefit you gain depends on the traffic in your environment.

  • Gateway load balancing seems to work well. I have two PIA VPN tunnels configured on an SG-3100. I have them both as part of a gateway group in tier 1, and my test machine matches a firewall rule that sends all traffic to that gateway group by default.

    When running a Speedtest, the download test uses both tunnels - one openvpn process on each CPU. During the upload test, it only uses one of the tunnels. If I have the gateway group prefer one tunnel over the other, the download test only uses that tunnel and not the other, and the upload behavior doesn't change. I was able to confirm that by watching top from a console and looking at the bandwidth monitor.

    I managed to pull down 60 mbit over OpenVPN doing it this way a few times, but on average it was about 50 mbit. I know there's more throughput available here given the hardware specs, so I need to figure out the best encryption algorithm to use. I want to try a real bench test to take the intertubes variable out of the equation to see how this really works.

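The per-state distribution described in this thread, as a simplified model added here (not code from the thread, pfSense or OpenVPN): each connection state is pinned to one tunnel, and each tunnel is capped at the 120 Mbit that one core delivered for the original poster. The round-robin-by-weight selection, the tunnel names and the flow demands are assumptions made for illustration.

```python
from itertools import cycle

# Figures taken from the thread; everything else below is a constructed model.
PER_TUNNEL_MBIT = 120   # one single-threaded OpenVPN process on one core
WAN_MBIT = 500          # WAN speed the original poster wants to saturate


def assign_states(n_flows, weights):
    """Pin each flow (state) to one tunnel, round-robin by gateway weight.

    Assumption: a gateway with weight w appears w times in the rotation.
    """
    slots = [name for name, w in weights.items() for _ in range(w)]
    picker = cycle(slots)
    return [next(picker) for _ in range(n_flows)]


def throughput(flow_demands, weights, cap=PER_TUNNEL_MBIT, wan=WAN_MBIT):
    """Return (per-tunnel Mbit, total Mbit) for the given flow demands."""
    placement = assign_states(len(flow_demands), weights)
    per_tunnel = {name: 0.0 for name in weights}
    for tunnel, demand in zip(placement, flow_demands):
        per_tunnel[tunnel] += demand
    # A tunnel cannot exceed its single-core crypto ceiling, and a flow
    # never spills onto another tunnel: there is no bonding.
    per_tunnel = {t: min(v, cap) for t, v in per_tunnel.items()}
    return per_tunnel, min(sum(per_tunnel.values()), wan)


if __name__ == "__main__":
    four = {"vpn1": 1, "vpn2": 1, "vpn3": 1, "vpn4": 1}
    scenarios = {
        "one HTTP download (1 state)": ([500], four),
        "4 parallel downloads": ([125] * 4, four),
        "8 torrent peers": ([60] * 8, four),
        "4 downloads, weights 3:1 on 2 tunnels": ([100] * 4, {"vpn1": 3, "vpn2": 1}),
    }
    for label, (demands, weights) in scenarios.items():
        per_tunnel, total = throughput(demands, weights)
        print(f"{label:40s} total={total:5.0f} Mbit  {per_tunnel}")
```

A single state never exceeds one tunnel's ceiling, which matches the upload test above staying on one tunnel, while many states can approach the sum of the tunnels.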