4. Improve OpenVPN throughput

Improve OpenVPN throughput

  • D

    Hello Folks,

    I'm trying to find a way to improve the throughput on a single threaded connections across our OpenVPN links. We're running 500Mbps sequential fiber at out data center, and 300/20 on a remote site. The highest I was able to tune my OpenVPN settings was ~85 Mbps on a single thread iperf3 test. With "-P 4" on the iperf, I can hit 300, but that's not my goal. I'd like to try and improve the single thread to get at least 150Mb or better.
    The client router is an old Dell PC with an i5-2400 and 4GB of DDR3 ram, Intel Pro 1000 PT Quad Port NIC.
    The server router is an old Lenovo server, Xeon E3-1230, 16GB Ram, Intel Pro 1000 PT Quad port NIC.
    Both routers running pfSense 2.4.3, checksum and TCP seg offloading enabled.

    Here's my OpenVPN Client config:

    [2.4.3-RELEASE][admin@XXXXXXXXXXXX.com]/var/etc/openvpn: cat client2.conf
dev ovpnc2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.XXX.XXX
engine cryptodev
lport 0
management /var/etc/openvpn/client2.sock unix
remote XXX.XXX.XXX.XXX
ifconfig 10.XXX.XXX.X 10.XXX.XXX.X
route 192.XXX.XXX.0 255.XXX.XXX.X
route 10.0.XXX.X 255.XXX.XXX.X
secret /var/etc/openvpn/client2.secret
compress lzo
resolv-retry infinite
fast-io
sndbuf 2097152
rcvbuf 2097152

    Here's my Server config:

    dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.XXX.XXX
engine cryptodev
ifconfig XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
lport 1195
management /var/etc/openvpn/server2.sock unix
push "route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX"
route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
route XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 
secret /var/etc/openvpn/server2.secret
compress lzo
fast-io
sndbuf 2097152
rcvbuf 2097152

    Here's some 'tunables' that I've tweaked to improve my throughput (started at ~55Mbps, settled at 84 after tuning)
    net.inet.tcp.recvbuf_inc, increased to 131072
    net.inet.tcp.sendbuf_inc, increased to 131072 (these two settings gave the most increase, higher numbers made no change)

    net.inet.tcp.recvspace , 262144 (no change in speed)
    net.inet.tcp.sendspace, 262144 (no change in speed)
    kern.bufcachepercent (Percent of System RAM kernel can use for Cache) 50 (no change in speed)
    kern.ipc.nmbclusters (Network Mbufs available to system) 32786 (no change in speed)
    kern.ipc.maxsockbuf (Maximum socket buffer size) 16777216 (no change in speed)

    I did try 'tun-mtu 9000', but this didn't change the numbers at all.

    Does anyone have any more suggestions I can try to improve the performance?
    Thanks in advance!

    0
  • LAYER 8 Rebel Alliance

    Have you tried to remove engine cryptodev ?
    Sometimes it make things slower not faster. 😬

    -Rico

    1
  • D

    Just tried it, lost about 8-10 Mbps. I also tried removing the AES-256-GCM (only AES-128-GCM now) from the negotiable's, made no change.

    0
  • LAYER 8 Rebel Alliance

    I'd play around with the compression in the next step, disable it completely or try lz4 to check for any impact.

    -Rico

    1
  • D

    Didn't seem to make much difference. LZ4 v2 gave ~1-2 Mbps increase over several tests, but nothing quite like what I was hoping for.
    Turning off compression didn't seem to make any difference at all, was still between 78-84 Mbps.

    0
    G
     1 Reply
  • G

    @drkrieger said in Improve OpenVPN throughput:

    Didn't seem to make much difference. LZ4 v2 gave ~1-2 Mbps increase over several tests, but nothing quite like what I was hoping for.
    Turning off compression didn't seem to make any difference at all, was still between 78-84 Mbps.

    Using an SG-3100 here so low power device. I am using 128-GCM, SHA1, DH-2048. If you want to know anymore about my config I can share. I would export your profile again and test. GCM should use multiple cores. On gigabit I have topped out at 110Mbps but that is about it with this setup. IPSec on the other hand would likely provide the speeds you're looking for but I prefer to stay with OpenVPN and the lower overall throughput.

    0
  • LAYER 8 Rebel Alliance

    Weird stuff, my 11 old Xeon 3000 can easy make around 160 MBit/s OpenVPN AES-256-GCM.
    Please try this test from the commandline/SSH.

    openvpn --genkey --secret /tmp/secret
time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm

    ( 3200 / execution_time_seconds ) = Projected Maximum OpenVPN Performance in Mbps

    -Rico

    0
    D
     1 Reply
  • LAYER 8 Rebel Alliance

    @gsmornot
    I don't think GCM use multiple cores...
    With my SG-3100 the max in real world tests is around 83 MBit/s OpenVPN AES-256-GCM.
    But you can share your config if you want. :-)

    -Rico

    0
    G
     1 Reply
  • D

    @rico Thanks for that tip, good to know!
    This was my output:

    Thu Sep 27 12:33:53 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.288u 0.007s 0:10.30 99.8%    814+178k 0+0io 0pf+0w

    So with ~10 seconds, I'm guessing my peak would be theoretical 320 Mbps which is the maximum of the pipe on the remote site. I'm wondering how I can tune to get closer to that number.
    I noticed in the test that MTU's are set to 20k. I'm guessing that I can't do that with OpenVPN's tunnel settings?

    0 1 Reply
  • LAYER 8 Rebel Alliance

    @drkrieger said in Improve OpenVPN throughput:

    I noticed in the test that MTU's are set to 20k. I'm guessing that I can't do that with OpenVPN's tunnel settings?

    https://forum.netgate.com/post/619858

    -Rico

    0
  • D

    I'm finding something interesting about this whole situation: iperf single thread only hits ~85 Mbps, yet a SMB file transfer (Windows Share) is able to hit 38.5 MB/s. Flaw with iperf, or just protocol differences?

    0
  • G

    @rico said in Improve OpenVPN throughput:

    @gsmornot
    I don't think GCM use multiple cores...
    With my SG-3100 the max in real world tests is around 83 MBit/s OpenVPN AES-256-GCM.
    But you can share your config if you want. :-)

    -Rico

    Nothing special in the config, just offering to reply with any detail asked for in my current settings.

    Looking, I thought it was multicore but I think what I want to say is capable of parallel processing. I am a bit more basic in my understanding. I tested the performance versus CBC and found it to be much better, maybe double, so I stuck with it. IPSec was much faster but I kept reading people say they would always pick OpenVPN first so I stuck with it. So far no issues. My main use is access through my firewall while mobile so I can make use of public wifi at times and even bigger for me block ad's with pfBlocker.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy