[CentOS] OpenVPN throughput

Bowie Bailey Bowie_Bailey at BUC.com
Thu Aug 19 15:00:31 UTC 2010


 On 8/19/2010 10:29 AM, Boris Epstein wrote:
> Hello listmates,
>
> We are working on setting up two private networks linked by a public
> network which is fast (1 Gbit/s) but potentially insecure. Since the
> hosts on our two networks need to talk to each other, and do so
> securely, we have decided to use OpenVPN to connect them, making one
> gateway a server and the other a client. The connectivity part was
> easy to establish and worked like a charm. The only problem was, and
> is, performance.
>
> We have two old PIII-class machines that are being tested for the role
> of the gateways. We have put new 1 Gbit NICs in them and they work
> fine for everything (data transmission, DHCP, DNS, routing) except the
> VPN. When traffic goes through the VPN the OpenVPN process goes to 99%
> CPU on the server, about 70% CPU on the client and the effective
> transmission rate goes down to about 6 MB/s whereas in non-VPN mode it
> can be as high as 50+ MB/s (the top for the 1 Gbit/s is, obviously,
> 125 MB/s hence with the VPN we are down to about 5% of the capacity).
>
> While this may be usable we would like to hope we can do better. Hence
> the following questions:
>
> 1) Have you used OpenVPN in a similar setup?
>
> 2) If so what sort of performance did you see?
>
> 3) What kind of equipment did you use?
>
> Personally, I'd like to hope that if we find VPN-enabled gateways with
> more processing power we'd get drastically better performance. So if
> you have data to confirm or deny that please share it.

I have an OpenVPN gateway running on an old PII-400 machine with 256M
RAM.  It works fine for what we need.  I have never measured throughput
or CPU usage.

I would say that if your CPU is going to 99% when you use the VPN, you
would definitely benefit from a faster system.  I would suspect that any
P4 or higher system would work fine, but maybe someone else that
actually uses a high-speed VPN connection could give you a more accurate
spec.

-- 
Bowie


