[CentOS] OpenVPN throughput
John R Pierce
pierce at hogranch.com
Mon Aug 30 17:35:49 UTC 2010
On 08/30/10 6:10 AM, drew einhorn wrote:
> On Mon, Aug 30, 2010 at 4:20 AM, <J.Witvliet at mindef.nl> wrote:
>
>> Last year I've been doing some experiments with openvpn.
>> Just as the O.P. I was curious about sustainable throughput, and was disappointed about the results.
>>
>> To obtain maximum results, I did:
>> - use two rather heavy machines (HP DL380-G6, dual quad core)
>> - two dedicated 10Gb-nic's
>> - cross-connect both nics
>> - DISABLE openvpn-debug (as it is VERY cpu expensive)
>> - raise MTU to 4K
>>
>> Bottleneck was (in my case) the openvpn-process, that was running 100% on a single core,
>> while network was not saturated.
>>
>> So for max throughput, it is probably strongswan (ipsec) or hw-encryption [or both]
>>
> What was the bandwidth when the cpu bottlenecked?
> Were you running a single tcp connection transferring a single file?
> Or, a mix of traffic with multiple tcp connections, udp traffic, etc?
> I'm wondering if a more complex traffic mix would get the other cpus working,
> and increase the total throughput.
I'm pretty sure one SSL-VPN tunnel == one process. It's not going to
fork different packets to different threads, as it's really paying no
attention to sockets and connections within that tunnel.

Did you try forcing the blowfish cipher? I've heard that's lower in CPU
overhead than most others, although I've not tested this.