On 08/30/10 6:10 AM, drew einhorn wrote:
On Mon, Aug 30, 2010 at 4:20 AM, J.Witvliet@mindef.nl wrote:
Last year I've been doing some experiments with openvpn. Just as the O.P. I was curious about sustainable throughput, and was disappointed about the results.
To obtain maximum results, I did:
- use two rather heavy machines (HP DL380-G6, dual quad core)
- two dedicated 10Gb NICs
- cross-connect both nics
- DISABLE openvpn-debug (as it is VERY cpu expensive)
- raise MTU to 4K
Bottleneck was (in my case) the openvpn-process, that was running 100% on a single core, while network was not saturated.
So for max throughput, it is probably strongswan (ipsec) or hw-encryption [or both]
What was the bandwidth when the cpu bottlenecked? Were you running a single tcp connection transferring a single file? Or, a mix of traffic with multiple tcp connections, udp traffic, etc? I'm wondering if a more complex traffic mix would get the other cpus working, and increase the total throughput.
I'm pretty sure one SSL-VPN tunnel == one process. It's not going to fork different packets to different threads, as it's really paying no attention to sockets and connections within that tunnel.
Did you try forcing the blowfish cipher? I've heard that's lower in CPU overhead than most others, although I've not tested this.