On Thu, Aug 19, 2010, Boris Epstein wrote:
Hello listmates,
We are working on setting up two private networks linked by a public network which is fast (1 Gbit/s) but potentially insecure. Since the hosts on our two networks need to talk to each other, and do so securely, we have decided to use OpenVPN to connect them, making one gateway a server and the other a client. The connectivity part was easy to establish and worked like a charm. The only problem was, and is, performance.
We have two old PIII-class machines that are being tested for the role of the gateways. We have put new 1 Gbit NICs in them and they work fine for everything (data transmission, DHCP, DNS, routing) except the VPN. When traffic goes through the VPN the OpenVPN process goes to 99% CPU on the server, about 70% CPU on the client and the effective transmission rate goes down to about 6 MB/s whereas in non-VPN mode it can be as high as 50+ MB/s (the top for the 1 Gbit/s is, obviously, 125 MB/s hence with the VPN we are down to about 5% of the capacity).
While this may be usable we would like to hope we can do better. Hence the following questions:
- Have you used OpenVPN in a similar setup?
We have a client with offices in 4 cities using a Windows application with remote access (which performs horribly compared to their previous *nix application :-). The main site is in Kansas City, the other three in Texas, and the performance is good enough that people aren't complaining -- much as many prefer the old app.
- If so what sort of performance did you see?
The client is happy, particularly since their software vendor wanted them to get $2,500 Cisco routers for each office, and the Linux boxes cost a lot less including setup and configuration.
Frankly I was amazed that this was adequate for use with Windows remote access over relatively slow links with the T1 in KC probably being the potential bottleneck with 3 offices connecting to it.
- What kind of equipment did you use?
Each office has a T1 connection. The KC Linux machine is a general purpose machine doing e-mail, user storage, etc. NAT gateway for the LAN, as well as the OpenVPN with a single Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz and 2GB RAM.
The remote office machines are also NAT gateways for each office's LAN and are running single processor Intel(R) Atom(TM) CPU 330 @ 1.60GHz with 2GB of RAM. These are in small chassis, are very quiet, and seem to work very well. These systems with 80GB SATA drives cost us just under $500 each a couple of years ago, and a bit less today.
All are running CentOS 5.x.
Bill