[CentOS] OpenVPN throughput

Thu Aug 19 19:00:14 UTC 2010
Bill Campbell <centos at celestial.com>

On Thu, Aug 19, 2010, Boris Epstein wrote:
>Hello listmates,
>
>We are working on setting up two private networks linked by a public
>network which is fast (1 Gbit/s) but potentially insecure. Since the
>hosts on our two networks need to talk to each other, and do so
>securely, we have decided to use OpenVPN to connect them, making one
>gateway a server and the other a client. The connectivity part was
>easy to establish and worked like a charm. The only problem was, and
>is, performance.
>
>We have two old PIII-class machines that are being tested for the role
>of the gateways. We have put new 1 Gbit NIC's in them and they work
>fine for everything (data transmission, DHCP, DNS, routing) except the
>VPN. When traffic goes through the VPN the OpenVPN process goes to 99%
>CPU on the server, about 70% CPU on the client and the effective
>transmission rate goes down to about 6 MB/s whereas in non-VPN mode it
>can be as high as 50+ MB/s (the top for the 1 Gbit/s is, obviously,
>125 MB/s hence with the VPN we are down to about 5% of the capacity).
>
>While this may be usable we would like to hope we can do better. Hence
>the following questions:
>
>1) Have you used OpenVPN in a similar setup?

We have a client with offices in 4 cities using a Windows
application with remote access (which performs horribly compared
to their previous *nix application :-).  The main site is in
Kansas City, the other three in Texas, and the performance is
good enough that people aren't complaining -- much as many prefer
the old app.

>2) If so what sort of performance did you see?

The client is happy, particularly since their software vendor
wanted them to get $2,500 Cisco routers for each office, and the
Linux boxes cost a lot less including setup and configuration.

Frankly I was amazed that this was adequate for use with Windows
remote access over relatively slow links with the T1 in KC
probably being the potential bottleneck with 3 offices connecting
to it.

>3) What kind of equipment did you use?

Each office has a T1 connection.  The KC Linux machine is a
general purpose machine doing e-mail, user storage, etc. NAT
gateway for the LAN, as well as the OpenVPN with a single
Intel(R) Core(TM)2 Duo CPU E4500  @ 2.20GHz and 2GB RAM.

The remote office machines are also NAT gateways for each
office's LAN and are running single-processor Intel(R) Atom(TM)
CPU 330 @ 1.60GHz with 2GB of RAM.  These are in small chassis,
are very quiet, and seem to work very well.  These systems with
80GB SATA drives cost us just under $500 each a couple of years
ago, and a bit less today.

All are running CentOS 5.x.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

Our Foreign dealings are an Open Book, generally a Check Book.
    Will Rogers