On Thu, Aug 19, 2010, Boris Epstein wrote:
>Hello listmates,
>
>We are working on setting up two private networks linked by a public
>network which is fast (1 Gbit/s) but potentially insecure. Since the
>hosts on our two networks need to talk to each other, and do so
>securely, we have decided to use OpenVPN to connect them, making one
>gateway a server and the other a client. The connectivity part was
>easy to establish and worked like a charm. The only problem was, and
>is, performance.
>
>We have two old PIII-class machines that are being tested for the role
>of the gateways. We have put new 1 Gbit NICs in them and they work
>fine for everything (data transmission, DHCP, DNS, routing) except the
>VPN. When traffic goes through the VPN the OpenVPN process goes to 99%
>CPU on the server, about 70% CPU on the client, and the effective
>transmission rate goes down to about 6 MB/s, whereas in non-VPN mode it
>can be as high as 50+ MB/s (the top for 1 Gbit/s is, obviously,
>125 MB/s, hence with the VPN we are down to about 5% of the capacity).
>
>While this may be usable, we would like to hope we can do better. Hence
>the following questions:
>
>1) Have you used OpenVPN in a similar setup?

We have a client with offices in 4 cities using a Windows application with
remote access (which performs horribly compared to their previous *nix
application :-). The main site is in Kansas City, the other three in Texas,
and the performance is good enough that people aren't complaining -- much
as many prefer the old app.

>2) If so what sort of performance did you see?

The client is happy, particularly since their software vendor wanted them
to get $2,500 Cisco routers for each office, and the Linux boxes cost a lot
less including setup and configuration. Frankly I was amazed that this was
adequate for use with Windows remote access over relatively slow links, with
the T1 in KC probably being the potential bottleneck with 3 offices
connecting to it.

>3) What kind of equipment did you use?

Each office has a T1 connection. The KC Linux machine is a general purpose
machine doing e-mail, user storage, etc., NAT gateway for the LAN, as well
as the OpenVPN, with a single Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz and
2GB RAM. The remote office machines are also NAT gateways for each office's
LAN and are running single processor Intel(R) Atom(TM) CPU 330 @ 1.60GHz
with 2GB of RAM. These are in small chassis, are very quiet, and seem to
work very well. These systems with 80GB SATA drives cost us just under $500
each a couple of years ago, and a bit less today. All are running CentOS 5.x.

Bill
--
INTERNET:  bill at celestial.com   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/    PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676             Mercer Island, WA 98040-0820
Fax:   (206) 232-9186             Skype: jwccsllc  (206) 855-5792

Our Foreign dealings are an Open Book, generally a Check Book.
    -- Will Rogers