Opened 7 years ago

Closed 11 days ago

#294 closed Bug / Defect (worksforme)

OpenVPN 2.3.1 consuming tremendous CPU resources on OpenBSD

Reported by: mattison Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.1 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: openbsd


After having been tasked with setting up a few VPNs for evaluation purposes I noticed that on OpenBSD 5.2 and 5.3, OpenVPN 2.3.1 (running as server) consumes disproportional amounts of CPU resources compared to f.e. FreeBSD and OS X. I have tried multiple ciphers and key lengths, with and without LZO, as well as compiling against both OpenSSL and PolarSSL, but the problem is identical in all scenarios.

Running on one and the same computer with identical server config and cipher + key length etc., OpenVPN consumes around 85-90% of CPU resources on OpenBSD when transiting a mere 15-20 mbit/s worth of data, while on FreeBSD it consumes just around 15% for the same amount of traffic.

Screenshot of top(1) included. If server config file or build configuration is required, please let me know.

Change History (10)

comment:1 Changed 7 years ago by JoshC

From your top output, most of your CPU is used in system (or kernel) processing time, followed by interrupt processing. Only 15% of the CPU is running userland tasks, which is where openvpn does its work.

So the real question is why your OpenBSD box is doing so much kernel processing compared to your other systems. OpenVPN receives and transmits packets to/from the IP stack both for the tun and physical NICs, so that and firewall processing would be occurring in kernel-space. I'd start hunting there for your CPU issues. Note that the 'CPU' column in top is showing aggregate usage for all types of processing (user + nice + system + interrupt.)

Offhand I'd speculate that checksum offloading, interrupt speed (kernel timer frequency), or firewall processing might be suspect places to look for differences.

comment:2 Changed 7 years ago by JoshC

Priority: majorminor

comment:3 Changed 7 years ago by JoshC

Resolution: notabug
Status: newclosed

Without any follow-up in 4 weeks, this bug is being marked closed. If you wish to follow-up or re-open the bug, feel free to supply additional relevant details.

comment:4 Changed 7 years ago by mattison

Resolution: notabug
Status: closedreopened

Work has been keeping me away. Meanwhile, however, I have been trying the same openvpn config/setup on a different machine running FreeBSD 9.1-release, with no change in behavior. Different OS and different config of the OS, but OpenVPN 2.3.2 is still keeping the machine heavily stalled in terms of system/interrupt in the exact same way as on OpenBSD 5.2/5.3.

OpenVPN config, for what it's worth:


port 5555
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh3072.pem

client-config-dir /etc/openvpn/clientcfg/

push "dhcp-option DNS"
push "redirect-gateway def1"

cipher BF-CBC
keysize 256
max-clients 5
connect-freq 3 3
user nobody
group nobody

tun-mtu 1500
fragment 1390
mssfix 1390
keepalive 3 60

log /dev/null
status /dev/null
verb 3
mute 4


Last edited 7 years ago by mattison (previous) (diff)

comment:5 Changed 7 years ago by Samuli Seppänen

If somebody else is having this issue on OpenBSD/FreeBSD, please add a comment.

comment:6 Changed 6 years ago by Gert Döring

I've not seen any unduly performance issues on our FreeBSD systems, but I admit that we're only lightly using it - like 20 users, and a few mbit/s throughput.

I think I'll try to get some performance numbers out of these machines, and then see whether this is better or worse than on Linux etc.

Still, significant amounts of CPU spent on "system" hints at "something is going on inside the kernel", and there is not so much OpenVPN could do differently there.

comment:7 Changed 5 years ago by Samuli Seppänen

So does this issue appear with latest OpenVPN (Git master) and latest OpenBSD?

comment:8 Changed 3 years ago by filippobistaffa

I know this is a very old ticket, but this issue is still present on the latest OpenWrt and Armbian.

comment:9 in reply to:  8 Changed 3 years ago by Gert Döring

Replying to filippobistaffa:

I know this is a very old ticket, but this issue is still present on the latest OpenWrt and Armbian.

Could you be a bit more specific what "this issue" is? What is "Armbian"? Sounds like a Linux variant - while this ticket is about OpenBSD.

Generally speaking, depending on CPU availability and throughput, of course OpenVPN will use all the CPU that's there - that is normal and to be expected Exceptionally high CPU usage with little throughput is what would warrant a ticket... so, numbers please :)

comment:10 Changed 11 days ago by Gert Döring

Resolution: worksforme
Status: reopenedclosed

I am closing this ticket now, since it's impossible to deal with "I have the same problem!! (just on a totally different environment)" with no feedback whatsoever.

I have done recent testing with our corp VPN server, which is a FreeBSD 11.3 machine running on a somewhat recent Supermicro hardware, with OpenVPN 2.4.9.

According to prometheus exporter, it will do about 250 Mbit/s with a single OpenVPN process (= using only a single CPU core), and the load on that core will go to about 70-80% then. I consider this "good enough", for better scaling you need a kernel module or multiple parallel OpenVPN processes.

If you see systems with "100% CPU load" at 15-20 Mbit/s, you need to check used ciphers (AES-GCM produces much lower load on systems with AESNI support) - or possibly the system is just not able to do faster (like, a rPI gen 1, with no crypto hw support).

I have no idea why OpenVPN would burn extra CPU on kernel level - what was originally reported - it does not do so on my OpenVPN buildslaves. Maybe something with pf(4) firewalling rules? Or anything unusual on kernel/network level?

Note: See TracTickets for help on using tickets.