Opened 7 years ago

Last modified 2 years ago

#294 reopened Bug / Defect

OpenVPN 2.3.1 consuming tremendous CPU resources on OpenBSD

Reported by: mattison Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.1 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: openbsd
Cc:

Description

After having been tasked with setting up a few VPNs for evaluation purposes I noticed that on OpenBSD 5.2 and 5.3, OpenVPN 2.3.1 (running as server) consumes disproportional amounts of CPU resources compared to f.e. FreeBSD and OS X. I have tried multiple ciphers and key lengths, with and without LZO, as well as compiling against both OpenSSL and PolarSSL, but the problem is identical in all scenarios.

Running on one and the same computer with identical server config and cipher + key length etc., OpenVPN consumes around 85-90% of CPU resources on OpenBSD when transiting a mere 15-20 mbit/s worth of data, while on FreeBSD it consumes just around 15% for the same amount of traffic.

Screenshot of top(1) included. If server config file or build configuration is required, please let me know.

http://i.imgur.com/SlvBxOG.jpg

Change History (9)

comment:1 Changed 7 years ago by JoshC

From your top output, most of your CPU is used in system (or kernel) processing time, followed by interrupt processing. Only 15% of the CPU is running userland tasks, which is where openvpn does its work.

So the real question is why your OpenBSD box is doing so much kernel processing compared to your other systems. OpenVPN receives and transmits packets to/from the IP stack both for the tun and physical NICs, so that and firewall processing would be occurring in kernel-space. I'd start hunting there for your CPU issues. Note that the 'CPU' column in top is showing aggregate usage for all types of processing (user + nice + system + interrupt.)

Offhand I'd speculate that checksum offloading, interrupt speed (kernel timer frequency), or firewall processing might be suspect places to look for differences.

comment:2 Changed 7 years ago by JoshC

Priority: majorminor

comment:3 Changed 7 years ago by JoshC

Resolution: notabug
Status: newclosed

Without any follow-up in 4 weeks, this bug is being marked closed. If you wish to follow-up or re-open the bug, feel free to supply additional relevant details.

comment:4 Changed 7 years ago by mattison

Resolution: notabug
Status: closedreopened

Work has been keeping me away. Meanwhile, however, I have been trying the same openvpn config/setup on a different machine running FreeBSD 9.1-release, with no change in behavior. Different OS and different config of the OS, but OpenVPN 2.3.2 is still keeping the machine heavily stalled in terms of system/interrupt in the exact same way as on OpenBSD 5.2/5.3.

OpenVPN config, for what it's worth:

---

daemon
server 192.168.128.0 255.255.255.0
port 5555
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh3072.pem

client-config-dir /etc/openvpn/clientcfg/

push "dhcp-option DNS 208.67.222.222"
push "redirect-gateway def1"

cipher BF-CBC
keysize 256
comp-lzo
max-clients 5
connect-freq 3 3
user nobody
group nobody
persist-key
persist-tun

tun-mtu 1500
fragment 1390
mssfix 1390
keepalive 3 60

log /dev/null
status /dev/null
verb 3
mute 4

---

Last edited 7 years ago by mattison (previous) (diff)

comment:5 Changed 6 years ago by Samuli Seppänen

If somebody else is having this issue on OpenBSD/FreeBSD, please add a comment.

comment:6 Changed 6 years ago by Gert Döring

I've not seen any unduly performance issues on our FreeBSD systems, but I admit that we're only lightly using it - like 20 users, and a few mbit/s throughput.

I think I'll try to get some performance numbers out of these machines, and then see whether this is better or worse than on Linux etc.

Still, significant amounts of CPU spent on "system" hints at "something is going on inside the kernel", and there is not so much OpenVPN could do differently there.

comment:7 Changed 5 years ago by Samuli Seppänen

So does this issue appear with latest OpenVPN (Git master) and latest OpenBSD?

comment:8 Changed 2 years ago by filippobistaffa

I know this is a very old ticket, but this issue is still present on the latest OpenWrt and Armbian.

comment:9 in reply to:  8 Changed 2 years ago by Gert Döring

Replying to filippobistaffa:

I know this is a very old ticket, but this issue is still present on the latest OpenWrt and Armbian.

Could you be a bit more specific what "this issue" is? What is "Armbian"? Sounds like a Linux variant - while this ticket is about OpenBSD.

Generally speaking, depending on CPU availability and throughput, of course OpenVPN will use all the CPU that's there - that is normal and to be expected Exceptionally high CPU usage with little throughput is what would warrant a ticket... so, numbers please :)

Note: See TracTickets for help on using tickets.