104 | | By increasing the MTU size of the tun adapter '''and''' by disabling OpenVPN's internal fragmentation routines the throughput can be increased quite dramatically. The reason behind this is that by feeding larger packets to the OpenSSL encryption and decryption routines the performance will go up. The second advantage of not internally fragmenting packets is that this is left to the operating system and to the kernel network device drivers. For a LAN-based setup this can work, but when handling various types of remote users (road warriors, cable modem users, etc) this is not always a possibility. |
| 108 | == Using OpenSSL 1.0.0 with AES-NI capable hardware == |
| 109 | The real performance gain is expected from the AES-NI capable hardware, such as the Intel Xeon X5660 i5-560M CPUs. |
| 110 | Using the exact same setup as above, but now using |
| 111 | {{{ |
| 112 | engine aesni |
| 113 | }}} |
| 114 | and by using |
| 115 | {{{ |
| 116 | ./openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.11 192.168.222.10 |
| 117 | --tun-mtu 9000 --fragment 0 --mssfix 0 --cipher aes-256-cbc --engine aesni |
| 118 | }}} |
| 119 | for the server and |
| 120 | {{{ |
| 121 | ./openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.10 192.168.222.11 --remote server |
| 122 | --tun-mtu 9000 --fragment 0 --mssfix 0 --cipher aes-256-cbc --engine aesni |
| 123 | }}} |
| 124 | for the client we obtain the following results: |
| 125 | || || AES128 || AES256 || |
| 126 | ||X5660 -> i5-560 || 885 || 878 || |
| 127 | ||i5-560 -> X5660 || 748 || 543 || |
| 131 | Some initial conclusions: |
| 132 | * the AES-NI capable server CPU clearly shows a huge performance gain: it is nearly capable of saturating the gigabit network. |
| 133 | * it was not possible to run this test with a more capable client CPU. The i5-560M is not capable of keeping up with the X5660, as can be seen from the performance difference between encryption an decryption. In the first entry in the table above the X5660 encrypted all traffic, and the i5-560M decrypted it. The second entry shows the results for the reverse. |
| 134 | |
| 135 | == For reference: using no encryption == |
| 136 | For reference, the above test was also run with encryption and signing disabled: |
| 137 | {{{ |
| 138 | openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.11 192.168.222.10 |
| 139 | --tun-mtu 9000 --fragment 0 --mssfix 0 --cipher none --auth none |
| 140 | }}} |
| 141 | and client |
| 142 | {{{ |
| 143 | openvpn --dev tun --proto udp --port 11000 --secret secret.key --ifconfig 192.168.222.10 192.168.222.11 --remote server |
| 144 | --tun-mtu 9000 --fragment 0 --mssfix 0 --cipher none --auth none |
| 145 | }}} |
| 146 | Now an '''iperf''' result of '''930 Mbps''' is obtained, which shows that performance is not so much limited by the division between kernel-space and user-space processes, but mostly by the encryption and decryption routines as found in the OpenSSL libraries. |
| 147 | |
| 148 | == 10 Gigabit networks == |
| 149 | The "plaintext" test (i.e. encryption and signing disabled) was repeated on two machines connected to a 10 Gbps switch. |
| 150 | |
| 151 | Again, all results were obtained using 'iperf'. |
| 152 | |
| 153 | || || speed || |
| 154 | ||"raw" || 8.8 Gbps || |
| 155 | ||via tun || 1.3 Gbps || |
| 156 | |
| 157 | This shows the limits of the kernel-space/user-space division that is present in Linux. The performance of OpenVPN over this network |
| 158 | |