Performance testing OpenVPN

This document describes how to performance test OpenVPN in a more static and predictable environment, built from EC2 hosts on Amazon Web Services (AWS).

Using AWS with an isolated Virtual Private Cloud (VPC) gives you a closed, high-performing network well suited for performance testing. Hosts within the same VPC are not disturbed by random other hosts. This means the test results we get here are more like "laboratory results", which indicate the performance under optimal conditions. This does not mean you will get the same performance when setting up a connection over the Internet, but these test results should give a good idea of what you can expect if you have no issues with the connection between your clients and the OpenVPN server.

In this document we use OpenVPN 2.4 on the server side. The Windows client is tested using both OpenVPN 2.4 and the OpenVPN 3 reference client.

TL;DR performance results

The test run we did following this guide gave us these results:

  • Direct TCP connection without VPN: close to 7Gbit/sec
  • OpenVPN 2 Windows client, using tap-windows6: 414 Mbit/sec
  • OpenVPN 3 reference client, using tap-windows6: 652 Mbit/sec

Preparations

AWS preparations

  1. Log in to AWS console
  2. Create VPC
    • in "VPC Dashboard" select "Your VPCs" -> "Create VPC"
    • name it "performance_test"
    • use "10.0.0.0/24" as IPv4 CIDR block
    • select "Tenancy: Dedicated"
  3. Create an Internet Gateway
    • in "VPC Dashboard" select "Internet Gateways" -> "Create internet gateway"
    • name it "performance_test_igw"
    • attach it to VPC - right click, "attach to VPC", select "performance_test"
  4. Create subnet
    • in "VPC Dashboard" select "Subnets" -> Create "subnet"
    • name it "performance_test_subnet"
    • select "performance_test" VPC
    • use "10.0.0.0/24" as IPv4 CIDR block
  5. Set up VPC routing
    • in "VPC Dashboard" select "Your VPCs"
    • select "performance_test"
    • click on value in "main route table" column
    • select "Routes" -> "Edit routes"
    • add route "0.0.0.0/0", target "Internet Gateway", select "performance_test_igw"
  6. Create placement group
    • in "EC2 Dashboard" select "Placement Groups" -> "Create Placement Group"
    • name it "performance_test_pg"
    • select "Cluster" strategy

OpenVPN server setup

  1. Launch VPN server instance
    • EC2 Dashboard -> Launch Instance
    • select "Ubuntu Server 18.04 LTS (HVM), SSD Volume Type"
    • select "c5.xlarge" instance
    • in bottom right corner push "Next: Configure Instance Details"
      • select "performance_test" as a "Network"
      • you should have "performance_test_subnet" autoselected
      • select "Add instance to placement group"
      • select "Add to existing placement group"
      • select "performance_test_pg"
    • push "Review and Launch" in bottom right corner
  2. Assign IP address
    • in "EC2 Dashboard" select "Elastic IPs" -> "Allocate new address"
    • use default "Amazon pool" selection
    • push "Allocate", then "Close"
    • right click on newly allocated address -> select "Associate address"
    • select newly created VPN server instance and push "Associate"
  3. Name instance as "performance test server"

Configure OpenVPN server

  1. Use SSH to connect to the EC2 instance, and run the apt command as indicated
    $ ssh ubuntu@<vpc-ip-address-of-server>
    [.....]
    [ubuntu@....] $ sudo apt update && sudo apt install -y iperf3 openvpn
    
  2. create openvpn server config
    • switch to /etc/openvpn directory: cd /etc/openvpn
    • download dh2048.pem, ca.crt, server.crt, server.key from https://github.com/OpenVPN/openvpn/tree/master/sample/sample-keys
      $ sudo wget https://raw.githubusercontent.com/OpenVPN/openvpn/master/sample/sample-keys/dh2048.pem 
      
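      and so on. You will need dh2048.pem, ca.crt, server.key, server.crt. These sample keys, private keys included, are published in the OpenVPN source tree, so use them only inside this isolated test setup.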
  3. create /etc/openvpn/server.ovpn with content
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh2048.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    keepalive 5 30
    verb 4
    
  4. start the openvpn daemon
    $ sudo openvpn --config /etc/openvpn/server.ovpn --daemon
    

Windows OpenVPN client setup

  1. Launch a new VPN Windows client instance in AWS
    • EC2 Dashboard -> Launch Instance
    • select "Windows Server 2016 Base"
    • select "c5.xlarge" instance
    • edit instance details
      • select "performance_test" as a "Network"
      • you should have "performance_test_subnet" autoselected
      • select "Add instance to placement group"
      • select "Add to existing placement group"
      • select "performance_test_pg"
  2. Assign IP address
    • in "EC2 Dashboard" select "Elastic IPs" -> "Allocate new address"
    • select "associate address"
    • right click on address -> select newly created VPN windows client instance -> "Associate"
  3. Create Security Group
    • EC2 Dashboard -> Security Groups -> Create Security Group
    • use "performance_test_sg" as name
    • use "Allow all traffic inside VPC" as a description
    • select "performance_test" as VPC
    • add inbound rule, "All Traffic" -> source Custom "10.0.0.0/16"
    • Go to EC2 Dashboard -> Instances
    • select server instance, right click -> networking -> change security groups -> add "performance_test_sg"
    • repeat for client instance

Configure Windows OpenVPN client

  1. Right click on instance -> Get Windows Password
  2. Specify private key from keypair you used when creating instance
  3. Save Administrator password
  4. Connect to machine via Remote Desktop
  5. download needed software packages
  6. create C:\Temp\client.ovpn with the following content:
    client
    dev tun
    proto udp
    remote <vpc-ip-address-of-server> 1194
    ca c:\\Temp\\ca.crt
    cert C:\\Temp\\client.crt
    key C:\\Temp\\client.key
    verb 3
    
  7. download ca.crt, client.crt and client.key from https://github.com/OpenVPN/openvpn/tree/master/sample/sample-keys to C:\Temp
  8. run OpenVPN GUI, right click on tray icon -> Import file, specify C:\Temp\client.ovpn
  9. download openvpn3 test client from https://ci.appveyor.com/project/openvpn/openvpn3/builds/25439762/artifacts to C:\Temp\openvpn3

Running Performance Tests

Bandwidth tests - no VPN

  1. on server machine, run iperf3 -s 0.0.0.0
  2. on client machine:
    c:\Temp>iperf3.exe -c <VPC (which is 10.0.0.x, NOT VPN!) IP address of server> -V -t 60
    iperf 3.1.3
    CYGWIN_NT-10.0 EC2AMAZ-FTIR7C4 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
    Time: Thu, 20 Jun 2019 11:50:10 GMT
    Connecting to host 10.0.0.78, port 5201
          Cookie: EC2AMAZ-FTIR7C4.1561031410.179818.46
          TCP MSS: 0 (default)
    [  4] local 10.0.0.15 port 49719 connected to 10.0.0.78 port 5201
    Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-1.00   sec   821 MBytes  6.88 Gbits/sec
    [  4]   1.00-2.00   sec   820 MBytes  6.88 Gbits/sec
    <skipped>
    [  4]  58.00-59.00  sec   831 MBytes  6.97 Gbits/sec
    [  4]  59.00-60.00  sec   832 MBytes  6.98 Gbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    Test Complete. Summary Results:
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-60.00  sec  48.7 GBytes  6.97 Gbits/sec                  sender
    [  4]   0.00-60.00  sec  48.7 GBytes  6.97 Gbits/sec                  receiver
    CPU Utilization: local/sender 19.5% (5.6%u/13.9%s), remote/receiver 38.5% (1.1%u/37.4%s)
    iperf Done
    

Bandwidth performance results indicate close to 7Gbit/sec

Performance test - OpenVPN 2 - Windows - tap-windows6

  1. on client machine, start OpenVPN 2 GUI, right click on tray icon -> Connect
  2. run iperf3
    c:\Temp\iperf3>iperf3.exe -c 10.8.0.1 -V -t 60
    iperf 3.1.3
    CYGWIN_NT-10.0 EC2AMAZ-FTIR7C4 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
    Time: Fri, 21 Jun 2019 09:14:04 GMT
    Connecting to host 10.8.0.1, port 5201
          Cookie: EC2AMAZ-FTIR7C4.1561108444.929966.30
          TCP MSS: 0 (default)
    [  4] local 10.8.0.2 port 49715 connected to 10.8.0.1 port 5201
    Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-1.00   sec  39.5 MBytes   331 Mbits/sec
    [  4]   1.00-2.00   sec  53.9 MBytes   453 Mbits/sec
    <skipped>
    [  4]  58.00-59.00  sec  47.4 MBytes   397 Mbits/sec
    [  4]  59.00-60.00  sec  39.4 MBytes   330 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    Test Complete. Summary Results:
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-60.00  sec  2.89 GBytes   414 Mbits/sec                  sender
    [  4]   0.00-60.00  sec  2.89 GBytes   414 Mbits/sec                  receiver
    CPU Utilization: local/sender 5.4% (0.5%u/4.9%s), remote/receiver 35.4% (4.9%u/30.6%s)
    iperf Done.
    
  3. Right click on tray icon -> Disconnect

Performance results indicate 414 Mbit/sec

Performance test - OpenVPN 3 - Windows - tap-windows6

  1. in administrative command prompt run OpenVPN3 test client:
    c:\Temp\openvpn3>cli.exe ..\client.ovpn
    
  2. in another command prompt run iperf3:
    c:\Temp\iperf3>iperf3.exe -c 10.8.0.1 -V -t 60
    iperf 3.1.3
    CYGWIN_NT-10.0 EC2AMAZ-FTIR7C4 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
    Time: Fri, 21 Jun 2019 09:22:17 GMT
    Connecting to host 10.8.0.1, port 5201
          Cookie: EC2AMAZ-FTIR7C4.1561108937.562602.50
          TCP MSS: 0 (default)
    [  4] local 10.8.0.2 port 49723 connected to 10.8.0.1 port 5201
    Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-1.00   sec  79.9 MBytes   669 Mbits/sec
    [  4]   1.00-2.00   sec  75.0 MBytes   629 Mbits/sec
    <skipped>
    [  4]  58.00-59.00  sec  80.6 MBytes   676 Mbits/sec
    [  4]  59.00-60.00  sec  78.2 MBytes   656 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    Test Complete. Summary Results:
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-60.00  sec  4.56 GBytes   652 Mbits/sec                  sender
    [  4]   0.00-60.00  sec  4.56 GBytes   652 Mbits/sec                  receiver
    CPU Utilization: local/sender 1.5% (0.3%u/1.2%s), remote/receiver 37.4% (4.7%u/32.7%s)
    iperf Done.
    
  3. press [F4] to stop test client

Performance results indicate 652 Mbit/sec
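
To compare runs like the three above without reading the numbers off by hand, the following added example (not part of the original wiki page or of the OpenVPN project) parses the summary and CPU lines of iperf3 text output and expresses each tunnel run as a percentage of the no-VPN baseline. The function and constant names are assumptions; the sample input is copied from the runs on this page.

```python
import re

# Summary line of iperf3 text output; an optional Retr column may precede the role.
SUMMARY = re.compile(
    r"\[\s*\d+\]\s+[\d.]+-([\d.]+)\s+sec\s+[\d.]+\s+[KMGT]?Bytes\s+"
    r"([\d.]+)\s+([KMG]?)bits/sec\s+(?:\d+\s+)?(sender|receiver)")
CPU = re.compile(r"local/sender ([\d.]+)%.*remote/receiver ([\d.]+)%")
TO_MBIT = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}

# Summary and CPU lines copied from the three runs on this page.
BASELINE = """\
[  4]   0.00-60.00  sec  48.7 GBytes  6.97 Gbits/sec                  sender
[  4]   0.00-60.00  sec  48.7 GBytes  6.97 Gbits/sec                  receiver
CPU Utilization: local/sender 19.5% (5.6%u/13.9%s), remote/receiver 38.5% (1.1%u/37.4%s)
"""
OPENVPN2 = """\
[  4]   0.00-60.00  sec  2.89 GBytes   414 Mbits/sec                  sender
[  4]   0.00-60.00  sec  2.89 GBytes   414 Mbits/sec                  receiver
CPU Utilization: local/sender 5.4% (0.5%u/4.9%s), remote/receiver 35.4% (4.9%u/30.6%s)
"""
OPENVPN3 = """\
[  4]   0.00-60.00  sec  4.56 GBytes   652 Mbits/sec                  sender
[  4]   0.00-60.00  sec  4.56 GBytes   652 Mbits/sec                  receiver
CPU Utilization: local/sender 1.5% (0.3%u/1.2%s), remote/receiver 37.4% (4.7%u/32.7%s)
"""


def parse_iperf3(text):
    """Return summary throughput in Mbit/s and the iperf3 CPU load of both ends."""
    out = {}
    for line in text.splitlines():
        m = SUMMARY.search(line)
        if m:
            out[m.group(4) + "_mbps"] = float(m.group(2)) * TO_MBIT[m.group(3)]
            out["seconds"] = float(m.group(1))
        m = CPU.search(line)
        if m:
            out["client_cpu"], out["server_cpu"] = map(float, m.groups())
    if "receiver_mbps" not in out:  # interrupted run or tunnel that never came up
        raise ValueError("no receiver summary line found")
    return out


def compare(baseline, runs):
    """Express each tunnel run as a percentage of the no-VPN baseline."""
    base = parse_iperf3(baseline)["receiver_mbps"]
    return {name: round(100 * parse_iperf3(text)["receiver_mbps"] / base, 1)
            for name, text in runs.items()}


if __name__ == "__main__":
    print(compare(BASELINE, {"openvpn2": OPENVPN2, "openvpn3": OPENVPN3}))
```

The CPU figures iperf3 reports cover the iperf3 processes themselves, not the OpenVPN daemon, so measure the daemon separately when looking for the bottleneck.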

Last modified on 08/21/19 14:42:58