= Performance testing OpenVPN =

This document describes how to performance test OpenVPN in a more static and predictable environment, using EC2 hosts on Amazon Web Services (AWS).

Using AWS with an isolated Virtual Private Cloud (VPC) gives you a closed, high-performing network well suited for performance testing. Hosts within the same VPC are not disturbed by random other hosts. This means the test results we get here are more like "laboratory results", indicating the performance under optimal conditions. This does not mean you will get the same performance when setting up a connection over the Internet, but these test results should give a good idea of what you can expect if you have no issues with the connection between your clients and the OpenVPN server.

In this document we use OpenVPN 2.4 on the server side. The Windows client is tested using both OpenVPN 2.4 and the OpenVPN 3 reference client.

== TL;DR performance results ==

The test run we did following this guide gave us these results:

 * Direct TCP connection without VPN: close to **7Gbit/sec**
 * OpenVPN 2 Windows client, using tap-windows6: **414 Mbit/sec**
 * OpenVPN 3 reference client, using tap-windows6: **652 Mbit/sec**

= Preparations =

== AWS preparations ==

 1. Log in to AWS console
 1. Create VPC
   * in "VPC Dashboard" select "Your VPCs" -> "Create VPC"
   * name it "performance_test"
   * use "10.0.0.0/24" as IPv4 CIDR block
   * select "Tenancy: Dedicated"
 1. Create an Internet Gateway
   * in "VPC Dashboard" select "Internet Gateways" -> "Create internet gateway"
   * name it "performance_test_igw"
   * attach it to VPC - right click, "attach to VPC", select "performance_test"
 1. Create subnet
   * in "VPC Dashboard" select "Subnets" -> "Create subnet"
   * name it "performance_test_subnet"
   * select "performance_test" VPC
   * use "10.0.0.0/24" as IPv4 CIDR block
 1. Set up VPC routing
   * in "VPC Dashboard" select "Your VPCs"
   * select "performance_test"
   * click on value in "main route table" column
   * select "Routes" -> "Edit routes"
   * add route "0.0.0.0/0", target "Internet Gateway", select "performance_test_igw"
 1. Create placement group
   * in "EC2 Dashboard" select "Placement Groups" -> "Create Placement Group"
   * name it "performance_test_pg"
   * select "Cluster" strategy

== OpenVPN server setup ==

 1. Launch VPN server instance
   * EC2 Dashboard -> Launch Instance
   * select "Ubuntu Server 18.04 LTS (HVM), SSD Volume Type"
   * select "c5.xlarge" instance
   * in bottom right corner push "Next: Configure Instance Details"
   * select "performance_test" as a "Network"
   * you should have "performance_test_subnet" autoselected
   * select "Add instance to placement group"
   * select "Add to existing placement group"
   * select "performance_test_pg"
   * push "Review and Launch" in bottom right corner
 1. Assign IP address
   * in "EC2 Dashboard" select "Elastic IPs" -> "Allocate new address"
   * use default "Amazon pool" selection
   * push "Allocate", then "Close"
   * right click on newly allocated address -> select "Associate address"
   * select newly created VPN server instance and push "Associate"
 1. Name instance as "performance test server"

=== Configure OpenVPN server ===

 1. Use SSH to connect to the EC2 instance, and run the `apt` command as indicated
 {{{
$ ssh ubuntu@
[.....]
[ubuntu@....] $ sudo apt update && sudo apt install -y iperf3 openvpn
 }}}
 1. Create the OpenVPN server config
   * switch to /etc/openvpn directory: `cd /etc/openvpn`
   * download dh2048.pem, ca.crt, server.crt, server.key from https://github.com/OpenVPN/openvpn/tree/master/sample/sample-keys
 {{{
$ sudo wget https://raw.githubusercontent.com/OpenVPN/openvpn/master/sample/sample-keys/dh2048.pem
 }}}
   and so on. You will need dh2048.pem, ca.crt, server.key, server.crt
 1. Create /etc/openvpn/server.ovpn with content
 {{{
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 5 30
verb 4
 }}}
 1. Start the OpenVPN daemon
 {{{
$ sudo openvpn --config /etc/openvpn/server.ovpn --daemon
 }}}

== Windows OpenVPN client setup ==

 1. Launch a new VPN Windows client instance in AWS
   * EC2 Dashboard -> Launch Instance
   * select "Windows Server 2016 Base"
   * select "c5.xlarge" instance
   * edit instance details
   * select "performance_test" as a "Network"
   * you should have "performance_test_subnet" autoselected
   * select "Add instance to placement group"
   * select "Add to existing placement group"
   * select "performance_test_pg"
 1. Assign IP address
   * in "EC2 Dashboard" select "Elastic IPs" -> "Allocate new address"
   * select "associate address"
   * right click on address -> select newly created VPN windows client instance -> "Associate"
 1. Create Security Group
   * EC2 Dashboard -> Security Groups -> Create Security Group
   * use "performance_test_sg" as name
   * use "Allow all traffic inside VPC" as a description
   * select "performance_test" as VPC
   * add inbound rule, "All Traffic" -> source Custom "10.0.0.0/16"
   * Go to EC2 Dashboard -> Instances
   * select server instance, right click -> networking -> change security groups -> add "performance_test_sg"
   * repeat for client instance

=== Configure Windows OpenVPN client ===

 1. Right click on instance -> Get Windows Password
 1. Specify private key from keypair you used when creating instance
 1. Save Administrator password
 1. Connect to machine via Remote Desktop
 1. Download needed software packages
   * consider installing some normal browser (Chrome / FF) since Edge / IE has horrible user experience
   * download iPerf3 from https://iperf.fr/download/windows/iperf-3.1.3-win64.zip, extract to C:\Temp\iperf3
   * download and install OpenVPN GUI client from https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I607-Win10.exe
   * download and install Visual C++ Redistributable https://aka.ms/vs/16/release/vc_redist.x64.exe
 1. Create C:\Temp\client.ovpn with the following content:
 {{{
client
dev tun
proto udp
remote 1194
ca c:\\Temp\\ca.crt
cert C:\\Temp\\client.crt
key C:\\Temp\\client.key
verb 3
 }}}
 1. Download ca.crt, client.crt and client.key from https://github.com/OpenVPN/openvpn/tree/master/sample/sample-keys to C:\Temp
 1. Run OpenVPN GUI, right click on tray icon -> Import file, specify C:\Temp\client.ovpn
 1. Download openvpn3 test client from https://ci.appveyor.com/project/openvpn/openvpn3/builds/25439762/artifacts to C:\Temp\openvpn3

= Running Performance Tests =

== Bandwidth tests - no VPN ==

 1. On server machine, run `iperf3 -s 0.0.0.0`
 1. On client machine:
 {{{
c:\Temp>iperf3.exe -c -V -t 60
iperf 3.1.3
CYGWIN_NT-10.0 EC2AMAZ-FTIR7C4 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
Time: Thu, 20 Jun 2019 11:50:10 GMT
Connecting to host 10.0.0.78, port 5201
Cookie: EC2AMAZ-FTIR7C4.1561031410.179818.46
TCP MSS: 0 (default)
[ 4] local 10.0.0.15 port 49719 connected to 10.0.0.78 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 821 MBytes 6.88 Gbits/sec
[ 4] 1.00-2.00 sec 820 MBytes 6.88 Gbits/sec
[ 4] 58.00-59.00 sec 831 MBytes 6.97 Gbits/sec
[ 4] 59.00-60.00 sec 832 MBytes 6.98 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-60.00 sec 48.7 GBytes 6.97 Gbits/sec sender
[ 4] 0.00-60.00 sec 48.7 GBytes 6.97 Gbits/sec receiver
CPU Utilization: local/sender 19.5% (5.6%u/13.9%s), remote/receiver 38.5% (1.1%u/37.4%s)
iperf Done
 }}}

Bandwidth performance results indicate close to **7Gbit/sec**

== Performance test - OpenVPN 2 - Windows - tap-windows6 ==

 1. On client machine, start OpenVPN 2 GUI, right click on tray icon -> Connect
 1. Run iperf3
 {{{
c:\Temp\iperf3>iperf3.exe -c 10.8.0.1 -V -t 60
iperf 3.1.3
CYGWIN_NT-10.0 EC2AMAZ-FTIR7C4 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
Time: Fri, 21 Jun 2019 09:14:04 GMT
Connecting to host 10.8.0.1, port 5201
Cookie: EC2AMAZ-FTIR7C4.1561108444.929966.30
TCP MSS: 0 (default)
[ 4] local 10.8.0.2 port 49715 connected to 10.8.0.1 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 39.5 MBytes 331 Mbits/sec
[ 4] 1.00-2.00 sec 53.9 MBytes 453 Mbits/sec
[ 4] 58.00-59.00 sec 47.4 MBytes 397 Mbits/sec
[ 4] 59.00-60.00 sec 39.4 MBytes 330 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-60.00 sec 2.89 GBytes 414 Mbits/sec sender
[ 4] 0.00-60.00 sec 2.89 GBytes 414 Mbits/sec receiver
CPU Utilization: local/sender 5.4% (0.5%u/4.9%s), remote/receiver 35.4% (4.9%u/30.6%s)
iperf Done.
 }}}
 1. Right click on tray icon -> Disconnect

Performance results indicate **414 Mbit/sec**

== Performance test - OpenVPN 3 - Windows - tap-windows6 ==

 1. In an administrative command prompt, run the OpenVPN3 test client:
 {{{
c:\Temp\openvpn3>cli.exe ..\client.ovpn
 }}}
 1. In another command prompt, run iperf3:
 {{{
c:\Temp\iperf3>iperf3.exe -c 10.8.0.1 -V -t 60
iperf 3.1.3
CYGWIN_NT-10.0 EC2AMAZ-FTIR7C4 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
Time: Fri, 21 Jun 2019 09:22:17 GMT
Connecting to host 10.8.0.1, port 5201
Cookie: EC2AMAZ-FTIR7C4.1561108937.562602.50
TCP MSS: 0 (default)
[ 4] local 10.8.0.2 port 49723 connected to 10.8.0.1 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 60 second test
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 79.9 MBytes 669 Mbits/sec
[ 4] 1.00-2.00 sec 75.0 MBytes 629 Mbits/sec
[ 4] 58.00-59.00 sec 80.6 MBytes 676 Mbits/sec
[ 4] 59.00-60.00 sec 78.2 MBytes 656 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-60.00 sec 4.56 GBytes 652 Mbits/sec sender
[ 4] 0.00-60.00 sec 4.56 GBytes 652 Mbits/sec receiver
CPU Utilization: local/sender 1.5% (0.3%u/1.2%s), remote/receiver 37.4% (4.7%u/32.7%s)
iperf Done.
 }}}
 1. Press [F4] to stop test client

Performance results indicate **652 Mbit/sec**
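
To compare the three runs, the receiver summary row of each iperf3 report can be parsed and expressed as a share of the no-VPN baseline. This is an added example, not part of the original page; the function names `receiver_mbit` and `compare` are hypothetical, and the sample reports are constructed from the summary rows shown above.

```python
import re

# Matches an iperf3 summary row such as
# "[ 4] 0.00-60.00 sec 2.89 GBytes 414 Mbits/sec receiver"
SUMMARY_RE = re.compile(
    r"\[\s*(?:\d+|SUM)\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w?Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec\s+(?P<role>sender|receiver)"
)
UNIT_TO_MBIT = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}


def receiver_mbit(report: str) -> float:
    """Return receiver-side throughput in Mbit/s from an iperf3 text report."""
    rates = {}
    for line in report.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            # With parallel streams the [SUM] rows come last and win here.
            rates[m["role"]] = float(m["rate"]) * UNIT_TO_MBIT[m["unit"]]
    if "receiver" not in rates:
        raise ValueError("no receiver summary row; was the test interrupted?")
    return rates["receiver"]


def compare(baseline: str, runs: dict) -> dict:
    """Map run name -> (Mbit/s, percent of the no-VPN baseline)."""
    base = receiver_mbit(baseline)
    out = {}
    for name, text in runs.items():
        rate = receiver_mbit(text)
        out[name] = (rate, round(100 * rate / base, 1))
    return out


# Constructed sample input: summary rows taken from the three runs above.
BASELINE = """[ 4] 0.00-60.00 sec 48.7 GBytes 6.97 Gbits/sec sender
[ 4] 0.00-60.00 sec 48.7 GBytes 6.97 Gbits/sec receiver"""
RUNS = {
    "OpenVPN 2": "[ 4] 0.00-60.00 sec 2.89 GBytes 414 Mbits/sec sender\n"
                 "[ 4] 0.00-60.00 sec 2.89 GBytes 414 Mbits/sec receiver",
    "OpenVPN 3": "[ 4] 0.00-60.00 sec 4.56 GBytes 652 Mbits/sec sender\n"
                 "[ 4] 0.00-60.00 sec 4.56 GBytes 652 Mbits/sec receiver",
}

if __name__ == "__main__":
    for name, (rate, pct) in compare(BASELINE, RUNS).items():
        print(f"{name}: {rate:.0f} Mbit/s ({pct}% of no-VPN baseline)")
```
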