With the advent of high-speed networks, the need for a high-speed VPN has also increased. OpenVPN is not particularly built for high speeds, but with modern hardware and the right encryption ciphers it is possible to achieve near-gigabit speeds with OpenVPN 2.4. This recipe will show you how to achieve these speeds.
We use the following network layout:
The client used in this recipe was a laptop with a Core i7-4810 processor with a maximum Turboboost speed of 3.8 GHz. The server was a server with an Xeon E5-2697A v4 processor with a maximum Turboboost speed of 3.6 GHz. Connect the client and the server both to a Gigabit Ethernet switch. Set up the client and server certificates using the Setting up the public and private keys recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4.0.
The client was running Fedora 22 Linux and OpenVPN 2.4.0. Keep the configuration file basic-udp-server.conf
from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, as well as the client configuration file basic-udp-client.conf
.
[root@server]# openvpn --config basic-udp-server.conf
[root@client]# openvpn --config basic-udp-client.conf ... ... Initialization Sequence Completed
iperf
on the server: [server]$ iperf -s
[client]$ iperf -c <openvpn-server-ip> [ 3] 0.0-10.0 sec 11 GBytes 900 Mbits/sec
For a Gigabit Ethernet network, this is close to the theoretical limit.
[client]$ iperf -l 1M -n 8M -c 10.200.0.1 [ 4] 0.0-10.2 sec 292 MBytes 233 Mbits/sec
This is the performance of a default OpenVPN tunnel.
[server]# openvpn --config basic-udp-server.conf --cipher aes-
256-cbc
And the client:
[client]# openvpn --config basic-udp-client.conf --cipher aes- 256-cbc ... ... Initialization Sequence Completed
[client]$ iperf -l 1M -n 8M -c 10.200.0.1 -r [ 4] 0.0-10.2 sec 762 MBytes 610 Mbits/sec [ 5] 0.0-10.2 sec 807 MBytes 646 Mbits/sec
This clearly shows that the AES-NI instructions make a difference.
[server]# openvpn --config basic-udp-server.conf --cipher aes-
256-gcm
And the client:
[client]# openvpn --config basic-udp-client.conf --cipher aes- 256-gcm ... ... Initialization Sequence Completed
[client]$ iperf -l 1M -n 8M -c 10.200.0.1 -r [ 4] 0.0-10.2 sec 1.07 GBytes 859 Mbits/sec [ 5] 0.0-10.2 sec 1.08 GBytes 865 Mbits/sec
The last performance numbers are actually quite close to the maximum speed that can be achieved over an OpenVPN tunnel on a Gigabit Ethernet network.
When processors are used that have a high clock speed and have support for the AES-NI instructions, OpenVPN and the operating system are capable of keeping up with the flood of packets that is coming in and needs to be sent out at Gigabit Ethernet speeds.
The new AES-256-GCM encryption cipher especially helps here, as the encryption and authentication (HMAC) are done in one step. This greatly improves performance, in part due to shorter computing time and in part due to the fact that this cipher has a smaller encryption overhead for each packet, leaving more bytes for the actual "payload".
Tuning network performance on Gigabit Ethernet depends heavily on the hardware and operating system used.
Another interesting test to run is to turn off all encryption and authentication (--cipher none --auth none
) and then run the iperf
tests once more. With the hardware used in this recipe the following numbers were achieved:
[ 4] 0.0-10.2 sec 1.09 GBytes 874 Mbits/sec [ 5] 0.0-10.2 sec 1.10 GBytes 879 Mbits/sec
These numbers are even closer to the actual line speed, mostly due to the fact that there is no encryption overhead, leaving optimal space for the "payload".
The iperf
tool is also available on Windows, so the above recipe can also be done using a Windows client and/or server. The results are very different compared to the Linux client or server. We can achieve similar "raw" Ethernet speeds by using [WinClient]> iperf -w 128K -c <openvpn-server-ip>
.
However, performance over the OpenVPN tunnel, with or without encryption, is well below 200 Mbps, even with the fastest processors used. Most likely, this is due to a design issue in the Windows TAP driver. This issue is currently under investigation.
3.142.119.8