OpenVPN in Gigabit networks

With the advent of high-speed networks, the need for a high-speed VPN has also increased. OpenVPN is not particularly built for high speeds, but with modern hardware and the right encryption ciphers it is possible to achieve near-gigabit speeds with OpenVPN 2.4. This recipe will show you how to achieve these speeds.

Getting ready

We use the following network layout:

Getting ready

The client used in this recipe was a laptop with a Core i7-4810 processor with a maximum Turboboost speed of 3.8 GHz. The server was a server with an Xeon E5-2697A v4 processor with a maximum Turboboost speed of 3.6 GHz. Connect the client and the server both to a Gigabit Ethernet switch. Set up the client and server certificates using the Setting up the public and private keys recipe from Chapter 2Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.4.0. The client was running Fedora 22 Linux and OpenVPN 2.4.0. Keep the configuration file basic-udp-server.conf from the Server-side routing recipe from Chapter 2Client-server IP-only Networks, as well as the client configuration file basic-udp-client.conf.

How to do it...

  1. Start the server:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Next, start the client:
            [root@client]# openvpn --config basic-udp-client.conf
            ...
            ... Initialization Sequence Completed
    
  3. Next, we start iperf on the server:
            [server]$ iperf -s
    
  4. First, we measure the performance outside the tunnel:
            [client]$ iperf -c <openvpn-server-ip>
            [  3]  0.0-10.0 sec  11 GBytes  900 Mbits/sec
    

    For a Gigabit Ethernet network, this is close to the theoretical limit.

  5. Next, we measure the performance inside the tunnel:
            [client]$ iperf -l 1M -n 8M -c 10.200.0.1
            [  4]  0.0-10.2 sec  292 MBytes  233 Mbits/sec 
    

    This is the performance of a default OpenVPN tunnel.

  6. Stop both the client and server OpenVPN processes.
  7. Now, we switch to an AES-256 cipher to make use of the AES-NI instructions that both processors support:
            [server]# openvpn --config basic-udp-server.conf --cipher aes-
            256-cbc
    

    And the client:

            [client]# openvpn --config basic-udp-client.conf --cipher aes-
            256-cbc
            ...
            ... Initialization Sequence Completed
    
  8. Again, we measure the performance inside the tunnel, testing both directions:
            [client]$ iperf -l 1M -n 8M -c 10.200.0.1 -r
            [  4]  0.0-10.2 sec  762 MBytes  610 Mbits/sec 
            [  5]  0.0-10.2 sec  807 MBytes  646 Mbits/sec 
    

    This clearly shows that the AES-NI instructions make a difference.

  9. Stop both the client and server OpenVPN processes again.
  10. Now, we switch to AES-256-GCM, a new cipher algorithm supported by OpenVPN 2.4, which is more efficient compared to an AES-256 cipher and SHA2 HMAC function:
            [server]# openvpn --config basic-udp-server.conf --cipher aes-
            256-gcm
    

    And the client:

            [client]# openvpn --config basic-udp-client.conf --cipher aes-
            256-gcm
            ...
            ... Initialization Sequence Completed   
  11. Again, we measure the performance inside the tunnel, testing both directions:
            [client]$ iperf -l 1M -n 8M -c 10.200.0.1 -r
            [  4]  0.0-10.2 sec  1.07 GBytes  859 Mbits/sec 
            [  5]  0.0-10.2 sec  1.08 GBytes  865 Mbits/sec 
    

The last performance numbers are actually quite close to the maximum speed that can be achieved over an OpenVPN tunnel on a Gigabit Ethernet network.

How it works...

When processors are used that have a high clock speed and have support for the AES-NI instructions, OpenVPN and the operating system are capable of keeping up with the flood of packets that is coming in and needs to be sent out at Gigabit Ethernet speeds.

The new AES-256-GCM encryption cipher especially helps here, as the encryption and authentication (HMAC) are done in one step. This greatly improves performance, in part due to shorter computing time and in part due to the fact that this cipher has a smaller encryption overhead for each packet, leaving more bytes for the actual "payload".

There's more...

Tuning network performance on Gigabit Ethernet depends heavily on the hardware and operating system used.

Plain-text tunnel

Another interesting test to run is to turn off all encryption and authentication (--cipher none --auth none) and then run the iperf tests once more. With the hardware used in this recipe the following numbers were achieved:

[  4]  0.0-10.2 sec  1.09 GBytes  874 Mbits/sec  
[  5]  0.0-10.2 sec  1.10 GBytes  879 Mbits/sec  

These numbers are even closer to the actual line speed, mostly due to the fact that there is no encryption overhead, leaving optimal space for the "payload".

Windows performance

The iperf tool is also available on Windows, so the above recipe can also be done using a Windows client and/or server. The results are very different compared to the Linux client or server. We can achieve similar "raw" Ethernet speeds by using [WinClient]> iperf -w 128K -c <openvpn-server-ip>.

However, performance over the OpenVPN tunnel, with or without encryption, is well below 200 Mbps, even with the fastest processors used. Most likely, this is due to a design issue in the Windows TAP driver. This issue is currently under investigation.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.142.119.8