How much horsepower is needed to have 100Mbit/sec OpenVPN throughput?


Solution 1

Getting 100 Mbps throughput is easy, getting much more than 300 Mbps throughput is very hard (on Linux). This is due to the 'tun'/'tap' design in the Linux kernel.

Also, the Blowfish algorithm is largely clock-speed bound, as I've found out when comparing hardware that ranged from brand new to 8 yrs old.

AES128 and AES256 might benefit from Intel's AES-NI patch which seems to speed things up even on non-AES-NI capable hardware.

Anything running more than 800 MHz should be fine to get 100 Mbps throughput, with decent GigE cards (Intel, Broadcom, etc).

Solution 2

You need at least:

  • decent GBit NICs. Cheap NICs generate too many interrupts per traffic, which hogs CPU.
  • when the machine doesn't do anything else, an 800MHz to 1GHz x86 (Atom) should do
  • look into a VIA CPU. They've integrated crypto, which lends itself very well to machines designated as VPN concentrator.
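
Both answers tie throughput to what the CPU can encrypt per second. As an added example (not part of either answer), this script converts `openssl speed -evp <cipher>` output into Mbit/s at 1024-byte blocks and compares it with a target rate. The function names, the sample figures and the default 3x margin for HMAC and tun/tap overhead are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout `openssl speed -evp <cipher>` prints
# (values are thousands of bytes per second); not measured on real hardware.
sample_speed_output() {
    cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      20000.00k    22000.00k    24000.00k    25000.00k    25500.00k    25600.00k
bf-cbc           30000.00k    35000.00k    40000.00k    50000.00k    51000.00k    51200.00k
EOF
}

# cipher_headroom TARGET_MBIT [MARGIN]
# Reads openssl speed output on stdin and prints "<cipher> <Mbit/s> <verdict>".
# Raw cipher speed is only an upper bound for a VPN, so the verdict is "ok"
# only when the cipher alone reaches TARGET_MBIT * MARGIN (margin is assumed).
cipher_headroom() {
    awk -v target="${1:-100}" -v margin="${2:-3}" '
        # Header row: locate the column holding the 1024-byte results.
        $1 == "type" {
            for (i = 2; i < NF; i += 2)
                if ($i == "1024") col = i / 2 + 1
            next
        }
        # Result rows follow the header and carry a trailing "k".
        col && $col ~ /^[0-9.]+k$/ {
            kbytes = $col
            sub(/k$/, "", kbytes)
            mbit = kbytes * 1000 * 8 / 1000000   # kB/s -> Mbit/s
            verdict = (mbit >= target * margin) ? "ok" : "tight"
            printf "%s %.0f %s\n", $1, mbit, verdict
        }'
}

# Demo on the constructed sample. On a real box, pipe in live output:
#   openssl speed -evp aes-128-cbc 2>/dev/null | cipher_headroom 100
sample_speed_output | cipher_headroom 100 3
```
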
Author: leto

Updated on September 17, 2022

Comments

  • leto
    leto almost 2 years

    My small ALIX machine is not coping with the new demand for OpenVPN throughput I have. So I'm looking to replace it. Problem is, I don't have any experience with hardware sizing for OpenVPN. I'm looking for something that satisfies this profile:

    • = 100Mbit/sec Throughput
    • Cipher either AES-128-CBC or AES-256-CBC or Blowfish
    • Small power footprint

    I've been looking into pairing a small Atom single-core with a PCI GigE nic, but have my doubts.

    What works for you? What can you recommend?

    Any answers like "I get x Mbit/sec with this rig" also very much appreciated to get a feeling for it.

    Thanks in advance.

    • leto
      leto over 13 years
      That's what I thought grin Bought a vpn1411 for my Alix 2D3, put "engine cryptodev" in OpenVPN config and "cipher AES-128-CBC" and ... 10 Mbit/sec. To be honest I think this hardware acceleration sucks on ALIX because of Interrupt latency. Some other folks confirmed that. But maybe we all miss something? EDIT: I'm on OpenBSD 4.6 i386
    • EEAA
      EEAA over 13 years
      @leto - from the FAQ: "If you are not comfortable with the idea of your questions and answers being edited by other trusted users, this may not be the site for you." My edits were for grammar, proper capitalization, and setting the proper form of "horsepower", which is supposed to be one word. As the FAQ said, if you're not comfortable with others editing your questions/answers, then you may want to go elsewhere.
    • EEAA
      EEAA over 13 years
      No problem, just making sure you were brought up to speed on how things go around here. Welcome!
    • gravyface
      gravyface over 13 years
      How many concurrent VPN connections? These primarily road warriors?
    • leto
      leto over 13 years
      The setup looks like this: (home network)<--GigE-->(openvpn router)<--100Mbit-->(Internet)<-->(dedicated server). It's to get a static IP at home, so we're talking about one connection, the router acting as a client. Maybe three connections maximum in the foreseeable future, but that would be the worst case. The client is on a dynamic IP, so yes, a road warrior.
    • Philip
      Philip over 13 years
      @Leto, I've had an Alix2C10 (2D3 w/o some pins) with the LX700, VPN1411, FreeBSD 8.1, IPSec AES 128 CBC did about 40Mbps (lightning got it). A friend has a similar setup and it does 60Mbps. I've heard of problems in the past with software not using the hardware, possibly the case here? Or maybe the 2D3 has issues I'm not aware of, do you have any links to more info?
  • leto
    leto over 13 years
    The basement junk yard says: Get a D510 Atom dual-core, I have the DDR2 memory, the Intel GbE desktop NIC (PCI) and some USB-Sticks for RAID1. It has interrupt moderation and TCP offload. The VIA mainboards are nice, no question. But after I've been burnt with interrupts and latency with the vpn1411 I guess I would like to try a software only solution. What do you think? Intel Atom + Intel 1000 GT? Greets
  • knitti
    knitti over 13 years
    I've been burned by vpn1411 too, the VIA C7/Eden CPUs are different, because the crypto is built into the CPU. Works great and, at least with OpenBSD, out of the box.
  • leto
    leto over 13 years
    Good to hear, they have a very amicable power footprint, AFAIK. What are you using exactly? I've read there are differences concerning Padlock features. What would you opt for?
  • leto
    leto over 13 years
    I've come across the J7F4K1G5S with a VIA C7 CPU (jetwaycomputer.com/spec/J7F4K1G5S.pdf). Might it possibly push 100Mbit/sec AES-128-CBC? Thanks in advance
  • knitti
    knitti over 13 years
    This looks almost like too much :-) I don't know how efficient OpenVPN is, but with a liantec.com/product/emboard/EMB-5730.htm (C7 500MHz) we did about 50-60 MBit IPSec (AES+SHA) with CPU utilization <15%, so I think you will be fine.