5

I am configuring OpenVPN to act as an SSL tunnel for a remote location. I have OpenVPN1 at our current location acting as a server, then OpenVPN2 at the other location that is acting as a client but is also acting as a DHCP server to machines behind it, so they are basically connected to the local LAN. Everything is set up fine and I can talk from location A to location B with no problems, like everyone is local. I am, however, having some performance issues. OpenVPN1 CPU is pegged to 100% the entire time I am copying or doing any type of activity through the tunnel. I expect some CPU usage going up but nothing like this. It's really killing my performance. OpenVPN1 is running in ESX right now with 2 gig RAM and 4 procs with unlimited bursting capacity. I am using AES-192 encryption with a 1024 key. Any idea how I can get my CPU down on OpenVPN1 and my download/upload speeds higher between the tunnel? Thanks.

edit: Turning down the logging helped boost the throughput a little bit, but I am still fairly shy of where I believe I should be. Also I am still maxed out on the CPU. Does anyone have any ideas? I am really stuck on this.

user9517

2 Answers

1

What's the speed of the internet connection between both ends? OpenVPN on modern hardware can easily handle 100Mbit/s or more of traffic.

Do you run tun or tap mode? tap tun/routed should give you better performance.

pQd
  • We have a gig connection between all of the links and we are using tun interfaces. I am only getting around a 5 meg download speed from a point A file server to a point B laptop. –  Nov 17 '09 at 22:24
  • @then there is something seriously wrong. Check connectivity between VPN endpoints with iperf - first over the tunnel, then directly. Compare speeds. You will not get hundreds of mbits, but 50-80 without any trouble. No chance that openvpn limits you down to 5mbit. – pQd Nov 17 '09 at 22:47
  • If I do a download of a file on a 100 meg connection on the LAN I get around 12 MB/sec. If I do that same copy through the VPN I get around 4.5 MB/sec. My CPU is still getting spiked out on my OpenVPN server which has to be the bottleneck of the data push. –  Nov 18 '09 at 21:39
  • @n00b what protocol to encapsulate the traffic do you use - tcp or udp? try with udp, although - if you have stable link between vpn endpoints that should not matter too much. what cpu do you have on the host system for virtualization? – pQd Nov 18 '09 at 22:08
  • I am using udp for encapsulation. For the OpenVPN server, I am running it on an IBM xSeries 346 2x 2.8 GHz Xeon with 4 gigs of RAM. For the virtualization I am giving it 4 procs and 2 gigs of RAM with an unlimited cap and it's peaking out the entire server. –  Nov 19 '09 at 14:14
  • is the gigabit connection end-to-end ? – Antoine Benkemoun Nov 23 '11 at 19:59
0

Are you using compression?

If so you would likely benefit from disabling comp-lzo.

Dan Carley
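
The settings raised across this thread (logging verbosity, tun vs. tap, udp vs. tcp, comp-lzo) can be checked in one pass over an OpenVPN config file. The following is an added example, not code from any poster here; the sample config is constructed, the function names are hypothetical, and the `verb` cutoff follows the OpenVPN man page, which describes level 5 and up as per-packet and debug output.

```python
# Added example, not from the thread. SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG = """\
# constructed sample server config
port 1194
proto tcp-server
dev tap0
cipher AES-192-CBC
comp-lzo
verb 6  ; debug-level logging
"""


def parse_directives(text):
    """Return {directive: [args]} from OpenVPN config text.

    '#' and ';' start comments. Quoted arguments are not handled (assumption:
    the directives checked here never need quoting).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw
        for marker in ("#", ";"):
            line = line.split(marker, 1)[0]
        parts = line.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def first_arg(directives, name, default):
    """First argument of a directive, or default if absent or bare."""
    args = directives.get(name)
    return args[0] if args else default


def throughput_findings(directives):
    """Return (directive, note) pairs for the settings raised in the thread."""
    findings = []
    if first_arg(directives, "proto", "udp").startswith("tcp"):
        findings.append(("proto", "TCP encapsulation in use; try udp"))
    if first_arg(directives, "dev", "").startswith("tap"):
        findings.append(("dev", "tap device; tun/routed was suggested"))
    if "comp-lzo" in directives and first_arg(directives, "comp-lzo", "adaptive") != "no":
        findings.append(("comp-lzo", "compression enabled; try disabling it"))
    # verb 1-4 is the normal range; 5 and up logs per packet (OpenVPN man page).
    if int(first_arg(directives, "verb", "1")) > 4:
        findings.append(("verb", "per-packet/debug logging; turn it down"))
    return findings


if __name__ == "__main__":
    for directive, note in throughput_findings(parse_directives(SAMPLE_CONFIG)):
        print(f"{directive}: {note}")
```

An empty result only means none of these four settings is the cause; the iperf comparison over the tunnel and directly, suggested in the comments above, is still what separates a link problem from a CPU-bound endpoint.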