-----Original Message-----
> From: Jon Bendtsen [mailto:jon.bendtsen@xxxxxxxxxx]
> Sent: Monday, March 06, 2006 3:16 AM
> To: Schultz, Dale C.
> Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] Re: OpenVPN Server Performance (real experience)
>
> On Monday, 6 Mar at 3:05, Dale wrote:
>
> > Dale wrote:
> >
> >> Dale <d.schultz <at> telesat.ca> writes:
> >>> Charles Duffy <cduffy <at> spamcop.net> writes:
> >>>
> >>>> I'd be interested to see what exactly your system is actually
> >>>> doing that's throttling the CPU. Perhaps you could use oprofile
> >>>> to find out if it's spending its time inside OpenSSL (which is
> >>>> the only *legitimate* place for it to be) or somewhere else.
> >>>>
> >>>
> >>> I can look at using that tool, thanks. I just want to be clear
> >>> though, I'm only having CPU load issues when the network has to
> >>> re-establish all the tunnels with the remotes. I have no
> >>> problems once the tunnels are up. The CPU with 200+ tunnels
> >>> running is very low in normal operating mode. The highest I see
> >>> it go is 10%, and that is when the reneg kicks in. I need to
> >>> look at the reneg option too, I'd like to get away from the 3600
> >>> seconds thing. Can I use both reneg on a packet count and on
> >>> time together? Such that if the packet limit is not reached
> >>> before the time period then the time causes a reneg?
> >>>
> >>> Thanks
> >> Hi: Does anyone know the effect of using dh4096.pem on tunnel
> >> establishment compared to n=1024 or n=2048? I didn't create this
> >> server but I did find out that we are using n=4096 and it took
> >> three days to generate the DH parameters on this server (3GHz
> >> Intel Xeon).
> > To answer my own question, here are a few stats from my server
> > using different dh key sizes.
> > (All of these readings were seen via top and iftop while 275
> > clients pounded away on the server trying to re-establish their
> > tunnels. connect-freq 2 1 was used)
> >
> > dh1024.pem: CPU load between 5 to 20% eth0 output data rate: 500kbps
> > dh2048.pem: CPU load between 10 to 35% eth0 output data rate: 300kbps
> > dh4096.pem: CPU load between 75 to 100% eth0 output data rate: 175kbps
> >
> > I hope this helps a few people when considering their client base,
> > server size and Internet connection bandwidth.
>
> Did it make any change when the clients were authenticated?
> during normal use?
>

I would have to say no. We have been running with dh4096.pem from the beginning of this project and have never had a problem once the tunnels to the clients were up. CPU usage after the tunnels are up only seems to peak again when the reneg timer expires and even then the CPU only reaches about 20%.

Here is a brief oprofile report:

# opreport
CPU: P4 / Xeon with 2 hyper-threads, speed 2992.58 MHz (estimated)
Counted GLOBAL_POWER_EVENTS events (time during which processor is not stopped) with a unit mask of 0x01 (mandatory) count 100000
GLOBAL_POWER_E...|
  samples|      %|
------------------
759260679 80.2939 libcrypto.so.0.9.8
163709768 17.3128 no-vmlinux
  5442129  0.5755 openvpn
  5220700  0.5521 libc-2.3.5.so
  4495358  0.4754 oprofiled
  1543508  0.1632 gawk
  1241862  0.1313 ld-2.3.5.so
   721805  0.0763 bash
   590218  0.0624 libssl.so.0.9.8
   557939  0.0590 libbz2.so.1.0.0
   527061  0.0557 libpython2.4.so.1.0
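The readings in the message above (CPU load rising from 5-20% with dh1024.pem to 75-100% with dh4096.pem, with most samples in libcrypto) match how the modular exponentiation in a Diffie-Hellman exchange scales with modulus size. The following is an added example, not part of the original thread: it times one peer's two exponentiations at each size. Assumptions: the moduli are constructed random odd integers rather than real DH parameters, private exponents are full length, and the arithmetic is Python's rather than OpenSSL's, so only the ratios are meaningful.

```python
import secrets
import time


def constructed_modulus(bits):
    """Random odd integer of exactly `bits` bits (constructed; not a real DH prime)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def dh_side_seconds(bits, rounds=3):
    """Best-of-`rounds` time for one peer's share of a DH exchange:
    one modexp for its public value, one to derive the shared secret."""
    p, g = constructed_modulus(bits), 2
    best = float("inf")
    for _ in range(rounds):
        x = secrets.randbits(bits - 1) | 1   # our private exponent (full length: assumption)
        y = secrets.randbits(bits - 1) | 1   # peer's private exponent
        peer_pub = pow(g, y, p)              # peer's work, not timed
        start = time.perf_counter()
        pub = pow(g, x, p)
        shared = pow(peer_pub, x, p)
        elapsed = time.perf_counter() - start
        # Both sides must reach the same value, or the timing is meaningless.
        assert pow(pub, y, p) == shared
        best = min(best, elapsed)
    return best


def relative_cost(sizes=(1024, 2048, 4096)):
    """Cost of each modulus size as a multiple of the smallest size's cost."""
    timings = {bits: dh_side_seconds(bits) for bits in sizes}
    base = timings[min(sizes)]
    return {bits: timings[bits] / base for bits in sizes}


if __name__ == "__main__":
    for bits, ratio in relative_cost().items():
        print(f"{bits}-bit modulus: {ratio:6.1f}x the cost of the smallest size")
```

A server re-establishing every tunnel at once pays this per-client cost for each reconnecting client, which is why the load appears at tunnel setup and renegotiation rather than in steady-state traffic.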