Re: [Openvpn-users] vpn performance

  • Subject: Re: [Openvpn-users] vpn performance
  • From: Jason Keltz <jas@xxxxxxxxxxx>
  • Date: Wed, 13 Jul 2005 09:19:46 -0400

Here are a couple of responses to the responses generated by my OpenVPN performance message yesterday and my responses to those...

Paul Voccio mentioned giving the Soekris SSL accelerator card a try. I might give this a try. Unfortunately, Linux support is experimental right now, and that's where I need to deploy this box.

Daniel Lehmann suggested that for my GHz-class machine, the card might/might not work as expected.

Brian Leyton asked whether in the real world I would have all my users going full bore simultaneously. Tim Bruijnzeels asked whether I would be using the VPN for remote or local clients. In the real world, all users wouldn't be going full bore simultaneously. However, I am using this VPN for local and not for remote clients. In very short -- we have several services including NFS, printing, and several other homegrown applications that rely heavily on an IP address that cannot necessarily be trusted. In trying to solve all the problems at once without having to implement "per software" trust model changes, I decided to try using a VPN. In fact, our VPN will act as a gateway between our machine room private network (where trust can be inferred), and our local network. Only now that I have the system ready for testing am I testing performance. Local performance here is all that really matters...

Kristof Hardy wondered whether the performance on a dual core AMD would be any better. I only have to buy one to answer that question :)

Cary Underwood made a great comment about the fact that if I could get 225 Mb with 1 CPU, I could thus get 900 Mb with 4 CPUs, and hence the VPN was giving me 80% of the capacity of the gigabit network. While this is true, the problem is that as I add more traffic to the regular non-VPN gigabit LAN, the throughput goes down slowly, but as I add more traffic to the saturated VPN, throughput takes a nosedive. Furthermore, I'm not yet positive that if I were to run 4 OpenVPN instances that I would get the 900 Mb bandwidth since the machine only has two "real" CPUs, and the other "2 CPUs" are showing up because of "hyperthreading".

Thanks for all of your responses...


