[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] Re: OpenVPN Performance

> Basically, I'm a bit surprised that the FTP via the VPN was so low, and
> plesantly surprised that the SCP via the VPN was so high.
Can you please re-run these tests and this time run a tcpdump on the
link and look for icmp messages? eg:

tcpdump -lni eth0 icmp

or whatever physical ethernet terminates either side of your vpn. Can
you tell me if you see icmp reassembly time exceeded messages? Also if
you can, just for fun, you might want to try setting your MSS size down
for the ftp to vpn test. I think a good value is 1369. You can either do
with with a linux iptables firewall rule (if linux) or possibly in the
openvpn server config (the --mssfix value).

The cost of fragmentation with openvpn, imho, is quite high.. my
observations are that, in my system anyways, the minimum encapsulated
packet size that openvpn sends, is like 101 bytes. So a full sized frame
of 1500 bytes will make at least two frames - a large and a small.
Depending on settings and I'm not sure of the math or interactions with
other options, it could be like a 1477 byte frame and then the
afterforemention 101 byte frame. This in turn hurts you in several ways:

1) Your receiving end needs to reassemble a lot of fragments.
2) The number of packets per second is double (or more) than if we were
just going straight over the lan.

Why this is important to me is that I'm experiencing issues with packet
loss thru the vpn (frame goes in tap on one side but never comes out the
other) which appears to be due to the fact that the excessive number of
fragments that an active openvpn session tunneling hundreds of clients
generates, will appear to exhaust the kernels buffers for processing
fragmented packets, resulting in packet loss (and lots of 'icmp
fragmentation reassembly time exceeded' messages to prove it).

I've tried upping the kernel's memory pool to a little over 2M and no
luck, but I don't yet have a full grip yet. Your experiences with the
performance test would be useful information for me to have.

Thank you.

Openvpn-users mailing list