[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] how to increase performance(speed)

  • Subject: Re: [Openvpn-users] how to increase performance(speed)
  • From: Chris Black <cblack@xxxxxxxxxx>
  • Date: Tue, 18 Apr 2006 15:57:28 -0500

Have you done a measurement to see the difference between FTP over the VPN link to the PH machine vs FTP over a non-encrypted link to the PH machine? I'd be curious to see the difference in bandwidth and/or transfer time for the same file(s). I realize your firewall rules may not make this possible/easy, but it would be an informative test.

Also, is there any particular reason you are specifying that cipher (DES-EDE3-CBS [triple DES])? Both Blowfish (BF-CBC) and AES (AES-128-CBC) are faster on my machines and I believe AES is considered to be at least as strong as 3DES. I am currently using the default (BF-CBC). Changing the cipher to a faster (and perhaps even stronger) one such as AES may give you some improvement, but as I said in a previous post, for bandwidth purposes most lightly loaded modern machines can encrypt more than a T1s worth of bandwidth for any of the ciphers.

Timing output from "openssl speed bf-cbc; openssl speed des-ede3; openssl speed aes-128-cbc"
On a Linux 1.5GHz Athlon:
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
blowfish cbc 59300.37k 63400.60k 64507.90k 64683.35k 65505.86k (~64MBps)
des ede3 13048.64k 13385.79k 13474.56k 13499.73k 13503.15k (~13MBps)
aes-128 cbc 40891.83k 42565.99k 43319.30k 43471.19k 43442.18k (~42MBps)

On an OpenBSD 700MHz Celeron:
blowfish cbc 11652.74k 12198.84k 12371.33k 12526.30k 12685.55k (~12MBps)
des ede3 1628.31k 1642.45k 1649.12k 1646.98k 1648.55 (~1.6MBps)
aes-128 cbc 9850.36k 10237.38k 10309.71k 10336.80k 10364.35k (~10MBps)


Toby McMillan, RHCE wrote:

Hi Chris, everyone,

My apologies, that should be instead of 0.12. Theyre on
the same LAN as the other servers that I mentioned, all behind a
Linksys, and all are individually connecting(right, each has its own
VPN client)to an OpenVPN server in PH. The links are primarily used
for FTP.

Here's a sample config file from one of those clients behind the Linksys.

dev tun
proto udp
remote [ip address erased] 1194
resolv-retry infinite
user nobody
group nobody
ca /etc/openvpn/ca.crt
cert /etc/openvpn/weberver01.crt
key /etc/openvpn/webserver01.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
cipher DES-EDE3-CBC
verb 3


On 4/19/06, Chris Black <cblack@xxxxxxxxxx> wrote:

As far as the original post is concerned, how is connected
to I did not see .0.12 mentioned in your description of
the network. I think I am not quite understanding your topology, do you
have three webservers at one on a single LAN behind a linksys and then
all of those webservers are individually connecting (each running their
own VPN client) to an OpenVPN server in the Philippines? Is web traffic
coming in for the three webservers through the linksys on an unencrypted
link and the vpn links are used for updates or something else?


Openvpn-users mailing list