[Openvpn-users] OpenVPN network throughput vs raw network throughput

[Gena Makhomed]

Hello, All!

I use OpenVPN 2.4.6 from EPEL repo on CentOS 7.5
I see very bad, from my point of view, network throughput values:

First test, between two servers without OpenVPN:

# iperf3 -c 137.74.xxx.xxx
Connecting to host 137.74.xxx.xxx, port 5201
[  4] local 138.201.xxx.xxx port 51934 connected to 137.74.xxx.xxx port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  13.9 MBytes   117 Mbits/sec   29    600 KBytes
[  4]   1.00-2.00   sec  12.5 MBytes   105 Mbits/sec    0    682 KBytes
[  4]   2.00-3.00   sec  11.2 MBytes  94.4 Mbits/sec    1    742 KBytes
[  4]   3.00-4.00   sec  12.5 MBytes   105 Mbits/sec    0    755 KBytes
[  4]   4.00-5.00   sec  11.2 MBytes  94.4 Mbits/sec    0    766 KBytes
[  4]   5.00-6.00   sec  11.2 MBytes  94.4 Mbits/sec    0    778 KBytes
[  4]   6.00-7.00   sec  12.5 MBytes   105 Mbits/sec    0    790 KBytes
[  4]   7.00-8.00   sec  11.2 MBytes  94.4 Mbits/sec    0    816 KBytes
[  4]   8.00-9.00   sec  11.2 MBytes  94.4 Mbits/sec    3    434 KBytes
[  4]   9.00-10.00  sec  12.5 MBytes   105 Mbits/sec    0    462 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   120 MBytes   101 Mbits/sec   33             sender
[  4]   0.00-10.00  sec   117 MBytes  98.1 Mbits/sec 
receiver

iperf Done.

Second test, between OpenVPN interfaces:

# iperf3 -c 172.31.254.1
Connecting to host 172.31.254.1, port 5201
[  4] local 172.31.254.101 port 34580 connected to 172.31.254.1 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  4.13 MBytes  34.6 Mbits/sec   60   47.7 KBytes
[  4]   1.00-2.00   sec  4.08 MBytes  34.2 Mbits/sec   43   31.4 KBytes
[  4]   2.00-3.00   sec  3.07 MBytes  25.7 Mbits/sec   24   40.7 KBytes
[  4]   3.00-4.00   sec  3.44 MBytes  28.8 Mbits/sec   20   38.4 KBytes
[  4]   4.00-5.00   sec  3.19 MBytes  26.8 Mbits/sec   20   34.9 KBytes
[  4]   5.00-6.00   sec  2.82 MBytes  23.7 Mbits/sec   15   24.4 KBytes
[  4]   6.00-7.00   sec  3.31 MBytes  27.8 Mbits/sec   13   22.1 KBytes
[  4]   7.00-8.00   sec  3.56 MBytes  29.9 Mbits/sec   17   25.6 KBytes
[  4]   8.00-9.00   sec  2.82 MBytes  23.7 Mbits/sec   20   27.9 KBytes
[  4]   9.00-10.00  sec  2.82 MBytes  23.7 Mbits/sec   14   29.1 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  33.3 MBytes  27.9 Mbits/sec  246             sender
[  4]   0.00-10.00  sec  33.0 MBytes  27.7 Mbits/sec 
receiver

iperf Done.

As you can see, OpenVPN has very bad network throughput values,
compared to raw network values.

Configuration files, server:

$ cat /etc/openvpn/routers.conf

local 137.74.xxx.xxx
port 65535
proto udp4
dev tun0

fragment 1300
mssfix

ca routers-ca.crt
cert routers-server.crt
key routers-server.key
dh routers-dh2048.pem

server 172.31.254.0 255.255.255.0
client-to-client
topology subnet

route 172.17.99.0 255.255.255.0 172.31.254.1
route 172.17.100.0 255.255.255.0 172.31.254.1
route 172.17.101.0 255.255.255.0 172.31.254.1

client-config-dir client-config-dir-routers
ccd-exclusive

max-clients 252
keepalive 10 120

tls-auth routers-ta.key 0
opt-verify

user openvpn
group openvpn

persist-key
persist-tun

status /dev/null
log /dev/null
verb 0

$ cat /etc/openvpn/client-config-dir-routers/router1

ifconfig-push 172.31.254.101 255.255.255.0

iroute 172.17.99.0 255.255.255.0
iroute 172.17.100.0 255.255.255.0
iroute 172.17.101.0 255.255.255.0

Configuration file, client:

client
dev tun0
proto udp
remote vpn.example.com 65535
nobind

fragment 1300
mssfix

auth-nocache

ca router1-ca.crt
cert router1.crt
key router1.key

remote-cert-tls server
tls-auth router1-ta.key 1

user openvpn
group openvpn

persist-key
persist-tun

log /var/log/openvpn-router1.log
mute 20
verb 4

===============================================================

log fragment:

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 
ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Data Channel: using negotiated cipher 'AES-256-GCM'

Question: what is wrong with my OpenVPN configuration?

raw network throughput is 100 MBit/s,
OpenVPN network throughput is 27 MBit/s.

How I can make OpenVPN work more faster,
with OpenVPN network throughput like raw network throughput ?

Both client and server are not CPU bound, CPU load is 5%.

--
Best regards,
 Gena

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users