OpenVPN performance

Hi, on my Omnia 5.1.4 I use OpenVPN. It works OK, but the performance is not the best. It reaches about half the speed of traffic without the VPN. Without the VPN I can download (copy) a file from the server at the full upload speed of the connection, around 50 Mb/s; copying the same file from the same server over the VPN runs at half that speed, about 25 Mb/s.

Is this something I have to live with because it is normal, or is there a possibility to tweak performance?

I tried tricks like changing the cipher, playing with compression (lzo, lz4-v2), and MTU changes, but these tricks do not make any change in speed.

Thanks

What is your internet connection? If it’s asynchronous (as many connections nowadays are), your upload speed may be half of your download.

The connection is asynchronous, but it's 350/40 Mb/s fibre on the server side; on the client there is 150 Mb/s download fibre. So download speed from the server uses the 40 Mb/s upload limit. Without VPN it even goes over this limit to 50 Mb/s, but with VPN it's 25 Mb/s max.

Thinking of it, compression should make no change unless the data are easily compressed. Have you tried without compression?

I tried all combinations of compression; it does not have any real effect. Does somebody have real experience and real test results?

I tried many different configuration options to optimize OpenVPN on Omnia. It is limited by single-thread use and user mode. The best I could manage with secure ciphers was a stable 99 Mbit/s in a testing environment with a direct Ethernet connection. If you want a maximum-performance VPN you should look into WireGuard (>500 Mbit). The next version, OpenVPN 2.5, now supports the PolyChaCha cipher for the data channel as well, which will probably improve performance significantly (hopefully in the next OpenWrt release).

I use this crypto on Omnia 5.1.2:

2020-12-14 18:04:56 SSL Handshake: CN=rwserver, TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256

2020-12-14 18:04:56 PROTOCOL OPTIONS:
cipher: AES-128-GCM
digest: NONE
compress: NONE

All the usual performance tweak options found if you google are not really useful on this system; I found only the fast-io option on the server useful.

I also got a WireGuard VPN server working on my Omnia, next to OpenVPN running on the same Omnia.

Simple data copy tests show better performance of WireGuard, but for my real scenario of a client-server app (desktop app on the client communicating with an SQL server via VPN) it has no benefit. Both WireGuard and OpenVPN have the exact same performance, meaning it's just slow. But it's probably a general problem of SQL communication's sensitivity to latency.

A benefit of OpenVPN is better support for a domain environment; I am missing a DOMAIN parameter in the WireGuard options, or I just don't know how to do it. Routing to the domain controller via WireGuard VPN is then not as good as via OpenVPN; here OpenVPN is the winner.

There is no need for using the compression option at all, just disable it. Also, active TLS can degrade the throughput (especially when you changed the cipher list and you have some more modern/robust ciphers in use). Aside from that, Ludus, Pakon, IDS (tools using Suricata to inspect packets) can slow down the traffic, as each packet is inspected on the fly and that requires some system resources. So also check the CPU utilization.

There is a pretty nice iperf testing example: https://community.openvpn.net/openvpn/wiki/PerformanceTestingOpenVPN
or: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
Some time ago I was using iperf to test several services (mainly testing ssh, ftp, vpn with and without compression, on the router (+lxc), wired and wireless networks):
Turris limited network throughput

Hi,
These tests are not relevant for my scenario. Technically, the VPN uses my server-side UPLOAD limits; that's not the problem in standard data copy scenarios.
My scenario is about SQL traffic in a client-server application in a domain environment. The tests in the link are normal tests, which do not cover my scenario at all.