VPN Performance on Marvell CPU

Turris Omnia
1

I see many topics asking about different types of VPN client configurations (and multiple VPN clients at one time) running on the router. Do we have any idea of the capability of the CPU and it’s ability over VPN? For example, my last router Netgear R7000 with a dual core 1.2Ghz (overclocked) ARM CPU was able to reach a maximum of 40-45Mbps download speed on a 125Mbps link over VPN.

Few things, VPN connection requires encryption, so is CPU heavy (Instruction sets? FPU?). OpenVPN is currently single threaded, so can only run on one core afaik, and you lose features like CTF.

Turris team, or others, care to comment? This is of big interest to me.

1 Like
2

You’ll probably be able to reach 100-110Mbps/s on a private link where you control both ends of the tunnel.
If using a public VPN service, I think you should expect 60-70Mbps doing a speedtest.
It’s mainly a Ghz story. I don’t think the crypto engine is going to improve those numbers by much, if at all, but it’s going to free your CPU to do other things.

Look for OpenVPN (not Openssl) speedtests using the Linksys WRT1200AC and WRT1900ACS. iperf benchmarks on the LAN are not going to give you what you seek.

3

Actually OpenVPN is quite slow, especially on embedded devices. This is generally because of not optimized kernel and userspace data transfers. You can speed it up by increasing MTU inside the tunnel, like
tun-mtu 9000
mssfix 0
It would use IP level fragmentation and you’ll get 2x or 3x speed up.

Just for comparison, I get 60-65 MBit/s with OpenVPN and default settings and 200-250 MBit/s with strongSwan (IPsec daemon) in kernel mode on an 4 core ARMv7.

4 Likes
4

Is there any idea yet about how well the crypto acceleration on the device will perform? I’m interested in VPN, HDD encryption, SSL and SSH.

5

Do you have a recipe for a site-to-site vpn between two oepnwrt/to devices?

6

I’ve tested the VPN performance on my Omnia (2GB) on 200/20Mbit line, the peak of the throughput is 4500KB/s in the download direction of the line (according to Total Commander, SMB protocol, no other than default services running on Omnia). I don’t think that Onmia can reach 100Mbit of OpenVPN traffic.

7

I have also the Turris Omnia 2GB Version. My Omnia is a Client in the ProtonVPN and i can Access the Internet with full speed around ~900 Mbps.

1 Like
8

Can you please create a how to topic on how to set up the protonvpn on turris? Thx

1 Like
9

he already did:
https://forum.test.turris.cz/t/resolved-openvpn-protonvpn-client-problem/4607
however there’s no way Omnia can do 900+mbps with openvpn - in his last post there is a speedtest with ~140mbps

10

Yes the test with ~140 was with my Laptop over WIFI and the other one was on my Desktop PC with Gigabit Lan.

11

again, there’s no way to get >150 mbps with openvpn running in turris omnia.
900+ means Intel i7 class CPU

12

You want a lifecast of my Testing? Or you want to say that the Speedtest.net is wrong? Or is something wrong with my Settings?

In the End i see me comming from ProtonVPN in the speed test. When i normaly go there it is from Init7.

13

Sorry, I meant a bit more step by step guide for someone who never setup the vpn in the turris before (maybe wasn’t patient enough) :slight_smile:

Just to make sure I understand those steps from the article mentioned above:
I just need to create a new config with data from ProtonVPN in there?
That’s it? You enable it there in LUCY? Where?

I am not trying to be lazy. Just don’t have enough time for testing without my wife trying to kill me for not being able to connect :slight_smile:

THX

14

No it’s a bit more then this. I will make a How-Two tonight.

You also need to Setup a Interfance and a Firewall Rule.

15

Awesome. thx
I think more than just myself will appreciate it.:thumbsup:

16

i believe there is something wrong with your sttings - like you have the vpn enabled in your desktop client

17

I don’t have a VPN Client on my Windows PC. Can it be that it fault to Encrypt on the Router and just past it threw?

18

you should do a traceroute to google

19

traceroute_test.png720×662 135 KB

vpn_speedtest.png923×1271 68.2 KB

20

Should be easy enough to use one of those “Check my IP” sites once while you think you are on the VPN from your desktop. Then disable your VPN, and check again.

I suspect you will have the same public facing IP, and you traffic is not routing through the tunnel.