On 04/28/2009 07:43:47 AM, Siim Põder wrote:
Hi

Karl O. Pinc wrote:
> So, I believe it's easy and cheap to add hardware
> to an OpenVPN box and create a situation where
> the kernel/userspace transition cost does matter.

It's easy and cheap if you add a second box or third. But if you are
approaching tens of openvpn boxes (at various locations) and you want to
maintain redundancy, it is not especially cheap nor is it especially
easy. Maintaining the system gets a bit trickier and simply relying on
ssh and grep doesn't cut it any more.

I believe you, but you lost me when it comes to the explanation.
What do ssh and grep have to do with adding a hardware encryption
card?  (I think maybe you're thinking I'm still talking about
additional boxes. Recap: My point was that hardware encryption seems
to involve kernel/userspace transitions too.)

Also our own tests show that using standard (i.e., not necessarily
optimized for routing) Opteron servers and Intel e1000, we can saturate
1G easily (with up to 300Kpps in one direction), with about 10% of a
single core working in softirq (50% if conntrack is in the picture).
However, with openvpn, we can go up to ~80 Kpps without encryption and
in that case, roughly half of the load goes into softirq and the other
half goes into userland. Most of the drop from 300 to 80 should be
wasted work.

Out of curiosity, did you test the scheduler per
the link supplied by James MacLean?
http://sourceforge.net/mailarchive/forum.php?thread_name=492DBF02.1070305%40ednet.ns.ca&forum_name=openvpn-devel

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
