Hi,

On Sat, Aug 22, 2015 at 12:43:46PM -0700, joh...@fastmail.com wrote:
> > I'd claim that for ~20Mbit/s., your Atom CPU is fast enough to do
> > AES256 without saturating the CPU, so the cipher isn't the bottleneck.
> >
> > More likely the extra bytes and the extra delay introduced by OpenVPN
> > causing the 18M->15.5M slowdown.
>
> If the LOCAL-ROUTER machine is fast enough, and the cipher selection really
> doesn't make a difference, is there more to tweak here?

Jan Just has been wondering for years why OpenVPN is "slow", but he's talking about "getting only 600Mbit out of a Gbit link" or such :-) - so I do not think there is much more to tweak.

> 18M->15.5M is ~ a 14% slowdown. I don't know if that's as good as it gets or
> if more can be done.

If it was my link, I would be happy with that and focus on other things :-) - I'm not sure if more can be squeezed out. Network performance tuning is tricky.

> I've read about IPSEC being 'faster' than OpenVpn but then there's a lot of
> disagreement on that too. Plus the fact that I have even LESS of a clue
> about IPSEC :-/

IPSEC can go to higher speeds if done right because it's done in the kernel, so no "copy packet to userland process, encapsulate, copy it back to kernel space, send out" - but that's again talking about gbit ranges, not about ~20 Mbit/s

> I guess if there was hardware encryption in the loop, probably needed on both
> ends?, then that may improve.

Hardware encryption will reduce the CPU needed to achieve your throughput, but since the CPU is not 100% utilized, I don't think it will make it go faster. Bottleneck is not the CPU.

> 14% slower isn't horrible at all. But if you can get it to half that, why
> not?
>
> Is there still room to improve here?

I'm not sure. Different compression algorithms might help a bit - "none" reduces latency somewhat, "lz4" needs less CPU (--compress lz4, in git master versions, not in 2.3.x).

I admit I have not measured how much overhead OpenVPN creates in my use cases as it's not really relevant - "it works and protects my packets" :-) - so I leave this to jjk to comment on.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    g...@greenie.muc.de
fax: +49-89-35655025                 g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users