Hi,
On 26/04/16 13:20, Dreetjeh D wrote:
Hello,
> openssl 1.0+ uses AESNI by default, unless explicitly left out during
> compilation. As openvpn uses libcrypto.so from openssl it will
> automagically pick up AESNI support or not.
> You can test whether openssl supports AESNI by running
> openssl speed -evp aes-256-cbc
> then run
> OPENSSL_ia32cap=0 openssl speed -evp aes-256-cbc
> and compare the results; on a Sandy Bridge server I get
>
> aes-256-cbc 265422.69k 278228.74k 281312.94k 282094.93k 282318.17k
> vs
> aes-256-cbc 42954.65k 46349.97k 47233.02k 114621.78k 115927.72k
>
Yes, I found OPENSSL_ia32cap=0 command yesterday and result shows
similar as you describe.
>
> similar to the openssl command you can disable AESNI in OpenVPN by
> running with the OPENSSL_ia32cap env var set to 0; performance will be
> determined by other factors as well, however. Again, on my SB server I
> get an iperf performance of 200 Mbps up/down over a gigabit link without
> any tuning. When I run
> OPENSSL_ia32cap=0 openvpn --config ....
> I get an iperf performance of ~ 192 Mbps up and down - so that's a 4 %
> loss. On a N3150 I'd expect the performance difference to be greater,
> however.
> When you increase the tun-mtu size (to e.g. 9000) the performance gap
> will widen.
>
A lot has been written but it's difficult to filter out correct info :)
Don't know if you looked at the forum thread:
https://forums.openvpn.net/viewtopic.php?f=23&t=21598
Then you can also see the config I'm using.
I'm testing the server with two clients (routed), iperf between the
clients.
And I'm wondering how the packets in server flow in that case, maybe
there is an extra encrypt and/or decrypt going on?
As soon as I have enough time, I want to test client-to-client too as
suggested by Traffic, see what that gives.

I had not seen that thread, but it's nice to see someone read the
Gigabit article I once wrote ;)
as for client-to-client: yes, an extra decrypt+encrypt is necessary, as
the encryption keys are derived for each client. Thus, with
client-to-client enabled the flow would be:
client1:tun --- internet ---- server:tun -> openvpn decr+encr ->
server:tun -------- internet ---- client2:tun
the biggest bottleneck in all this is the fact that packets are only
1500 bytes long - again, if you increase the tun-mtu to 9000 the
performance will go up.
It is also worthwhile adding
snd-buf 0
rcv-buf 0
to the Linux client and servers, as that can boost performance a little bit.
HTH,
JJK
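
Added example, not part of the original thread: a shell sketch that automates the comparison described above by running `openssl speed` with and without `OPENSSL_ia32cap=0`, then reporting the throughput ratio per block size. The function names and the 2.0 threshold are assumptions made for illustration; the sample lines are the two result lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Result lines quoted in the thread (Sandy Bridge), used here as sample input.
SAMPLE_AESNI='aes-256-cbc 265422.69k 278228.74k 281312.94k 282094.93k 282318.17k'
SAMPLE_NOAESNI='aes-256-cbc 42954.65k 46349.97k 47233.02k 114621.78k 115927.72k'

# speed_line CIPHER: read `openssl speed` output on stdin and print its result
# line for CIPHER. Case-insensitive (assumption: label case may vary by version).
speed_line() {
    awk -v c="$1" 'tolower($1) == tolower(c) && $2 ~ /k$/ { line = $0 }
                   END { if (line != "") print line }'
}

# speedup LINE_A LINE_B: print the LINE_A/LINE_B throughput ratio per block size.
speedup() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { n = NF; for (i = 2; i <= n; i++) { sub(/k$/, "", $i); a[i] = $i + 0 } }
        NR == 2 { for (i = 2; i <= n; i++) {
                      sub(/k$/, "", $i); b = $i + 0
                      printf "%s%.2f", (i > 2 ? " " : ""), (b > 0 ? a[i] / b : 0)
                  }
                  print "" }'
}

# accelerated RATIOS [THRESHOLD]: succeed if the smallest-block ratio reaches
# THRESHOLD. The default of 2.0 is an assumption, not a value from the thread.
accelerated() {
    echo "$1" | awk -v t="${2:-2.0}" '{ exit !($1 + 0 >= t + 0) }'
}

# run_compare [CIPHER]: run both benchmarks from the thread and report.
run_compare() {
    cipher=${1:-aes-256-cbc}
    with=$(openssl speed -evp "$cipher" 2>/dev/null | speed_line "$cipher")
    without=$(OPENSSL_ia32cap=0 openssl speed -evp "$cipher" 2>/dev/null | speed_line "$cipher")
    ratios=$(speedup "$with" "$without")
    echo "default:           $with"
    echo "OPENSSL_ia32cap=0: $without"
    echo "ratio per block size: $ratios"
    if accelerated "$ratios"; then echo "hardware AES appears to be in use"
    else echo "no clear speedup: libcrypto may not be using AESNI"; fi
}
```

Source the file and call `run_compare` on the host that runs OpenVPN; `speedup "$SAMPLE_AESNI" "$SAMPLE_NOAESNI"` reproduces the comparison for the figures quoted in the thread.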
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users