OpenVPN performance

Maybe somebody can clear up a bit of confusion for me.

I notice in the PrivateTunnel configurations that a single client configuration allows connection to multiple servers. That is, both TCP and UDP, and - I think - even multiple URLs. (Sorry, I don't have it in front of me.)

I understand that we have to run two servers if we want to support both UDP and TCP. But then I have to have two profiles on my device and choose one or the other.

Is there some way to have the sort of set-up that PrivateTunnel uses, so that the user doesn't have to select one?

Thanks for the info - I'll switch my UDP server from 2 to 1 and see what I get on my AC87.
 
What is your upstream speed at both ends? Your tunnel performance will be limited to the slowest of the two (between down and upstream). If downstream is 80 Mbps but upstream is only 20 Mbps, then the bi-directional performance will be limited to 20 Mbps.

..................The speed is also limited by the upstream speed of your Internet connection, which is typically quite slower than the downstream.

Thanks for all the great info on this site, first of all, but this is my first actual post here, so......

RMerlin,

I see you've mentioned this a couple times and I am beginning to think this is what my problem is. I have Oceanic TWC Extreme internet (30 down/5 up) here in HI on the OpenVPN client side using an Asus AC66U. I have my OpenVPN server running on an Asus AC56U at my parent's house outside Philly using Comcast's Blast internet at 100 down, 20 up.

I am trying to use things like my TiVo and Slingbox there at the server location as if it's on the same subnet so I can transfer the video files, etc. I am also playing around with using Playstation Vue service (only in NYC, Chicago and Philly) so I can watch my Philly sports teams on Comcast SportsNet Philadelphia (since DirecTV STILL doesn't offer this regional sports channel for some un-Godly reason!)

When I connect to the Vue service on my PS3 (after connecting the VPN to there of course) it does see the IP address at my parent's home within the Philly DMA, which is good, so it gives me the service and I can watch the channel lineup from there, which I love. The issue is, my connection is real slow, as others have mentioned. I use a TAP/UDP server and when I do a speedtest.net I can get it to about 7 down and 2.5 up, but while watching Vue channels I can see that it's a little fuzzy and not quite the "HD" they tout it can be. If you hit the R3 button on the remote/gamepad it brings up a small dialog on screen showing the bitrate and resolution it's currently playing at. Mine only shows the resolution as 856x540 and a bitrate that seems very consistent at 1.650 mbps.

This seems to support you saying that it's tied to the lowest of the parameters for upload, which in my case is 5 mbps. I called TWC and tried going with a higher upload speed, but they don't offer any higher, at least until Aug when they upgrade my island.

The question I have is, when I am "downloading" the Vue online cable service to watch their video channels, why would my "upload" speed here matter? Wouldn't it be my upload speed at my server site (in PA which has 20 mbps upload) that would be used since the Vue video would be downloaded there to my server, then re-uploaded from the server at 20 mbps to me here in HI?

Thanks in advance for ANY help anyone can provide! :)
 
Your parent's upload is what would matter here in your usage scenario. They will download stuff at 100 Mbits, send it to you at 20 Mbits (the slowest between their upload and your download). You wouldn't be sending much to your parent in such a scenario.
 
Your parent's upload is what would matter here in your usage scenario. They will download stuff at 100 Mbits, send it to you at 20 Mbits (the slowest between their upload and your download). You wouldn't be sending much to your parent in such a scenario.

Thanks RMerlin! That's what I thought. So in what scenario are you talking about where you're saying it's limited to the lowest of the upload speeds?

Also, if I am "supposed" to be getting up to 20 Mbps here, why am I not? I saw here some saying that Comcast may be throttling the bandwidth. That's actually what I thought was going on before I ever saw this due to how my Slingbox streams have been acting. I've done lots of testing that seems to point to throttling by Comcast. One sign is that every single time I set up a new sling signal I get the full bitrate the first time I connect out of the home (6-8 Mbps), but EVERY time thereafter I watch it initially jump to about 6-8 and then start lowering down to about 3.1 Mbps and then it stays at that level forever more until I do another full reset and redo setup like it's new again. Wash, rinse, repeat!

How can I find out if I have my VPN speed optimized and to ensure it's not throttling though?
 
Thanks RMerlin! That's what I thought. So in what scenario are you talking about where you're saying it's limited to the lowest of the upload speeds?

In a scenario where you transfer data in both directions.

How can I find out if I have my VPN speed optimized and to ensure it's not throttling though?

Search these forums, there's been various posts from users on how to optimize OpenVPN performance.
 
I'm running RT-AC68U w/378.52_2 firmware and can't seem to solve my speed drop when I turn on OpenVPN using my PrivateInternetAccess account.

With VPN turned off:
[image: 4301655398.png]

With VPN turned on:
[image: 4301647597.png]

Here are my settings, wonder what might need changes or added. The only thing I'm unsure of is "Create NAT on Tunnel" and how to set that up manually?

[image: ZP6KYte.png]
 
In a scenario where you transfer data in both directions.



Search these forums, there's been various posts from users on how to optimize OpenVPN performance.

Thanks again! I've been searching and trying different things for about a month now and this is the best I can get so far. That's why when I saw your lowest upload speed comments it made me sit up and take notice. I see so many people ask the same question but every thread I've seen only has small, short, disjointed answers, if any answers at all. I've even seen the same person keep coming back in the thread repeatedly asking and no one answering. Maybe there should be a clear and concise sticky post that walks through each and every step, explains what it does and what is the recommended setting for a few common connection scenarios?

I have seen and I am sure there are a few here that have used two Asus routers to create a site to site VPN connection that makes the distant networks seem as one with optimal speed and stability, so maybe a layman's guide or thread of what these people have setup and what works best?

I'm pretty new to this, so speaking for myself and I'm sure many others that come here, we need a "For Dummies" guide! :p
 
I don't use any tunnel provider services (I use the free VPNbook service for doing testing/debugging), so I can't help with performance tune up, sorry. I only use the server to connect back home while I'm at work, and performance is fine for my needs - I never actually measured it.
 
I'm running RT-AC68U w/378.52_2 firmware and can't seem to solve my speed drop when I turn on OpenVPN using my PrivateInternetAccess account.

There are no magic settings. Don't mess with the "create NAT on tunnel", that's not going to be the magic setting. :)

Have you tried different servers, protocols, and ports? Truth is, Time Warner is probably throttling openvpn. With no throttling I think you can expect 20 megabits/sec with an AC68 on PIA at stock CPU clock rates. Be sure to use openvpn client 1 in that firmware version as that will put the openvpn task on core 2.
 
.............Have you tried different servers, protocols, and ports? Truth is, Time Warner is probably throttling openvpn. With no throttling I think you can expect 20 megabits/sec with an AC68 on PIA at stock CPU clock rates. Be sure to use openvpn client 1 in that firmware version as that will put the openvpn task on core 2.

Well that is interesting. I have Time Warner on my end and Comcast at my server end (parent's house). I always just assumed the throttling was on their end with Comcast. Would TWC throttle the download, as in my case, or just uploads from the server if it senses one?

I did the tests that were mentioned earlier in this thread to see if I was being throttled, but the tests said I wasn't. I'm not sure how accurate or reliable they are though?
 
The plot thickens! I downloaded the OpenVPN Windows GUI here on my work PC where we have Time Warner Business Internet (instead of consumer like at my Home) and I connected to my server in PA via Comcast and I am getting about 13-14 Mbps download, whereas on my home I've only gotten 6-7 max but usually 3-4Mbps. I wonder if they are throttling consumer internet that's using OVPN?
 
I am amazed you got 20mbps.

My ac66 gives me 6mbps to an american server endpoint. (not tried any other closer endpoint)

Usually I can get speeds well above that on other protocols but not with openvpn. It is most definitely not due to cpu bottlenecking, I suspect openvpn isn't managing to use a large rwin buffer.

I then ran some tests with tinc between the ac66 (installed from entware) and the same server and got 60mbps. So I think openvpn has limitations.
 
Any updates? I have the same problem with the OpenVPN server running on my ac68u, latest Merlin firmware. Using a 100/100mbps connection on both sides I get approx. 25mbps speed, one CPU core is at 60% and the second is at 0% usage.

I did a test to make sure it's not a bandwidth problem: OpenVPN server running on Debian = approx. 60mbps speed (limited by the cpu core running at almost 100%)

Tested on my AC56U running OpenVpn server with a WAN up 100Mbps/down 100Mbps. Client external to LAN, raw 89Mbps/91Mbps. With OpenVpn 8Mbps / 13Mbps.

Apparently AC56U CPU is NOT the bottleneck. Plenty idle cycles are there. Let's figure out something..
 
Tested on my AC56U running OpenVpn server with a WAN up 100Mbps/down 100Mbps. Client external to LAN, raw 89Mbps/91Mbps. With OpenVpn 8Mbps / 13Mbps.

Apparently AC56U CPU is NOT the bottleneck. Plenty idle cycles are there. Let's figure out something..

I have the same model and exactly the same situation (almost identical speeds as well, which I guess makes sense given the situation). Can push 100mbit on my FX8350 w/ AES extensions, so it's definitely not the endpoint.
 
I have the same model and exactly the same situation (almost identical speeds as well, which I guess makes sense given the situation). Can push 100mbit on my FX8350 w/ AES extensions, so it's definitely not the endpoint.

Crap! Now I got 38Mbps down 16Mbps up. You won't believe what I did to make it happen.
 
Crap! Now I got 38Mbps down 16Mbps up. You won't believe what I did to make it happen.

Okay, I'll bite. What?
 
Okay, I'll bite. What?

I grabbed the low hanging fruit by setting "Hardware NAT" to Disable. Seems to me TUN device and Broadcom's CTF module not only cannot get along in the little kernel but get into intense litigation. My tests done on 378.55

People having a similar performance issue may give it a try. Please provide feedback on your results. I would like to hear if you observe the same, in particular
  1. OpenVPN server throughput is much lower when "Hardware NAT" is set to Auto
  2. CPU utilisation is much higher (mostly by SIRQ up to 90%) when "Hardware NAT" is set to Auto (and the Tools page indicates it's indeed enabled).
EDIT: A better way to show CPU utilisation is to telnet/ssh/putty into Asus, type "top -d1" and then press "1". Please report both CPU0 & CPU 1 utilization at the top of the screen.
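
The per-core figures requested in the post above (CPU0 and CPU1, with the SIRQ share) can also be captured non-interactively from /proc/stat, which makes before/after comparisons of the "Hardware NAT" setting easier to record. This is an added example, not part of the original post; the function names, the /tmp paths and the sample numbers in demo are constructed assumptions.

```shell
#!/bin/sh
# cpu_delta BEFORE AFTER
# Per-core busy% and softirq% between two saved copies of /proc/stat.
cpu_delta() {
    awk '
    /^cpu[0-9]/ {                  # per-core lines only, skip the aggregate "cpu" line
        # $2 user $3 nice $4 system $5 idle $6 iowait $7 irq $8 softirq $9 steal
        total = $2 + $3 + $4 + $5 + $6 + $7 + $8 + $9
        idle  = $5 + $6
        if (NR == FNR) {           # first file: store the baseline counters
            t0[$1] = total; i0[$1] = idle; s0[$1] = $8
            next
        }
        dt = total - t0[$1]
        if (dt <= 0) next          # no ticks elapsed, nothing to report
        printf "%s busy=%.0f%% sirq=%.0f%%\n", $1,
            100 * (dt - (idle - i0[$1])) / dt,
            100 * ($8 - s0[$1]) / dt
    }' "$1" "$2"
}

# cpu_sample [SECONDS]: snapshot the live counters twice while a transfer
# runs through the tunnel, then report the difference (default 5 seconds).
cpu_sample() {
    cat /proc/stat > /tmp/stat.before
    sleep "${1:-5}"
    cat /proc/stat > /tmp/stat.after
    cpu_delta /tmp/stat.before /tmp/stat.after
}

# Constructed sample data (not measurements from this thread): one core
# spending most of the interval in softirq, the other almost idle.
demo() {
    d=$(mktemp -d)
    cat > "$d/before" <<'EOF'
cpu  1200 0 600 17700 0 0 500 0
cpu0 1000 0 500 8000 0 0 500 0
cpu1 200 0 100 9700 0 0 0 0
EOF
    cat > "$d/after" <<'EOF'
cpu  1203 0 607 17808 0 2 580 0
cpu0 1002 0 506 8010 0 2 580 0
cpu1 201 0 101 9798 0 0 0 0
EOF
    cpu_delta "$d/before" "$d/after"
    rm -rf "$d"
}
```

Run `cpu_sample 10` once with "Hardware NAT" on Auto and once with it disabled, restarting client and server in between, and compare the sirq column for each core.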
 
Made no difference for me - same speed on both settings. What encryption cipher are you using? I'm on AES-256-CBC, I'm wondering if it's just a computational bottleneck of the CPU.
 
Made no difference for me - same speed on both settings. What encryption cipher are you using? I'm on AES-256-CBC, I'm wondering if it's just a computational bottleneck of the CPU.

Basic settings pretty much all defaults for me. I'm using BF-CBC. CPU0 utilization about 90% with HW NAT enabled. Only 40% with HW NAT disabled. What do u get?

It took me more than an hour to consistently reproduce the numbers and point the finger at CTF. There are too many variables that need to be under control. Both client and server better restart from a clean state after changing one variable eg.
 
