dolphs
Posts: 21
Joined: Mon Jan 06, 2014 11:57 am

oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sat Jun 10, 2017 1:04 pm

Hi - I like to have a permanent VPN connection between my two homes.

That is no longer an issue as I have openvpn 2.4.2 set up between two AESNI compatible boards and speeds are as expected, max bandwidth ( upload 30Mbit/s limit and download 100Mbit/s ) is used.

Also I managed to get satisfactory results between two RPi2 boards and openvpn2.4 ( both jessie and currently stretch ). Satisfactory meaning roughly 30Mbit both ways, which is more than convenient for streaming (U)HD as half of that would be just fine.

Yet I tried to move similar config to a RPiZero with Realtek 8152 LAN card ( ID 0bda:8152 Realtek Semiconductor Corp. ) and here it seems more tuning will be required if it will work at all ... My aim is to squish at least 20Mbit/s over VPN both ways.

The RPiZero shows currently following results ( below ) using iperf. It came to my attention whenever iperf starts to throw data in the VPN tunnel the openvpn process goes sky high ( 96% ), eg:

top - 15:00:27 up 42 min, 3 users, load average: 0.26, 0.10, 0.08
Tasks: 100 total, 2 running, 98 sleeping, 0 stopped, 0 zombie
%Cpu(s): 38.9 us, 23.2 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 37.9 si, 0.0 st
KiB Mem : 493252 total, 366508 free, 34804 used, 91940 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 403832 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

529 root 20 0 8224 4904 4280 R 95.9 1.0 1:40.77 /usr/sbin/openvpn --daemon ovpn-server --st+


This results in data transfers just below my requirements:

A/ server to client
---
root@rpivpn01:~# iperf -c 192.168.20.11 -t30 -P1
------------------------------------------------------------
Client connecting to 192.168.20.11, TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 3] local 10.8.0.1 port 52692 connected with 192.168.20.11 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.1 sec 45.9 MBytes 12.8 Mbits/sec


B/ client to server
---
root@rpivpn11:~# iperf -c 192.168.10.61 -t30 -P1
------------------------------------------------------------
Client connecting to 192.168.10.61, TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 3] local 10.8.0.2 port 53554 connected with 192.168.10.61 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.8 sec 54.8 MBytes 14.9 Mbits/sec


Fiddled around with some kernel settings already, mainly

- /proc/sys/net/core/rmem_max
- /proc/sys/net/core/wmem_max

- /proc/sys/net/ipv4/tcp_rmem
- /proc/sys/net/ipv4/tcp_wmem

But do not seem to manage squeezing the final bits so it will reach 20-25Mbit.
Anyone a hint to get this working on a RPiZero ?

TIA!

epoch1970
Posts: 5132
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sat Jun 10, 2017 1:36 pm

Perhaps an udp tunnel instead of tcp?
Then I'd try Blowfish instead of AES-128
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

dolphs
Posts: 21
Joined: Mon Jan 06, 2014 11:57 am

Re: oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sat Jun 10, 2017 1:46 pm

thanks for your response,

Changing the CIPHER to AES128 is still an option ( currently 256 ).
Meanwhile please find below the interesting parts of my openvpn.server file ...

dev tun
proto udp4
persist-key
persist-tun
txqueuelen 1000

server 10.8.0.0 255.255.255.0
topology subnet

route 192.168.20.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.10"

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
comp-lzo no
fast-io

tls-version-min 1.2
remote-cert-tls client
tls-auth /etc/openvpn/key/ta.key 0
cipher AES-256-CBC
auth SHA256

epoch1970
Posts: 5132
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sat Jun 10, 2017 4:10 pm

Are you really sure you need AES-256 ??
If that VPN is for personal use, BF is already enough.
If an attacker has the choice between trying to root one end of a VPN tunnel and dumping traffic then brute-forcing its way through the data, what will he/she try first?
(Answer: break a window and steal the SD ;)
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 26660
Joined: Sat Jul 30, 2011 7:41 pm

Re: oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sun Jun 11, 2017 6:45 am

The soc on the zero is single core 700mhz, the Pi 2 is quadcore 1ghz, is it simply a processor speed issue?
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

rpdom
Posts: 17173
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sun Jun 11, 2017 7:00 am

jamesh wrote: The soc on the zero is single core 700mhz, the Pi 2 is quadcore 1ghz, is it simply a processor speed issue?
[pedant]
The Pi0 runs at 700MHz when not loaded and ramps up to 1GHz when loaded.
The Pi2 runs at 600MHz when not loaded and ramps up to 900MHz when loaded.
(default settings, I just checked them on a couple of mine)

However the CPUs are very different as you say, and the Pi2 will outperform the Pi0 where any significant amount of CPU power is required.

dolphs
Posts: 21
Joined: Mon Jan 06, 2014 11:57 am

Re: oVPN 2.4 and RPiZ half o/t performance comparing to RPi2

Sun Jun 11, 2017 1:31 pm

hi - I agree rgd cpu power, forgot to mention both devices use the performance governor and RPi2 is " overclocked " to 1000MHz.

However in this case " ovpn " utilises openSSL and if " AES-256-CBC " is being used that's single threading regardless of what you have elsewhere. Might be worth considering " AES-256-GCM " as it should perform better with openvpn 2.4, but only if AESNI would have been implemented.

Then again I can fall back to 128 or even Blowfish just for testing purposes. So these are actually first things I am going to test next days on my Rpi0 when I have time and will report back. For now I attached the RPi2 outcome of bf-cbc, aes-128-cbc, aes-256-cbc ( and aes-256-gcm just for reference ) - will compare with the RPi0 ( and realtek 8152 adaptor )
rpi2.zip
thanks for your response, it is appreciated!
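
Added example, not written by any poster in this thread: a shell script that measures raw OpenSSL throughput on a board for the ciphers named above, plus SHA256 (the `auth` digest in the posted config), and reports the 1024-byte-block figure in Mbit/s so the Pi Zero and Pi 2 can be compared before the tunnel cipher is changed. The function names and the choice of the 1024-byte column are assumptions of this example, and the figures are an upper bound because OpenVPN also spends CPU on packet I/O (note the sy and si shares in the top output).

```sh
#!/bin/sh
# Added example: per-cipher OpenSSL throughput, reported in Mbit/s.

# Ciphers discussed in the thread plus the HMAC digest from the posted config.
# bf-cbc is included for comparison only: it has a 64-bit block, so SWEET32
# applies to long-lived tunnels that use it.
ALGOS="bf-cbc aes-128-cbc aes-256-cbc aes-256-gcm sha256"

# mbit_at_1024: read `openssl speed -evp` output on stdin and print the
# 1024-byte-block result as Mbit/s. openssl reports thousands of bytes per
# second with a "k" suffix; 1024 bytes is the block size closest to a
# tunnel packet.
mbit_at_1024() {
    awk '
        # Header row: "type 16 bytes 64 bytes ... 1024 bytes ...".
        # Each size takes two header fields but only one field in the data row.
        $1 == "type" {
            for (i = 2; i <= NF; i++) if ($i == "1024") col = i / 2 + 1
            next
        }
        # First data row after the header.
        col && NF >= col {
            v = $col
            sub(/k$/, "", v)
            printf "%.1f\n", v * 8 / 1000
            exit
        }
    '
}

# bench_all: run the benchmark for every algorithm and print one line each.
bench_all() {
    for a in $ALGOS; do
        r=$(openssl speed -evp "$a" 2>/dev/null | mbit_at_1024)
        printf '%-12s %8s Mbit/s\n' "$a" "${r:-n/a}"
    done
}

# The benchmark takes over a minute, so it only runs when asked to.
if [ "${1:-}" = "run" ]; then
    bench_all
fi
```

Run it with the argument `run` on each board. With a CBC cipher every packet is both encrypted and HMAC'd, so the sustainable rate is below both the cipher figure and the sha256 figure.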
