[Soekris] net4801 performance with OpenVPN
Fridtjof Busse
fbusse at gmx.de
Sat Jan 21 16:53:25 UTC 2006
* Nate Nielsen <nielsen-list at memberwebs.com>:
> OpenVPN does its processing in userland and each packet processed has
> numerous context switches. The processing path isn't optimized. All
> packet processing is serialized into one process.
I already thought about using in-kernel VPN, like isakmpd, but OpenVPN
is by far the easiest to set up, especially with different OS.
> OpenVPN has serialized encryption processing. Only one packet is
> processed at a time. A vpn1411 card will not help here. The overhead
> of going of a context switch into the kernel, sending to the card,
> interrupt generated by the card, processing, back out to userland, all
> that outweighs any performance gains.
Sounds like the suggestions in the archives about not using vpn14x for
userland-crypto were right.
> For comparison on the net4801 I've gotten a steady 7.5 Mbits on an
> IPSEC encrypted connection (running blowfish-cbc). Once I put in a
> vpn1411 (used aes-cbc) and added polling[1], that went up to 10Mbits.
>
> Note that all of the above is on FreeBSD 6.0. Perhaps other OS's will
> perform differently.
I was thinking of OpenBSD, but any *BSD is fine with me :)
> > The VIA C3 currently gives me ~ 9 MBit/s over 802.11g at 30% CPU
> > with OpenVPN (AES). Is the Soekris able to perform equally?
>
> Nope, not even close. This is a 486 class CPU we're talking about. Of
> course that has its uses, such as reliability, heat generation. In
> any case the numbers above all max out the CPU.
>
> From what I've heard the VIA also has AES on chip.
Yes, but not the old generation I'm running (it's not even small
formfactor). Nehemiah and above have this crypto-coprocessor.
> > Does anybody have numbers for OpenVPN over 802.11g or ethernet for a
> > net4801?
>
> Depending on the OS/driver, 802.11g will bog down the machine further.
That's what I was afraid of.
> Hope my rambling helps a bit. I've been working on these same
> performance issues a lot over the past months.
Thanks, that really helped me a lot!
Looks like I'll have to look for a Mini-ITX VIA system.
--
Fridtjof Busse
"Education is not my top priority --- education is my top priority."
George W. Bush
February 27, 2001
From a budget speech in Washington, D.C.