
My small ALIX machine is not coping with the new demand for OpenVPN throughput I have. So I'm looking to replace it. Problem is, I don't have any experience with hardware sizing for OpenVPN. I'm looking for something that satisfies this profile:

  • = 100Mbit/sec Throughput
  • Cipher either AES-128-CBC or AES-256-CBC or Blowfish
  • Small power footprint

I've been looking into pairing a small Atom single-core with a PCI GigE nic, but have my doubts.

What works for you? What can you recommend?

Any answers like "I get x Mbit/sec with this rig" also very much appreciated to get a feeling for it.

Thanks in advance.

leto (question edited by EEAA)
    What OS? If the OS supports crypto acceleration boards then this Soekris board will allow an Alix to push most of that connection: http://soekris.com/vpn1401.htm You'd still be limited to the 100Mbit connections (and the nic-chips on the Alix have a hard time saturating the connection). – Chris S Oct 10 '10 at 14:49
  • That's what I thought *grin* Bought a vpn1411 for my Alix 2D3, put "engine cryptodev" in OpenVPN config and "cipher AES-128-CBC" and ... 10 Mbit/sec. To be honest I think this hardware acceleration sucks on ALIX because of Interrupt latency. Some other folks confirmed that. But maybe we all miss something? EDIT: I'm on OpenBSD 4.6 i386 – leto Oct 10 '10 at 14:52
  • @leto - from the FAQ: "If you are not comfortable with the idea of your questions and answers being edited by other trusted users, this may not be the site for you." My edits were for grammar, proper capitalization, and setting the proper form of "horsepower", which is supposed to be one word. As the FAQ said, if you're not comfortable with others editing your questions/answers, then you may want to go elsewhere. – EEAA Oct 10 '10 at 15:08
  • I didn't see any difference. Sorry for that, I normally also correct errors of people, I promise to be better next time. I'm kind of new here. Will check out the FAQ now. – leto Oct 10 '10 at 15:12
  • No problem, just making sure you were brought up to speed on how things go around here. Welcome! – EEAA Oct 10 '10 at 15:14
  • How many concurrent VPN connections? These primarily road warriors? – gravyface Oct 10 '10 at 15:17
  • The setup looks like this: (home network)<--GigE-->(openvpn router)<--100Mbit-->(Internet)<-->(dedicated server). It's to get a static IP at home, so we're talking about one connection, the router acting as a client. Maybe three connections maximum in the foreseeable future, but that would be the worst case. The client is on a dynamic IP, so yes, a road warrior. – leto Oct 10 '10 at 15:18
  • @Leto, I've had an Alix2C10 (2D3 w/o some pins) with the LX700, VPN1411, FreeBSD 8.1, IPSec AES 128 CBC did about 40Mbps (lightning got it). A friend has a similar setup and it does 60Mbps. I've heard of problems in the past with software not using the hardware, possibly the case here? Or maybe the 2D3 has issues I'm not aware of, do you have any links to more info? – Chris S Oct 12 '10 at 01:56

2 Answers


Getting 100 Mbps throughput is easy, getting much more than 300 Mbps throughput is very hard (on Linux). This is due to the 'tun'/'tap' design in the Linux kernel.

Also, the Blowfish algorithm is largely clock-speed bound, as I've found out when comparing hardware that ranged from brand-new to 8 years old.

AES128 and AES256 might benefit from Intel's AES-NI patch which seems to speed things up even on non-AES-NI capable hardware.

Anything running more than 800 MHz should be fine to get 100 Mbps throughput, with decent GigE cards (intel, broadcom, etc).

janjust
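The answer above gives a CPU rule of thumb but no way to verify it on the box you are about to buy. The script below is an added example, not code from the thread or from OpenVPN: it runs OpenSSL's own cipher benchmark (OpenVPN uses OpenSSL for the data channel), converts the result into Mbit/s and compares it with the 100 Mbit/s target. `openssl speed`, `openssl engine -c` and `openvpn --show-engines` are real commands; the output parsing, the cipher list and the 3x headroom rule are my assumptions, the headroom being there because the raw cipher figure ignores the per-packet HMAC, tun/tap copies and interrupt load the answers mention.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a candidate box can
# encrypt 100 Mbit/s with OpenVPN's crypto library (OpenSSL).
# "openssl speed", "openssl engine -c" and "openvpn --show-engines" are real
# commands; the parsing, the 3x headroom rule and the cipher list are my own.

TARGET_MBPS=100

# openssl speed prints "1000s of bytes per second" per block size with a
# trailing 'k'.  Field 6 is the 8192-byte column (name,16,64,256,1024,8192,...),
# the closest to a full-size tunnel packet.  Mbit/s = kB/s * 8 / 1000.
speed_line_to_mbps() {
    printf '%s\n' "$1" | awk '{ v = $6; sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# The raw cipher number is optimistic: OpenVPN also HMACs every packet, copies
# it through tun/tap and pays per-packet syscall and interrupt cost.
# Assumption: demand at least 3x the target from the bare cipher.  0 = ok, 1 = no.
has_headroom() {
    [ "$1" -ge $(( $2 * 3 )) ]
}

# Run the ciphers named in the question on this machine (a few seconds each).
benchmark() {
    for c in aes-128-cbc aes-256-cbc bf-cbc; do
        line=$(openssl speed -elapsed -evp "$c" 2>/dev/null | grep "^$c")
        if [ -z "$line" ]; then
            printf '%-12s not available in this OpenSSL build\n' "$c"
            continue
        fi
        mbps=$(speed_line_to_mbps "$line")
        if has_headroom "$mbps" "$TARGET_MBPS"; then v=ok; else v="too slow"; fi
        printf '%-12s %6d Mbit/s raw cipher -> %s for a %d Mbit/s tunnel\n' \
            "$c" "$mbps" "$v" "$TARGET_MBPS"
    done
    # Hardware engines (e.g. VIA PadLock or cryptodev) that OpenVPN could
    # select with "engine <name>" in its config, if any are present:
    openssl engine -c 2>/dev/null
    openvpn --show-engines 2>/dev/null || echo "openvpn not installed"
}

case "${1:-}" in run) benchmark ;; esac
```

Run it as `sh bench.sh run` on the candidate hardware. If a cipher shows up as "too slow" while `openssl engine -c` lists a hardware engine, the benchmark is measuring the software path; re-run with `openssl speed -engine <name> -elapsed -evp aes-128-cbc` to see what the engine itself delivers, which is the number that matters once `engine <name>` is in the OpenVPN config.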

You need at least:

  • decent GBit NICs. Cheap NICs generate too many interrupts per unit of traffic, which hogs the CPU.
  • when the machine doesn't do anything else, an 800 MHz to 1 GHz x86 (Atom) should do
  • look into a VIA CPU. They've integrated crypto, which lends itself very well to machines designated as VPN concentrators.
knitti
  • The basement junk yard says: Get a D510 Atom dual-core, I have the DDR2 memory, the Intel GbE desktop NIC (PCI) and some USB-Sticks for RAID1. It has interrupt moderation and TCP offload. The VIA mainboards are nice, no question. But after I've been burnt with interrupts and latency with the vpn1411 I guess I would like to try a software only solution. What do you think? Intel Atom + Intel 1000 GT? Greets – leto Oct 10 '10 at 16:19
  • I've been burned by vpn1411 too, the VIA C7/Eden CPUs are different, because the crypto is built into the CPU. Works great and, at least with OpenBSD, out-of-the box. – knitti Oct 10 '10 at 17:17
    Good to hear, they have a very amicable power footprint, AFAIK. What are you using exactly? I've read there are differences concerning Padlock features. What would you opt for? – leto Oct 10 '10 at 17:25
  • I've come across the J7F4K1G5S with a VIA C7 CPU (http://www.jetwaycomputer.com/spec/J7F4K1G5S.pdf). Might it possibly push 100Mbit/sec AES-128-CBC? Thanks in advance – leto Oct 10 '10 at 17:32
  • this looks almost like too much :-) I don't know how efficient OpenVPN is, but with a http://www.liantec.com/product/emboard/EMB-5730.htm (C7 500MHz) we did about 50-60 MBit IPSec (AES+SHA) with CPU utilization <15%, so I think you will be fine. – knitti Oct 10 '10 at 17:41
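Both the answer and the comments above come back to NIC interrupt load (cheap NICs interrupting per packet, the vpn1411 "interrupt latency" problem, the Intel NIC's interrupt moderation). The script below is an added example, not code from the thread: it measures interrupts per packet on a live interface, which is the quickest way to tell whether a NIC is coalescing interrupts or raising one per frame. It is Linux-specific (it reads `/proc/interrupts` and `/proc/net/dev`; on the OpenBSD box from the question `vmstat -i` and `netstat -i` expose the same counters, but their layout is not handled here). The interface names, the sample interval and the 0.5 interrupts-per-packet threshold are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: measure how many interrupts a NIC
# raises per packet, to tell a "cheap" NIC (about one interrupt per frame) from
# one doing interrupt moderation/coalescing.  Linux only, reads /proc/interrupts
# and /proc/net/dev; interface names, the sample interval and the 0.5 threshold
# are my own assumptions.

# Sum the per-CPU interrupt counters of every line whose device name starts
# with the interface (eth0, eth0-rx-0, eth0-TxRx-1 ...).  Input on stdin.
irq_total() {
    awk -v ifc="$1" '
        NR > 1 && index($NF, ifc) == 1 {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) { s += $i } else { break }
            }
        }
        END { print s + 0 }'
}

# RX + TX packets of the interface from /proc/net/dev (fields 3 and 11 after
# the "eth0:" label).  Input on stdin.
pkt_total() {
    awk -v ifc="$1:" '$1 == ifc { print $3 + $11 }'
}

# Interrupts per packet between two samples, as a decimal string ("n/a" if
# no packets were seen).  $1 $2 = interrupts before/after, $3 $4 = packets.
irq_per_packet() {
    awk -v i0="$1" -v i1="$2" -v p0="$3" -v p1="$4" \
        'BEGIN { d = p1 - p0; if (d <= 0) print "n/a"; else printf "%.2f\n", (i1 - i0) / d }'
}

# Sample a live interface for $2 seconds and print a verdict.
measure() {
    ifc=$1; secs=${2:-5}
    i0=$(irq_total "$ifc" < /proc/interrupts); p0=$(pkt_total "$ifc" < /proc/net/dev)
    sleep "$secs"
    i1=$(irq_total "$ifc" < /proc/interrupts); p1=$(pkt_total "$ifc" < /proc/net/dev)
    p0=${p0:-0}; p1=${p1:-0}
    r=$(irq_per_packet "$i0" "$i1" "$p0" "$p1")
    printf '%s: %d packets/s, %d interrupts/s, %s interrupts per packet\n' \
        "$ifc" "$(( (p1 - p0) / secs ))" "$(( (i1 - i0) / secs ))" "$r"
    # 100 Mbit/s of 1500-byte frames is roughly 8300 packets/s; a NIC that
    # interrupts once per packet at that rate is what hogs a slow CPU.
    # Assumed threshold: above 0.5 interrupts/packet means no useful moderation.
    awk -v r="$r" 'BEGIN { if (r != "n/a" && r > 0.5) print "  -> no interrupt moderation; expect high CPU load" }'
}

case "${1:-}" in measure) measure "${2:-eth0}" "${3:-5}" ;; esac
```

Run `sh irqcheck.sh measure eth0 5` while pushing traffic through the interface (an iperf run or a large file copy); an idle link gives "n/a". A ratio near 1.0 means every frame costs an interrupt and the CPU sizing from the answers above has to absorb that; a ratio well below 0.5 means coalescing or NAPI polling is working, which is the "interrupt moderation" the Intel desktop NIC in the comments provides.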