2

I am planning an new network. All the traffic coming out of this network will be fowarded into a VPN in order to exit out onto the Internet on a distant server. This will be done via OpenVPN. There will be only one tunnel.

We're looking at a very high speed Internet connection with a downstream speed of 100 Mbit/s and an upstream speed of 5 Mbit/s.

What sort of hardware will I need to support such speeds ? Are there any thumb rules for hardware sizing of OpenVPN servers ?

Will an atom board be sufficient ? What about an AMD Geode 800Mhz ?

Thank you in advance for your help,

Antoine Benkemoun
  • 7,314
  • 3
  • 41
  • 60

4 Answers4

4

I would guess an Atom CPU will handle 100mbit of OpenVPN traffic. Under load you might find an Atom will introduce a little more latency than a faster CPU but this will probably not be significant when considered against the latency of any long distant links you have between the server and the clients.

Some unscientific test results, running data between my netbook with an Atom CPU to a local OpenVPN server (over a 1000mbit network, but the netbook only has a 100Mbit NIC):

dspillett@minirant:~$ time dd if=/dev/zero bs=1024 count=1048576 | nc -q 0 192.168.43.1 3333
1048576+0 records in
1048576+0 records out
1073741824 bytes (1.1 GB) copied, 91.2072 s, 11.8 MB/s
real        1m31.227s
user        0m1.792s
sys         0m25.874s
dspillett@minirant:~$ 

dspillett@minirant:~$ time dd if=/dev/zero bs=1024 count=1048576 | nc -q 0 192.168.44.1 3333
1048576+0 records in
1048576+0 records out
1073741824 bytes (1.1 GB) copied, 113.082 s, 9.5 MB/s
real        1m53.107s
user        0m1.468s
sys         0m15.337s
dspillett@minirant:~$

where 192.168.43.1 is the server as seen just over the local network and 192.168.44.1 is the same machine as seen via an OpenVPN link over that network. The VPN is in bridged mode, using a UDP based connection.

htop showed the CPU being taxed more during the VPN test than the user+sys counts from time indicate because time is only counting dd's CPU activity not the VPN's. It showed cpu0 at ~70% and cpu1 at ~30% all through the test which would suggest the CPU is close to the limit it can transfer via OpenVPN in that test (that Atom was single core but with hyperthreading) - though it still managed to shuffle along at 9.5Mbyte/sec.

As an indication of the latency added by the VPN (which will be a combination of overheads from CPU work encrypting data and overhead from the tunnelling method), pinging with small (default, 56 byte payload) packets:

--- 192.168.43.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 8997ms
rtt min/avg/max/mdev = 0.138/0.166/0.183/0.015 ms
--- 192.168.44.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 8998ms
rtt min/avg/max/mdev = 0.544/0.614/0.860/0.091 ms

and larger (2048 byte payload) ones:

--- 192.168.43.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet los
rtt min/avg/max/mdev = 0.514/0.521/0.531/0.021 ms
--- 192.168.44.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9011ms
rtt min/avg/max/mdev = 0.710/0.997/1.437/0.173 ms

Obviously you'll get different results with the VPN handling multiple connections exhibiting real-world traffic patterns, so you might want to perform some more detailed tests yourself. You might be able to squeeze more out with some tweaking - my OpenVPN set is pretty much running on out-of-the box defaults.

David Spillett
  • 22,534
  • 42
  • 66
2

I'm not aware of any published benchmarks other than some informal tests a few people have run and posted to their web sites. Anecdotally, the crypto code (OpenSSL) doesn't seem to be the most optimized in the world but it doesn't seem to be a pig either. An easy benchmark for you would be to setup an OpenVPN server and client on a couple PCs on a LAN and time moving some traffic across them while watching CPU load on both.

I can tell you that I'm able to saturate an 802.11g link operating at 54Mbps with encrypted traffic without max'ing out the CPU on a junk Pentium II 400Mhz machine that is the OpenVPN server on my home LAN. That makes me think that the Geode could probably do it, too.

OpenSSL (and therefore OpenVPN) supports some hardware offload solutions, too. A low-end solution is the Via "padlock", included in some Via chipsets. That might also be a way to keep your CPU requirements low. See:

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
1

I have set-up 2 OpenVPN servers and both working fine, I have made 3 clients for each and they ssem to,be cooping fine.

One is based on RasPi 3 with 32Gb very fast Micro SD and additional 32Gb USB key, so far so good.

The other one is a laptop with 4Gb Ram and 500Gb HD running UBUNTU, this one is working also fine.

My conclusion is this; if you don't have a lot of client in my case 3, you really don't need a lot of number crunching beast therefore very little cost in setting it up.

My Internet download speed is 60Mb/s and upload speed is 16 Mb/s, that is why I have 3 clients, i.e. ~ 5Mb/s each.

Cheers

Siamak

Siamak
  • 11
  • 1
0

I would recommend a VIA Nano. With a via VIA Nano L2200 @ 1600MHz I am able to push 330 Mbits. The VIA nano is in the same price-range as the Atom and has hardware AES support. To get performance like this you will need to change from blowfish from AES and add the following to openssl.conf:

openssl_conf = openssl_def
[openssl_def]
engines = openssl_engines
[openssl_engines]
padlock = padlock_engine
[padlock_engine]
default_algorithms = ALL

Here is a link to an example of a mobo/CPU combo: http://www.via-itx.com/via-vb8001.html