
Wanted: OpenVPN Benchmarker

Discussion in 'Tomato Firmware' started by lancethepants, Jun 4, 2013.

  1. lancethepants

    lancethepants Network Guru Member

    Since version 2.3.0, OpenVPN has supported PolarSSL as an alternative to OpenSSL. Initially it didn't seem that appealing to me because PolarSSL did not include the Blowfish cipher, OpenVPN's default cipher and that of many VPN services. Now that PolarSSL does have Blowfish, it seems like a viable alternative to OpenSSL.
    TomatoUSB recently has had some performance enhancements in the firmware, so I'm just curious how OpenSSL and PolarSSL stack up against each other.

    I've read on a few occasions of individuals maxing out their CPUs before they can max out the internet connection when using a VPN provider. If this is the case with you, perhaps you would like to humor me, and see if PolarSSL works any better. I don't have a fast enough internet connection to max out my CPU.

    It's really easy to use my binary with Tomato's existing OpenVPN server/client, available at
    http://lancethepants.com/files/

    Put the binary on your router, preferably in /jffs.
    I've placed it in /jffs/sbin/openvpn.

    Then in
    Administration -> Scripts -> Init
    place
    Code:
    /bin/mount --bind /jffs/sbin/openvpn /usr/sbin/openvpn
    or applicable to your binary location.

    Afterwards, reboot, and your OpenVPN Server/Client will start normally. You can look in the logs and you should see the OpenVPN version (latest as of writing this is 2.3.2).

    The following ciphers are supported with PolarSSL, though I imagine most stick to AES or Blowfish.

    AES-128-CBC 128 bit default key
    AES-192-CBC 192 bit default key
    AES-256-CBC 256 bit default key
    CAMELLIA-128-CBC 128 bit default key
    CAMELLIA-192-CBC 192 bit default key
    CAMELLIA-256-CBC 256 bit default key
    DES-CBC 64 bit default key
    DES-EDE-CBC 128 bit default key
    DES-EDE3-CBC 192 bit default key
    BF-CBC 128 bit default key
     

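A guarded version of the Init-script step from the post above, as an added example that is not part of the original post or the author's build script: it checks that the binary in /jffs is present, executable and matches a SHA-256 you pinned yourself before bind-mounting it over /usr/sbin/openvpn. The function names, the `openvpn-swap` log tag and the placeholder hash are assumptions, as is the availability of `sha256sum` and `logger` in the firmware's BusyBox.

```shell
#!/bin/sh
# Added example: verify a replacement OpenVPN binary before bind-mounting it
# over the firmware's copy. Paths follow the post; the pinned hash is a
# placeholder for the value you computed when you vetted the download.

NEW_BIN="/jffs/sbin/openvpn"
SYS_BIN="/usr/sbin/openvpn"
PINNED_SHA256="REPLACE_WITH_SHA256_OF_THE_BINARY_YOU_VETTED"   # placeholder

# Return 0 only if $1 is a regular, executable file (not a symlink)
# and its SHA-256 equals $2.
verify_binary() {
    file="$1"; want="$2"
    [ -f "$file" ] && [ ! -L "$file" ] && [ -x "$file" ] || return 1
    got=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Bind-mount only after verification; on any failure the stock binary
# stays in place, so the VPN still starts with the firmware's OpenVPN.
bind_if_verified() {
    new="$1"; sys="$2"; want="$3"
    if verify_binary "$new" "$want"; then
        /bin/mount --bind "$new" "$sys"
    else
        logger -t openvpn-swap "refusing to bind $new: missing, not executable, or hash mismatch" 2>/dev/null
        return 1
    fi
}

# In Administration -> Scripts -> Init, this call replaces the bare mount line:
# bind_if_verified "$NEW_BIN" "$SYS_BIN" "$PINNED_SHA256"
```

Because /jffs is writable flash, a changed or truncated file there fails the hash check at boot and the router falls back to the firmware's own OpenVPN instead of running an unvetted binary.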

  2. somms

    somms Network Guru Member

    [​IMG]
    Normal FTTH speed (not thru OpenVPN tunnel) on RT-N66U...


    [​IMG]
    Thru OpenVPN UDP TAP tunnel after installing your OpenVPN 2.3.2 binary...


    [​IMG]
    Following a reboot back on Shibby's Tomato OpenVPN 2.3.0 RT-N66U firmware thru OpenVPN tunnel UDP TAP...
     
  3. lancethepants

    lancethepants Network Guru Member

    Hmmmm, interesting results. Slower upload but faster download. Does your VPN provider provide more than ~11-12 Mb/s, or is that really what the RT-N66U maxes out at? I thought a router like that could do more, but maybe I'm wrong.
    Salt Lake City? I live in the Valley. Can't wait for Utopia.
     
  4. somms

    somms Network Guru Member

  5. phuque99

    phuque99 LI Guru Member

    You could recompile the kernel and the openvpn modules with "-march=" and "-mtune" that matches the SoC processor of your router. It should squeeze out more performance over the default MIPS32. If I'm not wrong, RT-N66U is 74Kc. Maybe you can try "-march=74kc -mtune=27kc" compiler flags. Running dmesg on your router should show you the actual architecture type.

    http://gcc.gnu.org/onlinedocs/gcc/MIPS-Options.html
     
  6. lancethepants

    lancethepants Network Guru Member

    RMerlin claims to have achieved 22Mb/s, which is a lot more impressive than 10Mb/s.
    I've compiled another binary using the 74kc parameter for testing, and uploaded it to my site.
    I've also attached the script used to compile it. I've been using -O3 which should work better than -Os for performance. I know this is what Shibby has used for his OpenSSL and OpenVPN compiling parameters. Maybe this will work a little better, though I'm going to guess only marginally.
     


  7. phuque99

    phuque99 LI Guru Member

    You then run the openssl benchmark (before and after) to see if anything improved. Just add all the crypto hashes that you're interested in / using:

    $ openssl speed sha256 sha512
     
  8. RMerlin

    RMerlin Network Guru Member

    My benchmarks were done by running iperf through a local tunnel, not through an Internet speed test, where performance can be affected by the specific settings used by your tunnel provider, your Internet connection, that provider's performance, etc...

    Here are my test results (and as an added bonus, the same test on the new RT-AC56U):


    Code:
    iperf -c 10.16.0.1 -M 1400 -N -l 64K -t 30
     
     
    === 3.0.0.4.270.24:
    AES-128-CBC [152]  0.0-30.0 sec  69.9 MBytes  19.5 Mbits/sec
     
     
    === 3.0.0.4.270.25 (with openvpn + openssl + lzo optim):
    AES-128-CBC [152]  0.0-30.0 sec  79.5 MBytes  22.2 Mbits/sec
     
     
    === 3.0.0.4.367.28 ARM (800 MHz):
    AES_128-CBC [156]  0.0-30.0 sec    217 MBytes  60.7 Mbits/sec
    The iperf server was running on the router itself
     
  9. RMerlin

    RMerlin Network Guru Member

    BTW, OpenSSL is heavily ASM-optimized (provided you either run 1.0.1, or have backported the 1.0.1 ASM code to 1.0.0, which is the route I took). I doubt you will get better performance out of PolarSSL personally.
     
  10. somms

    somms Network Guru Member

    Wow...the RT-AC56U appears to be much more of a workhorse compared to RT-N66U!;)
     
  11. RMerlin

    RMerlin Network Guru Member

    Dual-core 800 MHz ARM A9.
     
  12. lancethepants

    lancethepants Network Guru Member

    Hey RMerlin.
    I know that routing is quite a bottleneck for these devices.
    With WAN <-> LAN really slows things down (when not using stock firmware's fastnat or whatever it's called).
    Even VLAN <-> VLAN suffers from the same problem because of the routing slowdown.
    Would it then make any difference whether you conduct the test doing tun or tap?
    Tun is routing from one subnet to another, I guess tomato automatically sets up the firewall to handle this.
    So if you're running tun, would you then incur an additional performance penalty compared to running tap? Since tap is just a tap device attached to a bridge, would that avoid hitting the routing table?
     
  13. RMerlin

    RMerlin Network Guru Member


    Not sure, as I never played with TAP besides just making sure it worked. In theory I assume it might need better throughput, unless Linux's tap driver added some different type of overhead. Also, TAP implies having more traffic going through your tunnel, since all broadcasts/multicasts will also be going through it, so that will carry its own impact.

    Someone would have to do an actual test setup, having one computer on the WAN side and another on the LAN side, and test performance running ipset between both computers (note that my own tests had the ipset server running on the router itself, which probably took quite a few CPU cycles on its own, so a real PC to PC test would be more accurate).
     
  14. somms

    somms Network Guru Member

    [​IMG]

    Update: Now able to achieve @30Mb/s TAP UDP OpenVPN tunnel throughput using Shibby's tomato-R7000-ARM-119-VPN-64K flashed onto the Netgear R7000 functioning as OpenVPN server!;)
     
