Preview: yet another dose of intro into the OpenVPN engine

[RMerlin]

Since implementing OpenVPN, I've spent quite some time trying to squeeze out more performance out of it. The 600 MHz MIPS processor in the N66/AC66 simply lacks the raw power to be able to achieve very high OpenVPN performance when going through a fast (30+ Mbits) Internet connection.

For historical interest, here are the results of past improvements. These are throughput rates measured by running an iperf server on the router, and an iperf client on the WAN side. The client and router were connected over an OpenVPN tunnel (over my LAN, so the Internet connection is not a factor - this is on a Gigabit LAN).

The tunnel is TUN-based, with AES-128-CBC as cipher.

Note that since I was running the iperf server on the router itself (for simplicity), these numbers might not be the true maximum speed you could reach through a tunnel. But as all tests were done with the same setup, the performance jumps are a valid reference.

Router is either an RT-AC66U or an RT-N66U (they should have the same performance).

Oldest test data I have in my notes:

=== 3.0.0.4.270.24:
AES-128-CBC [152]    0.0-30.0 sec  69.9 MBytes  19.5 Mbits/sec

With 270.25, I was compiling openssl + openvpn + lzo with -O3 compiler optimizations, and I also backported all the native ASM code from OpenSSL 1.0.1 into the 1.0.0 version used by Asuswrt.

=== 3.0.0.4.270.25 (with openvpn + openssl + lzo optim):
AES-128-CBC [152]  0.0-30.0 sec  79.5 MBytes  22.2 Mbits/sec

I lost track of other improvements occurring in the following releases (some could be from Asus themselves), but still some improvement in the latest public release:

=== 3.0.0.4.374_32:
AES-128-CBC             0.0-30.0 sec  84.8 MBytes  23.7 Mbits/sec

And now, the latest bit of nitro that got poured into the firmware:

=== 3.0.0.4.374.33_Alpha3
AES-128-CBC             0.0-30.1 sec  93.8 MBytes  26.1 Mbits/sec

This latest optimization done by the compiler is applied firmware-wide, so it might improve general performance of the whole router, not just OpenVPN.

So between 270.24 and 374.33, there's been quite some improvements, going from 19.5 Mbits/s to 26.1 Mbits/sec. Not bad

 

[Sky1111]

Thanks Merlin - when do you think we will see beta builds to try?
Rough ETA on 'production" version of these improvements?

(I think you already have a line-up of volunteers to test it for you )

 

[RMerlin]

Thanks Merlin - when do you think we will see beta builds to try?
Rough ETA on 'production" version of these improvements?

(I think you already have a line-up of volunteers to test it for you )

No idea. Slowly working on merging the latest AC56 GPL whenever I can find some time to work on it, and I have yet to merge new PControl patch in for testing.

Keep in mind these optimisations mentionned here are only for MIPS-based routers, they do not apply to ARM.

 

[netware5]

Hi RMerlin, did you check the OVPN performance with AES-256-CBC? I am very interested in the cipher length influence on the performance. My tests with www.speedtest.net show not more than 15 mbits.

 

[RMerlin]

Hi RMerlin, did you check the OVPN performance with AES-256-CBC? I am very interested in the cipher length influence on the performance. My tests with www.speedtest.net show not more than 15 mbits.

I didn't test it due to lack of time. Been quite busy lately, still trying to find enough free time to finalize merging the latest GPL code in.

 

[netware5]

I didn't test it due to lack of time. Been quite busy lately, still trying to find enough free time to finalize merging the latest GPL code in.

OK, I appreciate your efforts to maintain this wonderful firmware. If you perform any additional tests when you have time I'll be very grateful. BTW, I have installed 32GB Class 10 MicroSD card in my router. It works perfect and I managed to install Entware without any issues. Cheers!

 

[RMerlin]

The impact seems lower than I would have expected when jumping to AES-256-CBC. Results with the 33 alpha build:

[ ID] Interval       Transfer     Bandwidth
[152]  0.0-30.0 sec  92.3 MBytes  25.8 Mbits/sec

 

[TimothyM96]

Thanks for your hard work on this. I just setup OpenVPn and went from 60 down to 8 down.

Is there any beta builds out yet that incorporate these changes?

 

[RMerlin]

Thanks for your hard work on this. I just setup OpenVPn and went from 60 down to 8 down.

Is there any beta builds out yet that incorporate these changes?

Not yet.

Don't expect to get anywhere close to the original 60 tho. You should however be getting more than 8 Mbps already, depending on how you are set up. Is this a server or a client configuration? If it's a client, it might be tied to your tunnel provider's performance, the encryption used, the strength of the keys used, etc...

At best these improvements might get you from 8 to 9 or 10 Mbps, if the bottleneck is really your router.

 

[TimothyM96]

Thanks for the reply. I have it setup as a client, what is the different between that and server? I use StrongVPN if that helps.

 

[RMerlin]

Thanks for the reply. I have it setup as a client, what is the different between that and server? I use StrongVPN if that helps.

A server is when you are outside of home and want to connect back home, over a secure VPN tunnel. A client is when you want your home network to send all its outbound traffic through a tunnel provider.

See if StrongVPN offers different servers for your tunnel, maybe the one you are using is too far away or overloaded.

 

[TimothyM96]

Thanks. I just bought a different VPN provider and trying a different setup. Will report back.