OpenVPN CPU utilisation and performance

I've just got OpenVPN running on my BT HomeHub 5A. Looks like there are two processors on the box as TOP is reporting overall 44% CPU while OpenVPN is showing about 90% CPU.

Speedtest.net shows only 7.4Mbps as compared to about 53Mbps when the VPN is turned off.

Is this to be expected? I'm not doing MASSIVE data transfer. I'm using AES-128-CBC.

Thanks
Dave

Yes, low-end routers do not fare well with OpenVPN.
High-end ARM (1,5GHz+) can do about 100mbps; for more you need a real PC/server.

Maybe WireGuard does better?

Mayhap it does, but my VPN provider (PrivateInternetAccess) doesn't talk WireGuard so that's a pretty academic consideration.

Dave

If there is a HW crypto engine, it should decrease the CPU cost to a low level.

Take a look here: https://justus.berlin/2016/02/performance-of-tunneling-methods-in-openwrt/

Basically there are in-kernel VPNs like L2TP, IPIP and tun/tap device VPNs.

OpenVPN uses the tun device and this causes context switches, and the encryption is not offloaded to hardware on most machines because the vendors don't release GPL drivers for their crypto engines, if they exist at all.

You could try wireguard.io - that uses fast modern crypto that is also quite fast on MIPS and is an in-kernel VPN.

On their mailing list they reported up to 60mbit/s on a 841N TP-Link router - so this might work for you.

I'd love to use that, but my VPN provider (Private Internet Access) doesn't support it.

Dave

The datasheet from Lantiq for the chipset used in the HH5A says there's a "Data Encryption Unit for IPSec". The question then becomes does LEDE for the HH5A support that embedded crypto engine, or if it's OpenVPN that needs to do so whether that supports it.

Dave
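An added example, not part of any post in this thread: one way to see whether the running kernel has registered anything other than the software implementation of `cbc(aes)` is to read `/proc/crypto`. The sample table and the driver name `example-hw-cbc-aes` are constructed placeholders, and the "generic" name check is a heuristic assumption. This only shows what the kernel has registered; OpenVPN does its crypto in userspace, so its crypto library still needs an engine to reach a kernel driver.

```shell
#!/bin/sh
# List the kernel crypto API implementations registered for one algorithm,
# highest priority first (the kernel prefers the highest-priority driver).
# Reads text in /proc/crypto format on stdin; prints "priority driver async".
list_impls() {
    awk -F '[ \t]*:[ \t]*' -v alg="$1" '
        function flush() {
            if (name == alg) print prio, driver, async
            name = ""; driver = ""; async = ""; prio = 0
        }
        $1 == "name"     { flush(); name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" { prio = $2 }
        $1 == "async"    { async = $2 }
        END { flush() }
    ' | sort -rn
}

# Heuristic (assumption): a driver whose name contains "generic" is the
# portable C implementation, i.e. no offload exists for that algorithm.
# Returns 0 when no other implementation is registered.
software_only() {
    ! list_impls "$1" | awk '{ print $2 }' | grep -qv generic
}

# Constructed sample in /proc/crypto format (not output from a real HH5A).
SAMPLE=$(cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100
async        : no

name         : sha256
driver       : sha256-generic
priority     : 100

name         : cbc(aes)
driver       : example-hw-cbc-aes
priority     : 400
async        : yes
EOF
)

# On the router itself: list_impls 'cbc(aes)' < /proc/crypto
printf '%s\n' "$SAMPLE" | list_impls 'cbc(aes)'
```

If `software_only 'cbc(aes)' < /proc/crypto` succeeds on the router, the kernel has no alternative driver loaded and the question of OpenVPN using it does not arise.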

I have the same router but OpenVPN is able to pull 10Mbps for me. I actually use a stronger cipher, AES-256-CBC.