OpenVPN performance tuning

Hey, I'm wondering if anyone has any tips on OpenVPN performance tuning. I've read the "OpenVPN very slow speed" and "OpenVPN performance" threads. Some useful data I picked up in my research is to run openvpn --show-ciphers to get a list of supported ciphers and openssl speed -evp aes-128-gcm, openssl speed -evp chacha20-poly1305, etc. to get baseline CPU performance numbers for them, and yes, the CPU on my router is pathetic, but that's not the whole story.

What I see in practice with OpenVPN is very roughly:

  • No VPN: 30Mbps (yes, my internet is also pathetic, which is why I haven't invested in a better router)
  • VPN direct from my laptop (any below cipher): 30Mbps (so the OpenVPN server isn't the bottleneck)
  • VPN from OpenWrt router, aes-256-gcm: 1Mbps
  • VPN from OpenWrt router, aes-128-gcm: 2Mbps
  • VPN from OpenWrt router, chacha20-poly1305: 3Mbps
  • VPN from OpenWrt router, no data encryption: 8Mbps

So yes, apparently it's partially choking on some other bottleneck, but what bottleneck? I have set option comp_lzo 'no'. The HMAC authentication? IDK. That's what I'd like some insight into. top shows ~33% idle CPU, which makes me think there's something else going on.

Btw OpenWrt is 21.02.2, it's all (client and server) OpenVPN 2.5.x, and I'm not tweaking any other performance options from the default client-side or running it differently between my laptop and OpenWrt configs. The router is an Archer C7 v2. I also have an AR150 and AR300M kicking around, but openssl speed still favors the C7. Thanks!
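The comparison the post above is making (raw cipher speed from openssl speed versus throughput seen through the tunnel) can be put in the same units with a small script. This is an added example, not part of the original post; the sample figures are constructed, and using the 1024-byte column as a stand-in for VPN-sized packets is an assumption.

```shell
#!/bin/sh
# Added example: convert `openssl speed -evp <cipher>` results to Mbit/s so
# they can be compared with throughput measured through the tunnel.

# speed_to_mbps [block_size]
# Reads openssl speed output on stdin and prints "<cipher> <Mbit/s>" for the
# requested block-size column (default 1024 bytes). openssl reports its
# figures in "k", meaning 1000s of bytes per second.
speed_to_mbps() {
    awk -v want="${1:-1024}" '
        $1 == "type" {                  # header: type 16 bytes 64 bytes ...
            for (i = 2; i < NF; i += 2)
                if ($i == want) col = i / 2 + 1
            next
        }
        col && $col ~ /k$/ {            # result row: name 1.00k 2.00k ...
            kbytes = $col
            sub(/k$/, "", kbytes)
            printf "%s %.1f\n", $1, kbytes * 1000 * 8 / 1000000
        }'
}

# tunnel_share <tunnel_mbps> <cipher_mbps>
# Prints the tunnel rate as a percentage of the raw cipher rate. A small
# value means the cipher itself is not what limits the tunnel.
tunnel_share() {
    awk -v t="$1" -v c="$2" 'BEGIN { printf "%.1f\n", 100 * t / c }'
}

# Constructed sample output (not measured on any real router).
SAMPLE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm       4100.00k     7200.00k     8900.00k     9500.00k     9700.00k     9750.00k'

# On a real device: openssl speed -evp aes-128-gcm 2>/dev/null | speed_to_mbps
printf '%s\n' "$SAMPLE" | speed_to_mbps 1024

# The 2Mbps aes-128-gcm tunnel figure from the post against the sample rate.
tunnel_share 2 76.0
```

openssl speed exercises only the cipher in a tight loop on one core, so the figure is an upper bound on what the tunnel could reach, not a prediction of it.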

Yup... change to WireGuard 😛

In all seriousness, while you may be able to get some suggestions here, OpenVPN is inherently very inefficient for low CPU power embedded devices like consumer routers.

If you are using a VPN service and it supports WG, or if you have control of the other endpoint and can add that support, it would be well worth it in terms of the performance improvements.


You don’t make it clear whether you have a personal server/client setup or a commercial one.
But I would say that the speed is mostly based on these combinations:
What is the client's and server's ability to do cryptographic acceleration?
What crypto solution do you use? TLS1.2 or 1.3?
RSA or EC?
RSA, how big keys?
Stream or block cipher?
ISP upstream and downstream speed?

With Apple products as clients and the EdgeRouter 4 as server with TLS1.2 RSA 2042, the max performance seems to be at 36Mbit, if the upstream and downstream speed of the connection can handle it or more.

Many forget that if you have your own VPN server the data goes the same amount in both ways on the same ISP connection, so download speed doesn’t do it. You need upload speed also.