OpenVPN: Real Speedup [DCO]

Post created January 30, 2025

We have a test bench of two servers connected via physical 10G ports.

Let’s see what iperf3 shows:

[  5]   0.00-1.00   sec  1.08 GBytes  9.29 Gbits/sec                  
[  5]   1.00-2.00   sec  1.08 GBytes  9.30 Gbits/sec                  
[  5]   2.00-3.00   sec  1.08 GBytes  9.29 Gbits/sec  

Now let’s put OpenVPN between the two and repeat iperf3:

[  5]   0.00-1.00   sec  82.0 MBytes   687 Mbits/sec                  
[  5]   1.00-2.00   sec  94.0 MBytes   789 Mbits/sec                  
[  5]   2.00-3.00   sec  96.4 MBytes   808 Mbits/sec                  

Now let’s enable DCO and check the speed again:

[  5]   0.00-1.00   sec   206 MBytes  1.73 Gbits/sec                  
[  5]   1.00-2.00   sec   227 MBytes  1.90 Gbits/sec                  
[  5]   2.00-3.00   sec   213 MBytes  1.79 Gbits/sec                  
[  5]   3.00-4.00   sec   159 MBytes  1.33 Gbits/sec                  
[  5]   4.00-5.00   sec   160 MBytes  1.35 Gbits/sec

What magic! What else can we do? If it’s a virtual environment, enable the AES+ option for the CPU and check again:

[  5]   0.00-1.00   sec   227 MBytes  1.90 Gbits/sec                  
[  5]   1.00-2.00   sec   238 MBytes  2.00 Gbits/sec                  
[  5]   2.00-3.00   sec   234 MBytes  1.96 Gbits/sec                  
[  5]   3.00-4.00   sec   233 MBytes  1.95 Gbits/sec    

Now the question you have is «HOW?» Let me show you a few steps and my config files!

On both sides (server and client):

apt install openvpn-dco-dkms
echo 'ovpn-dco-v2' >> /etc/modules-load.d/modules.conf

/etc/openvpn/client/test.conf

client
remote test1.srv.in 1194
dev tun
proto udp
persist-key
persist-tun
tls-client
script-security 2
cipher AES-256-GCM
auth SHA256
data-ciphers AES-256-GCM
auth-nocache
remote-cert-tls server

/etc/openvpn/server/server.conf

proto udp
port 1194
dev tun
ifconfig 172.16.45.1 255.255.255.0
server 172.16.45.0 255.255.255.0
push "route-metric 100"
keepalive 3 10
user nobody
group nogroup
persist-key
persist-tun
status server-openvpn-status.log
log server-openvpn.log
verb 2
client-to-client
client-config-dir /etc/openvpn/ccd
topology subnet
cipher AES-256-GCM
auth SHA256
data-ciphers AES-256-GCM
fast-io
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
txqueuelen 4000
tun-mtu 1420

DCO has several limitations; you can read about them here: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html
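
A pre-flight check for the limitations mentioned above, as an added example that is not from the original post: the shell function below flags directives in an OpenVPN config that DCO does not support. The rule list is an assumption based on the OpenVPN 2.6 DCO documentation (tun only, no compression, no fragment/shaper, topology subnet on servers, AEAD ciphers only), and dco_lint is a hypothetical name.

```shell
#!/bin/sh
# dco_lint FILE
# Prints each directive that OpenVPN's DCO notes list as unsupported and
# returns 1 if any were found, 0 otherwise. Rules are assumptions taken from
# the OpenVPN 2.6 DCO documentation, not from this page.
dco_lint() {
    awk '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; found = 1 }

    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    { opt = $1; sub(/^--/, "", opt) }             # accept "--opt" spelling too

    opt == "dev" && $2 ~ /^tap/            { bad("dev " $2 ": DCO is tun (layer 3) only") }
    opt == "dev-type" && $2 == "tap"       { bad("dev-type tap: DCO is tun (layer 3) only") }
    opt == "compress" || opt == "comp-lzo" { bad(opt ": compression/framing is not supported") }
    opt == "fragment" || opt == "shaper"   { bad(opt ": not available with DCO") }
    opt == "topology" && $2 != "subnet"    { bad("topology " $2 ": servers need topology subnet") }
    opt == "cipher" || opt == "data-ciphers" {
        n = split($2, c, ":")
        for (i = 1; i <= n; i++) {
            sub(/^\?/, "", c[i])                  # "?" marks an optional cipher
            if (toupper(c[i]) !~ /^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$/)
                bad(opt " " c[i] ": only AEAD ciphers are offloaded")
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample config (not from the page) with options DCO does not support.
sample=$(mktemp)
printf '%s\n' 'dev tun' 'topology subnet' 'comp-lzo' \
    'data-ciphers AES-256-GCM:AES-256-CBC' > "$sample"
dco_lint "$sample" || echo "config is not DCO-clean"
rm -f "$sample"
```

Run it against both /etc/openvpn/client/test.conf and /etc/openvpn/server/server.conf before benchmarking, so the iperf3 numbers reflect the kernel data path.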
