Poor OpenVPN performance on Raspberry Pi

Tonight I tested a Raspberry Pi model B running Raspbian as an OpenVPN-capable router. I used an Apple USB FastEthernet adaptor as the external interface. Results are disappointing. Pushing traffic through the VPN produced 90% CPU usage at about 8 Mbit with the CPU running at 700 MHz (no CPU overclocking). That’s far below what my tests with “openssl speed” produced.

My goal is to produce a low-power router capable of high-speed VPN encryption using OpenVPN, PPTP, and IPsec. Simply routing is easy, but encrypting on the device is another matter.

OpenVPN defaults to using OpenSSL with SHA-1. Using an average network packet of 1K, “openssl speed” indicates that my Pi should out-perform my Buffalo router by about 3 times over:

However, it doesn’t. In fact the Buffalo can achieve 12-13 Mbit at 100% CPU usage. My first guess was that OpenVPN isn’t compiled with hard-float support, unlike OpenSSL itself. However, both binaries are linked to the same hard-float-capable libraries:

Does anyone know what’s going on?


  1. BooT Loos’s avatar

    Hi there!!

    My guess goes to the poorly built USB Qualcomm drivers on the Raspberry. I also had performance troubles with them, low network speed and CPU stuck on I/O operations when accessing the disk.
    If you are wondering, the RJ-45 is internally plugged to the USB too :S.

    Let me know if you manage to fix it!!!! ;)

    Reply

    1. BooT Loos’s avatar

      An external USB disk I mean!!!! xDDD

      Reply

    2. Tyler Wagner’s avatar

      Wow, you’re right. Both interfaces say “USB 2.0” in lshw:

      Reply

    3. Ed’s avatar

      Personally I favour the PC Engines ALIX (pcengines.ch) for low-power routing and OpenVPN-ing, although at 3-4W at idle rising to 6W at load (according to the manual, not measured by me) it’s not quite as low power as the Raspberry Pi. Three built-in 100M network interfaces, too.

      Reply

      1. Tyler Wagner’s avatar

        Cool. I’m looking at an ALIX 2D13 board as a new router. Have you benchmarked the OpenVPN throughput on yours? Can you quote max bytes per second and packets per second for it?

        Reply

        1. Ed’s avatar

          Well, here is what openssl tells me on an ALIX 2D13 running Debian wheezy:

          and on another one running pfSense:

          so I wonder what they’ve done wrong in FreeBSD 8.1, which is what that version of pfSense is.

          In the past I’ve run iperf on the Debian machine and unencrypted it had no trouble driving the 100M network as fast as you’d expect. The hardware itself is excellent; the two machines above have been running almost continuously for just over three years, trouble free.

          Reply

          1. Tyler Wagner’s avatar

            Thanks for that, Ed. My guess is that FreeBSD/pfSense doesn’t have support for the crypto coprocessor compiled in.

            If you have an opportunity to use iperf over an OpenVPN link to the Debian wheezy device, I’d love to know what it can do. Or are you saying it can saturate the 100mbit link via OpenVPN?

            I read that the Debian wheezy image for Alix uses a read-only filesystem. Does it have overlay support so you can apt-get install whatever tools you want?

            Reply

            1. Ed’s avatar

              I’ve stuck a 2.5″ IDE disk in the case with the ALIX using double sided foam tape, and just keep /boot on the CF card, so I can use plain Debian and not care about wearing out flash. The pfSense machine, on the other hand, runs off the CF card, readonly all the time (except for a cron job that saves some stats once a day).

              “Or are you saying it can saturate the 100mbit link via OpenVPN?”

              No, it can’t saturate the link via OpenVPN. I can’t measure the maximum performance of mine, because the two machines are separated by about 500km and the internet at the moment; both are limited by ADSL upstream rates. Here’s a chart showing you get the best performance using the aes-128 crypto dev, and probably can expect below 20Mbit unless you plug one of these into the mini-PCI slot. I have not felt the need; in my setup it’s fast enough.

              Reply

            2. Ed’s avatar

              I’ve used a 2.5″ IDE disk and just keep /boot on the CF card, so I can use plain Debian and not care about wearing out flash (it also functions as a backup file and print server). The pfSense machine, on the other hand, runs off the CF card, readonly all the time (except for a cron job that saves some stats once a day).

              “Or are you saying it can saturate the 100mbit link via OpenVPN?”

              No, it can’t saturate the link via OpenVPN. I can’t measure the maximum performance of mine, because the two machines are separated by about 500km and the internet at the moment; both are limited by ADSL upstream rates. Here’s a chart showing you get the best performance using the aes-128 crypto dev, and probably can expect below 20Mbit unless you plug one of these into the mini-PCI slot. I have not felt the need; in my setup it’s fast enough.

              Reply

              1. Tyler Wagner’s avatar

                Damn. That’s not a great deal better than I’m seeing with OpenWRT on my Buffalo WZR-HP-G300NH, which can push 13 Mbit over stock OpenVPN.

                I am unfortunately coming to the conclusion that OpenVPN just sucks. VPN in userspace is a mistake. I think I’ll reimplement my VPN as kernel mode PPTP.

                Reply

                1. RangerZ’s avatar

                  Tyler

                  I am trying to run OpenVPN on a Buffalo WZR-HP-G300NH using DD-WRT 19846 (last Buffalo version). I cannot get past about 1.5-2 Mbps. I would be happy with 13. I can get 25 plus normally. I offloaded the OpenVPN to its own box set up as an AP with wireless off and get the same results.

                  What firmware are you using? Any other tips?

                  Thanks RangerZ

                  Reply

                  1. Tyler Wagner’s avatar

                    I use PPTP now, which isn’t as secure but was easier with the Mikrotik I have at the other end.

                    My Buffalo WZR-HP-G300NH presently runs OpenWRT 12.09. These tests with OpenVPN were tested under 10.03.1.

                    Reply

                  2. Samuel’s avatar

                    Be careful, sha1 is used for authenticating the packets, not to encrypt them. You should rather check the speed of the cipher used (which is bf-cbc by default).

                    Reply

                    1. Tyler Wagner’s avatar

                      Ah, thank you! That may explain some anomalies I’ve seen in the performance.

                      Reply
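
The estimate discussed in this thread, as an added example that is not part of the original post or comments: it reads the 1024-byte column of `openssl speed` output for both the cipher (bf-cbc) and the HMAC digest (sha1) and combines them, since a single OpenVPN thread runs both over every packet. The helper names `rate_at` and `estimate_mbit` and the sample figures are constructed for illustration.

```sh
#!/bin/sh
# Added example: bound OpenVPN throughput from `openssl speed` figures for
# BOTH the cipher and the HMAC digest at a 1024-byte block size.

# Constructed sample in the layout `openssl speed -evp <alg>` prints.
# The numbers are invented for illustration, not measurements from the post.
SAMPLE="The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
bf-cbc            9500.00k    10400.00k    10700.00k    10800.00k    10850.00k
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1              2100.00k     7200.00k    19000.00k    32400.00k    41000.00k"

# rate_at LABEL SIZE (hypothetical helper): read `openssl speed` output on
# stdin and print the rate, in 1000s of bytes/s, for that row and block size.
rate_at() {
    awk -v label="$1" -v size="$2" '
        $1 == "type" {                    # header row: find the size column
            n = (NF - 1) / 2; k = 0
            for (i = 2; i < NF; i += 2) if ($i == size) k = i / 2
            next
        }
        k && index($0, label " ") == 1 {  # data row for the requested algorithm
            v = $(NF - (n - k))           # count from the right: labels may contain spaces
            sub(/k$/, "", v); print v; exit
        }'
}

# estimate_mbit CIPHER DIGEST (hypothetical helper): every packet is both
# encrypted and authenticated in one thread, so the per-byte costs add up:
#   combined = 1 / (1/cipher + 1/digest), then 1000s of bytes/s -> Mbit/s.
estimate_mbit() {
    c=$(printf '%s\n' "$SAMPLE" | rate_at "$1" 1024)
    h=$(printf '%s\n' "$SAMPLE" | rate_at "$2" 1024)
    [ -n "$c" ] && [ -n "$h" ] || return 1
    awk -v c="$c" -v h="$h" 'BEGIN { printf "%.1f\n", 8 / 1000 / (1/c + 1/h) }'
}

echo "cipher + HMAC bound at 1K blocks: $(estimate_mbit bf-cbc sha1) Mbit/s"
```

For real figures, pipe `openssl speed -evp <alg>` into `rate_at` using the row label your build prints. The result is a ceiling for the crypto work alone and does not account for tun/tap copies or the USB-attached network interface.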
