Poor OpenVPN performance on Raspberry Pi

Tonight I tested a Raspberry Pi model B running Raspbian as an OpenVPN-capable router. I used an Apple USB FastEthernet adaptor as the external interface. Results are disappointing. Pushing traffic through the VPN produced 90% CPU usage at about 8 Mbit with the CPU running at 700 MHz (no CPU overclocking). That’s far below what my tests with “openssl speed” produced.

My goal is to produce a low-power router capable of high-speed VPN encryption using OpenVPN, PPTP, and IPsec. Simply routing is easy, but encrypting on the device is another matter.

OpenVPN defaults to using OpenSSL with SHA-1. Using an average network packet of 1K, “openssl speed” indicates that my Pi should out-perform my Buffalo router by about 3 times over:

# Buffalo WZR-HP-G300NH with OpenWRT 10.03.1:
root@buffalo:~# openssl speed sha1
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
sha1               910.96k     2470.68k     4990.85k     6953.07k     7284.12k

# Raspberry Pi with Raspbian "wheezy" @ 700 MHz ARM clock:
root@routerberrypi:~# openssl speed sha1
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
sha1              1634.07k     5627.26k    14426.31k    23815.77k    29542.22k

However, it doesn’t. In fact the Buffalo can achieve 12-13 Mbit at 100% CPU usage. My first guess was that OpenVPN isn’t compiled with hard-float support, unlike OpenSSL itself. However, both binaries are linked to the same hard-float-capable libraries:

root@routerberrypi:~# ldd /usr/sbin/openvpn
...
	libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6dfd000)
	libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6c9a000)

root@routerberrypi:~# ldd /usr/bin/openssl
...
	libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6ebe000)
	libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6d5b000)

Does anyone know what’s going on?
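
As an added example (not part of the original post), the script below converts the 1024-byte column of the two "openssl speed sha1" runs above into Mbit/s and divides it by the tunnel rates the post reports: 8 Mbit on the Pi, and 13 Mbit taken from the Buffalo's 12-13 Mbit range. The function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): turn `openssl speed` rows into
# Mbit/s and compare them with the tunnel throughput the post measured.

# Rows copied from the post's two `openssl speed sha1` runs.
BUFFALO_ROW='sha1  910.96k 2470.68k 4990.85k 6953.07k 7284.12k'
PI_ROW='sha1 1634.07k 5627.26k 14426.31k 23815.77k 29542.22k'

# speed_mbit ROW COLUMN
# Print the rate in Mbit/s for block-size column COLUMN (1 = first size).
# `openssl speed` reports thousands of bytes per second, so
# Mbit/s = value * 1000 * 8 / 1e6 = value * 8 / 1000.
# Returns non-zero if the column is missing or not a number.
speed_mbit() {
    printf '%s\n' "$1" | awk -v col="$2" '
        {
            v = $(col + 1)              # field 1 is the algorithm name
            sub(/k$/, "", v)            # drop the trailing "k" unit
            if (v !~ /^[0-9]+(\.[0-9]+)?$/) exit 1
            printf "%.1f\n", v * 8 / 1000
        }'
}

# headroom CEILING MEASURED
# Print how many times the benchmark ceiling exceeds the measured rate.
headroom() {
    awk -v c="$1" -v m="$2" 'BEGIN {
        if (m <= 0) exit 1
        printf "%.1f\n", c / m
    }'
}

# report NAME ROW MEASURED_MBIT
# Column 4 is the 1024-byte block size, the packet size the post assumes.
report() {
    ceiling=$(speed_mbit "$2" 4) || return 1
    printf '%s: sha1 ceiling %s Mbit/s, measured %s Mbit/s, headroom %sx\n' \
        "$1" "$ceiling" "$3" "$(headroom "$ceiling" "$3")"
}

report "Raspberry Pi" "$PI_ROW" 8
report "Buffalo" "$BUFFALO_ROW" 13
```

Both devices sit far below what SHA-1 hashing alone could sustain at this block size, so the digest benchmark by itself does not predict tunnel throughput.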


  1. BooT Loos

    Hi there!!

    My guess goes to the poorly built USB Qualcomm drivers on the Raspberry. I also had performance troubles with them, low network speed and CPU stuck on I/O operations when accessing the disk.
    If you are wondering, the RJ-45 is internally plugged to the USB too :S.

    Let me know if you manage to fix it!!!! ;)

    1. BooT Loos

      An external USB disk I mean!!!! xDDD

    2. Tyler Wagner

      Wow, you’re right. Both interfaces say “USB 2.0” in lshw:

        *-network:0
             description: Ethernet interface
             physical id: 1
             logical name: eth0
             serial: b8:27:eb:73:6a:f9
             size: 10Mbit/s
             capacity: 100Mbit/s
             capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
             configuration: autonegotiation=on broadcast=yes driver=smsc95xx driverversion=22-Aug-2005 duplex=half firmware=smsc95xx USB 2.0 Ethernet link=no multicast=yes port=MII speed=10Mbit/s
        *-network:1
             description: Ethernet interface
             physical id: 2
             logical name: eth1
             serial: 00:80:8e:8a:92:8d
             size: 100Mbit/s
             capacity: 100Mbit/s
             capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
             configuration: autonegotiation=on broadcast=yes driver=asix driverversion=22-Dec-2011 duplex=full firmware=ASIX AX88772 USB 2.0 Ethernet ip=192.168.203.115 link=yes multicast=yes port=MII speed=100Mbit/s

    3. Ed

      Personally I favour the PC Engines ALIX (pcengines.ch) for low-power routing and OpenVPN-ing, although at 3-4W at idle rising to 6W at load (according to the manual, not measured by me) it’s not quite as low power as the Raspberry Pi. Three built-in 100M network interfaces, too.

      1. Tyler Wagner

        Cool. I’m looking at an ALIX 2D13 board as a new router. Have you benchmarked the OpenVPN throughput on yours? Can you quote max bytes per second and packets per second for it?

        1. Ed

          Well, here is what openssl tells me on an ALIX 2D13 running Debian wheezy:

          # openssl speed sha1
          type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
          sha1              2032.82k     5914.24k    12764.07k    18072.92k    20570.11k

          and on another one running pfSense:

          # openssl speed sha1
          type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
          sha1              1479.11k     4123.99k     8481.66k    11614.88k    12975.66k

          so I wonder what they’ve done wrong in FreeBSD 8.1, which is what that version of pfSense is.

          In the past I’ve run iperf on the Debian machine and unencrypted it had no trouble driving the 100M network as fast as you’d expect. The hardware itself is excellent; the two machines above have been running almost continuously for just over three years, trouble free.

          1. Tyler Wagner

            Thanks for that, Ed. My guess is that FreeBSD/pfSense doesn’t have support for the crypto coprocessor compiled in.

            If you have an opportunity to use iperf over an OpenVPN link to the Debian wheezy device, I’d love to know what it can do. Or are you saying it can saturate the 100mbit link via OpenVPN?

            I read that the Debian wheezy image for Alix uses a read-only filesystem. Does it have overlay support so you can apt-get install whatever tools you want?

            1. Ed

              I’ve stuck a 2.5″ IDE disk in the case with the ALIX using double sided foam tape, and just keep /boot on the CF card, so I can use plain Debian and not care about wearing out flash. The pfSense machine, on the other hand, runs off the CF card, readonly all the time (except for a cron job that saves some stats once a day).

              Or are you saying it can saturate the 100mbit link via OpenVPN?

              No, it can’t saturate the link via OpenVPN. I can’t measure the maximum performance of mine, because the two machines are separated by about 500km and the internet at the moment; both are limited by ADSL upstream rates. Here’s a chart showing you get the best performance using the aes-128 crypto dev, and probably can expect below 20Mbit unless you plug one of these into the mini-PCI slot. I have not felt the need; in my setup it’s fast enough.

            2. Ed

              I’ve used a 2.5″ IDE disk and just keep /boot on the CF card, so I can use plain Debian and not care about wearing out flash (it also functions as a backup file and print server). The pfSense machine, on the other hand, runs off the CF card, readonly all the time (except for a cron job that saves some stats once a day).

              Or are you saying it can saturate the 100mbit link via OpenVPN?

              No, it can’t saturate the link via OpenVPN. I can’t measure the maximum performance of mine, because the two machines are separated by about 500km and the internet at the moment; both are limited by ADSL upstream rates. Here’s a chart showing you get the best performance using the aes-128 crypto dev, and probably can expect below 20Mbit unless you plug one of these into the mini-PCI slot. I have not felt the need; in my setup it’s fast enough.

              1. Tyler Wagner

                Damn. That’s not a great deal better than I’m seeing with OpenWRT on my Buffalo WZR-HP-G300NH, which can push 13 Mbit over stock OpenVPN.

                I am unfortunately coming to the conclusion that OpenVPN just sucks. VPN in userspace is a mistake. I think I’ll reimplement my VPN as kernel mode PPTP.

                1. RangerZ

                  Tyler

                  I am trying to run OpenVPN on a Buffalo WZR-HP-G300NH using DD-WRT 19846 (last Buffalo version). I cannot get past about 1.5-2 Mbps. I would be happy with 13. I can get 25 plus normally. I offloaded the OpenVPN to its own box set up as an AP with wireless off and get the same results.

                  What firmware are you using? Any other tips?

                  Thanks RangerZ

                  1. Tyler Wagner

                    I use PPTP now, which isn’t as secure but was easier with the Mikrotik I have at the other end.

                    My Buffalo WZR-HP-G300NH presently runs OpenWRT 12.09. These tests with OpenVPN were tested under 10.03.1.

                  2. Samuel

                    Be careful, sha1 is used for authenticating the packets, not to encrypt them. You should rather check the speed of the cipher used (which is bf-cbc by default).

                    1. Tyler Wagner

                      Ah, thank you! That may explain some anomalies I’ve seen in the performance.
