The packetflow

Weekly dev snapshots are available for testing.
We talk about them here. Testing features in the dev snapshot helps the features make it to stable.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
Post Reply
User avatar
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

The packetflow

Post by Pippin » Sat Apr 23, 2016 9:06 am

Hello all,

Quote from Gigabit Networks:
when an 'iperf' packet is sent to the VPN server IP address, the packet enters the kernel's 'tun0' device. The packet is then forwarded to the userspace OpenVPN process, where the headers are stripped. The packet is encrypted and signed using OpenSSL calls. The encryption and signing algorithms can be configured using the '--cipher' and '--auth' options.

The resulting packet is then fragmented into pieces according to the '--fragment' and --mssfix' options. Afterwards, the encrypted packet is sent out over the regular network to the OpenVPN server. On the server, the process is reversed. First, the packet is reassembled, then decrypted and finally sent out the 'tun0' interface.
The given example shows the packetflow between two machines.
Let`s say we have routed client -> server -> client
The server has two ports: client -> (eth0 -> server -> eth1) -> client
My question is, how would the packetflow look like internally in the server?

Thanks.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: The packetflow

Post by Traffic » Sat Apr 23, 2016 1:43 pm

Pippin wrote:The server has two ports: client -> (eth0 -> server -> eth1) -> client
It depends .. are both clients using the same openvpn server instance ?

User avatar
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: The packetflow

Post by Pippin » Sat Apr 23, 2016 7:19 pm

Yes, they are using the same instance.
I`m doing some throughput testing on my new self build pfSense router and want to understand the results I'm getting.
So, packets are flowing through the server, from client to client, routed, not internal client-to-client.
Server
Remote Access (SSL/TLS+User Auth)
udp
tun
tls static key 2048
Diffie Hellman 2048
Certs 2048
Encryption AES-256-CBC
Auth digest SHA512
prng RSA-SHA512 32
fast-io
comp-lzo no
tls-version-min 1.2 or-highest
Both clients
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.11.200 1194 udp
lport 0
verify-x509-name "OVPN-SERVER-CERT" name
auth-user-pass
ns-cert-type server
comp-lzo no
prng RSA-SHA512 32
tls-version-min 1.2 or-highest
1. First without OpenVPN
iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 3.31 GBytes 948 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.31 GBytes 948 Mbits/sec receiver
2. Then encryption disabled
cipher none
auth none
iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 967 MBytes 270 Mbits/sec sender
[ 4] 0.00-30.01 sec 967 MBytes 270 Mbits/sec receiver
3. OpenVPN + BSD crypto engine
iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 571 MBytes 160 Mbits/sec sender
[ 4] 0.00-30.01 sec 571 MBytes 160 Mbits/sec receiver
4. OpenVPN + AES-NI
iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 570 MBytes 159 Mbits/sec sender
[ 4] 0.00-30.01 sec 570 MBytes 159 Mbits/sec receiver
I can imagine in a client server client flow the server has maybe double encrypt/decrypt/fragment task.
So I'm curious how the packets flow and how that affects performance.

There are two more things I want to test:
Client -> Server
Client -> Server -> LAN-client

Thank you.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: The packetflow

Post by Traffic » Sat Apr 23, 2016 9:35 pm

Pippin wrote:Yes, they are using the same instance.
I`m doing some throughput testing on my new self build pfSense router and want to understand the results I'm getting. So, packets are flowing through the server, from client to client, routed, not internal client-to-client.
Pippin wrote:I can imagine in a client server client flow the server has maybe double encrypt/decrypt/fragment task.
So I'm curious how the packets flow and how that affects performance.
I am not sure of the details maybe ask the mailing list ..

But I imagine something this:

Code: Select all

Client.1:
   iperf.packet -> tun.device -> encrypt/frag/mmsfix -> NIC.device -> *internet*

Server:
   *internet* -> NIC.device -> reassemble/decrypt(1) -> tun.device -> (routing)
   tun.device -> encrypt/frag/mmsfix -> NIC.device -> *internet*

Client.2:
   *internet* -> NIC.device -> reassemble/decrypt -> tun.device -> iperf.packet
(1) I do not know if --client-to-client has any performance benefits ..
Try testing with & without --client-to-client .. let me know :geek:

Expand this:
https://community.openvpn.net/openvpn/w ... orks_Linux

User avatar
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: The packetflow

Post by Pippin » Mon Apr 25, 2016 2:51 pm

Server:
*internet* -> NIC.device -> reassemble/decrypt(1) -> tun.device -> (routing)
tun.device -> encrypt/frag/mmsfix -> NIC.device -> *internet*
Yes, I was thinking something similar. One small correction, there are two interfaces.
*internet* -> NIC.device1 -> reassemble/decrypt(1) -> tun.device -> (routing)
tun.device -> encrypt/frag/mmsfix -> NIC.device2 -> *internet*

When I have enough time I will also test your suggestion, client-to-client, I guess througput will drop but it`s a guess, I have no good understanding of the packet flow and want to "mess around" first :)

Post Reply