OpenVPN Support Forum

Posted: **Sat Apr 23, 2016 9:06 am**

Hello all,

Quote from Gigabit Networks:

when an 'iperf' packet is sent to the VPN server IP address, the packet enters the kernel's 'tun0' device. The packet is then forwarded to the userspace OpenVPN process, where the headers are stripped. The packet is encrypted and signed using OpenSSL calls. The encryption and signing algorithms can be configured using the '--cipher' and '--auth' options.

The resulting packet is then fragmented into pieces according to the '--fragment' and --mssfix' options. Afterwards, the encrypted packet is sent out over the regular network to the OpenVPN server. On the server, the process is reversed. First, the packet is reassembled, then decrypted and finally sent out the 'tun0' interface.

The given example shows the packetflow between two machines.
Let`s say we have routed client -> server -> client
The server has two ports: client -> (eth0 -> server -> eth1) -> client
My question is, how would the packetflow look like internally in the server?

Thanks.

Posted: **Sat Apr 23, 2016 1:43 pm**

Pippin wrote:The server has two ports: client -> (eth0 -> server -> eth1) -> client

It depends .. are both clients using the same openvpn server instance ?

Posted: **Sat Apr 23, 2016 7:19 pm**

Yes, they are using the same instance.
I`m doing some throughput testing on my new self build pfSense router and want to understand the results I'm getting.
So, packets are flowing through the server, from client to client, routed, not internal client-to-client.

Server

Remote Access (SSL/TLS+User Auth)
udp
tun
tls static key 2048
Diffie Hellman 2048
Certs 2048
Encryption AES-256-CBC
Auth digest SHA512
prng RSA-SHA512 32
fast-io
comp-lzo no
tls-version-min 1.2 or-highest

Both clients

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.11.200 1194 udp
lport 0
verify-x509-name "OVPN-SERVER-CERT" name
auth-user-pass
ns-cert-type server
comp-lzo no
prng RSA-SHA512 32
tls-version-min 1.2 or-highest

1. First without OpenVPN

iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.00 sec 3.31 GBytes 948 Mbits/sec sender
[ 4] 0.00-30.00 sec 3.31 GBytes 948 Mbits/sec receiver

2. Then encryption disabled

cipher none
auth none
iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 967 MBytes 270 Mbits/sec sender
[ 4] 0.00-30.01 sec 967 MBytes 270 Mbits/sec receiver

3. OpenVPN + BSD crypto engine

iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 571 MBytes 160 Mbits/sec sender
[ 4] 0.00-30.01 sec 571 MBytes 160 Mbits/sec receiver

4. OpenVPN + AES-NI

iperf3 -c 192.168.11.11 -t 30
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-30.01 sec 570 MBytes 159 Mbits/sec sender
[ 4] 0.00-30.01 sec 570 MBytes 159 Mbits/sec receiver

I can imagine in a client server client flow the server has maybe double encrypt/decrypt/fragment task.
So I'm curious how the packets flow and how that affects performance.

There are two more things I want to test:
Client -> Server
Client -> Server -> LAN-client

Thank you.

Posted: **Sat Apr 23, 2016 9:35 pm**

Pippin wrote:Yes, they are using the same instance.
I`m doing some throughput testing on my new self build pfSense router and want to understand the results I'm getting. So, packets are flowing through the server, from client to client, routed, not internal client-to-client.

Pippin wrote:I can imagine in a client server client flow the server has maybe double encrypt/decrypt/fragment task.
So I'm curious how the packets flow and how that affects performance.

I am not sure of the details maybe ask the mailing list ..

But I imagine something this:

Code: Select all

Client.1:
   iperf.packet -> tun.device -> encrypt/frag/mmsfix -> NIC.device -> *internet*

Server:
   *internet* -> NIC.device -> reassemble/decrypt(1) -> tun.device -> (routing)
   tun.device -> encrypt/frag/mmsfix -> NIC.device -> *internet*

Client.2:
   *internet* -> NIC.device -> reassemble/decrypt -> tun.device -> iperf.packet

(1) I do not know if --client-to-client has any performance benefits ..
Try testing with & without --client-to-client .. let me know

Expand this:
https://community.openvpn.net/openvpn/w ... orks_Linux

Posted: **Mon Apr 25, 2016 2:51 pm**

Server:
*internet* -> NIC.device -> reassemble/decrypt(1) -> tun.device -> (routing)
tun.device -> encrypt/frag/mmsfix -> NIC.device -> *internet*

Yes, I was thinking something similar. One small correction, there are two interfaces.
*internet* -> NIC.device1 -> reassemble/decrypt(1) -> tun.device -> (routing)
tun.device -> encrypt/frag/mmsfix -> NIC.device2 -> *internet*

When I have enough time I will also test your suggestion, client-to-client, I guess througput will drop but it`s a guess, I have no good understanding of the packet flow and want to "mess around" first

OpenVPN Support Forum

The packetflow

The packetflow

Re: The packetflow

Re: The packetflow

Re: The packetflow

Re: The packetflow