
OpenVPN Performance

Posted: Mon Aug 29, 2022 1:42 pm
by marcapo
Hi,
we've got an OpenVPN-AS with failover on version 2.11.0.
It works fine except for the performance.
It's a bare-metal server on Ubuntu 22 with only openvpn-server as a service.
SSD, 32GB RAM and Intel Xeon E5-2697A v4 CPU.
The uplink is 1Gbit dedicated synchronous.
Speedtest results and other performance tests confirm that the bandwidth is usable.
The client has a 1 Gbit download too.

If we copy a single big file from the OpenVPN server to a connected client, we get around 6-10MB/s.

Here are the server and client example configs

Server Config

{
"admin_ui.https.ip_address": "all",
"admin_ui.https.port": "943",
"aui.eula_version": "3",
"auth.ldap.0.add_req": "XX",
"auth.ldap.0.bind_dn": "XX",
"auth.ldap.0.bind_pw": "XX",
"auth.ldap.0.case_sensitive": "false",
"auth.ldap.0.enable": "true",
"auth.ldap.0.name": "My LDAP servers",
"auth.ldap.0.server.0.host": "XX",
"auth.ldap.0.server.1.host": "XX",
"auth.ldap.0.ssl_ca_cert": "/etc/ssl/certs/XX.pem",
"auth.ldap.0.ssl_verify": "internal",
"auth.ldap.0.timeout": "4",
"auth.ldap.0.uname_attr": "sAMAccountName",
"auth.ldap.0.use_ssl": "never",
"auth.ldap.0.user_exists_check": "true",
"auth.ldap.0.users_base_dn": "XX",
"auth.module.type": "ldap",
"auth.pam.0.service": "openvpnas",
"auth.radius.0.acct_enable": "false",
"auth.radius.0.name": "My Radius servers",
"cs.admin_only": "false",
"cs.ca_bundle": "XX",
"cs.cert": "XX",
"cs.cws.pwd_change": "false",
"cs.cws.pwd_strength": "true",
"cs.cws_proto_v2": "true",
"cs.cws_ui_offer.android": "true",
"cs.cws_ui_offer.autologin": "true",
"cs.cws_ui_offer.ios": "true",
"cs.cws_ui_offer.linux": "true",
"cs.cws_ui_offer.mac": "false",
"cs.cws_ui_offer.mac_v3": "true",
"cs.cws_ui_offer.server_locked": "false",
"cs.cws_ui_offer.user_locked": "true",
"cs.cws_ui_offer.win": "false",
"cs.cws_ui_offer.win_v3": "true",
"cs.https.ip_address": "all",
"cs.https.port": "943",
"cs.priv_key": "XX",
"cs.prof_sign_web": "true",
"cs.tls_version_min": "1.3",
"dbpush.hosts.0.enable": "true",
"dbpush.hosts.0.internal": "PRIMARY",
"dbpush.hosts.0.password": "",
"dbpush.hosts.0.public": "XX",
"dbpush.hosts.0.ssh_port": "22",
"dbpush.hosts.0.username": "root",
"dbpush.hosts.1.enable": "true",
"dbpush.hosts.1.internal": "SECONDARY",
"dbpush.hosts.1.password": "",
"dbpush.hosts.1.public": "XX",
"dbpush.hosts.1.ssh_port": "22",
"dbpush.hosts.1.username": "root",
"failover.mode": "ucarp",
"host.name": "XX",
"sa.compression_warning_shown": "displayed",
"sa.initial_run_groups.0": "web_group",
"sa.initial_run_groups.1": "openvpn_group",
"ssl_api.local_addr": "all",
"ssl_api.local_port": "945",
"subscription.bundle": "",
"subscription.saved_state": "",
"ucarp.addr": "XX",
"ucarp.secret": "XX",
"upgrade.current_version": "2.10.2",
"upgrade.initial_version": "2.10.1",
"vpn.client.basic": "false",
"vpn.client.cipher": "AES-256-CBC",
"vpn.client.config_text": "route-metric 10\nregister-dns",
"vpn.client.routing.inter_client": "true",
"vpn.client.routing.reroute_dns": "true",
"vpn.client.routing.reroute_gw": "false",
"vpn.daemon.0.client.netmask_bits": "21",
"vpn.daemon.0.client.network": "XX",
"vpn.daemon.0.listen.ip_address": "all",
"vpn.daemon.0.listen.port": "443",
"vpn.daemon.0.listen.protocol": "tcp",
"vpn.daemon.0.server.ip_address": "all",
"vpn.general.osi_layer": "3",
"vpn.server.cipher": "AES-256-CBC",
"vpn.server.config_text": "",
"vpn.server.daemon.enable": "true",
"vpn.server.daemon.ovpndco": "false",
"vpn.server.daemon.protocols": "both",
"vpn.server.daemon.tcp.n_daemons": "32",
"vpn.server.daemon.tcp.port": "443",
"vpn.server.daemon.udp.n_daemons": "32",
"vpn.server.daemon.udp.port": "1194",
"vpn.server.data_ciphers": "AES-256-GCM:Chacha20-Poly1305:AES-128-GCM:AES-256-CBC",
"vpn.server.dhcp_option.adapter_domain_suffix": "XX",
"vpn.server.dhcp_option.domain": "XX",
"vpn.server.duplicate_cn": "true",
"vpn.server.enable_cipher_fallback": "false",
"vpn.server.foreign_bridge": "",
"vpn.server.group_pool.0": "XX",
"vpn.server.port_share.enable": "false",
"vpn.server.port_share.ip_address": "1.2.3.4",
"vpn.server.port_share.port": "1234",
"vpn.server.port_share.service": "custom",
"vpn.server.routing.allow_private_nets_to_clients": "true",
"vpn.server.routing.gateway_access": "true",
"vpn.server.routing.private_access": "route",
"vpn.server.routing.private_network.0": "XX",
"vpn.server.routing.private_network.1": "XX",
"vpn.server.routing.private_network.10": "XX",
"vpn.server.routing.private_network.11": "XX",
"vpn.server.routing.private_network.2": "XX",
"vpn.server.routing.private_network.3": "XX",
"vpn.server.routing.private_network.4": "XX",
"vpn.server.routing.private_network.5": "XX",
"vpn.server.routing.private_network.6": "XX",
"vpn.server.routing.private_network.7": "XX",
"vpn.server.routing.private_network.8": "XX",
"vpn.server.routing.private_network.9": "XX",
"vpn.server.static.0.netmask_bits": "21",
"vpn.server.static.0.network": "XX",
"vpn.server.tls_cc_security": "tls-cryptv2",
"vpn.server.tls_version_min": "1.3",
"vpn.tls_refresh.interval": "60",
"xmlrpc.relay_level": "0"
}



Client Config
# Redacted OpenVPN Access Server client profile as posted in the thread;
# XX / xx stand in for values the poster removed.
# This is a comment
# Automatically generated OpenVPN client config file
# Generated on Fri Mar 18 16:02:15 2022 by xx.xx.xx
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Certificate serial: 45, certificate common name: xx
# Expires 2032-03-15 16:02:15
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=xx
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=xx@xx.xx.xx

# Default Cipher
# NOTE(review): the server config in this thread lists vpn.server.data_ciphers
# starting with AES-256-GCM; presumably this CBC value only applies when data
# cipher negotiation does not take place. Confirm the negotiated cipher in the
# connection log.
cipher AES-256-CBC
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=xx.xx.xx:943
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
XX
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
XX
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
XX
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=0
# Client mode: act as TLS client and accept options pushed by the server.
client
# Wait at most 4 seconds for a server response before trying the next remote.
server-poll-timeout 4
# Do not bind to a fixed local address/port.
nobind
# Candidate servers (hosts redacted), tried in the listed order. UDP/1194 comes
# first; the third entry is TCP/443.
# NOTE(review): which entry actually connected is not visible here. Check the
# client log, because the transport in use matters for throughput.
remote xx.xx.xx 1194 udp
remote xx.xx.xx 1194 udp
remote xx.xx.xx 443 tcp
remote xx.xx.xx 1194 udp
remote xx.xx.xx 1194 udp
remote xx.xx.xx 1194 udp
remote xx.xx.xx 1194 udp
remote xx.xx.xx 1194 udp
# Routed (layer 3) tunnel device.
dev tun
dev-type tun
# Reject a peer whose certificate is not marked for server use
# (key usage / extended key usage check).
remote-cert-tls server
# Lowest TLS version this client accepts on the control channel. The server
# config in the thread sets vpn.server.tls_version_min to 1.3.
tls-version-min 1.2
# Renegotiate the data-channel key after 604800 s (7 days).
# NOTE(review): the peer with the lower value triggers renegotiation first; the
# server lists vpn.tls_refresh.interval 60. Confirm its unit and effective value.
reneg-sec 604800
# Ask for username/password in addition to the client certificate below.
auth-user-pass
# Log verbosity.
verb 3
# Send client information (IV_* variables) to the server.
push-peer-info

# Inline credentials follow (bodies redacted to XX): CA certificate, client
# certificate, client private key and the tls-crypt-v2 client key. As the
# header states, an unredacted copy of this file must be kept confidential.
<ca>
-----BEGIN CERTIFICATE-----
XX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XX
-----END PRIVATE KEY-----
</key>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
XX
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>

# Extra user-defined configuration
# Presumably taken from vpn.client.config_text in the server config, which
# begins with "route-metric 10".
route-metric 10
# Profile signature trailer; the signature and certificate bodies are absent
# in this post.
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----




Are we doing anything wrong? We didn't expect to get the full 100MB/s, but 6-10MB/s with this hardware? It seems we are missing something here.
Thanks for your Tips!

Re: OpenVPN Performance

Posted: Wed Aug 31, 2022 9:03 pm
by openvpn_inc
Hi Marc,

Ubuntu 22? Are you sure? I don't think we have released that yet. Coming soon, of course. (correction: it's out already since 2.11.0 release - sorry)

Can you show us iperf3 test results between the client and server, both with and without a VPN connection? (You might have to open the port in your firewall.)

Could client's upload bandwidth be a factor? You didn't say exactly where this downloaded file was located relative to VPN server and client.

regards, rob0

Re: OpenVPN Performance

Posted: Tue Sep 06, 2022 12:34 am
by thund
The client's speed is limited by the client's network interface. For a PC, it's usually 100Mbps. You have to test on a server with a faster network interface.