openvpn and system overhead

Eugene Grosbein eugen at grosbein.net
Wed Apr 17 23:12:23 UTC 2019


17.04.2019 22:08, Wojciech Puchar wrote:

> I'm running an openvpn server on a Xeon E5 2620 server.
> 
> When receiving 100Mbit/s traffic over VPN it uses 20% of a single core.
> At least 75% of it is system time.
> 
> Seems like 500Mbit/s is the max for a single openvpn process.
> 
> Can anything be done about that to improve performance?

Anyone concerned about performance should stop using solutions that process payload traffic
with a userland daemon while still using common system network interfaces,
because of the unavoidable and big overhead due to constant context switching
from userland to kernel land and back. Be it openvpn or another userland daemon.

You need either some netmap-based solution or a kernel-side VPN like IPsec (maybe with l2tp).
For me, an IKE daemon plus net/mpd5 work just fine. mpd5 is a userland daemon too,
but it processes only signalling traffic like session establishment packets
and then it sets up kernel structures (netgraph nodes) so that payload traffic is processed in-kernel only.




More information about the freebsd-hackers mailing list