openvpn and system overhead

Wojciech Puchar wojtek at puchar.net
Fri Apr 19 16:45:49 UTC 2019


>>
>> You need either some netmap-based solution or kernel-side vpn like IPsec (maybe with l2tp).
>> For me, IKE daemon plus net/mpd5 work just fine. mpd5 is userland daemon too,
>> but it processes only signalling traffic like session establishment packets
>> and then it sets up kernel structures (netgraph nodes) so that payload traffic is processed in-kernel only.
>
>
> Addendum to previous message to freebsd-hackers:
>
> We have (also) considered a netmap-enhanced (enabled?) OpenVPN.  You still have the problem that the ‘stack’ inside OpenVPN is single-threaded/single packet at a time.
>
> Also, you’ll need to multiplex > 1 instance of OpenVPN, maybe using the programmability of VALE (aka ‘mswitch’).
>
There is no problem that OpenVPN is single-threaded. I can easily divide
things over multiple OpenVPN processes.

The problem is the CPU load it produces. It will not be smart to use up a whole
8-core machine just to provide 3-4Gbps of VPN traffic with no spare power
to do actual work.

I found that most of the time OpenVPN is executing system calls; encryption takes
little time.

If FreeBSD were able to provide multiple packets per read/write call
from/to the tun device, and send/recv had a multipacket version,
it would mean speeding it up at least 4 times.


More information about the freebsd-hackers mailing list