I changed default crypto to:

ikev2 quick active esp from $local_gw to $remote_gw \
from $local_lan to $remote_lan peer $remote_gw \
ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
childsa enc aes-128-ctr \
psk "pass"

That increased VPN throughput up to 750KB/s but it is still too slow.
Maybe some sysctl tweaks would also help with this?

Any hint would be appreciated. Thank you.


$ ifstat -i vr0 
       vr0        
 KB/s in  KB/s out
    4.48    100.64
   24.14    503.63
   15.32    237.62
    0.33      6.32
   27.37    516.81
   25.92    548.57
   25.36    516.66
   23.49    514.80
   30.79    594.94
   37.45    583.15
   34.16    621.32
   31.54    653.58
   31.40    659.72
   33.00    667.91
   40.15    753.08
   34.54    738.35
   32.15    639.13
   35.11    621.26
   34.78    733.43
   34.59    728.21

On Fri, 18 Jan 2019 18:25:11 +0100
Radek <alee...@gmail.com> wrote:

> To be more precise:
> I use net/ifstat for current bw testing.
> If I push data by netcat over public IPs, it is up to 5MB/s. 
> If I push data by netcat through VPN, it is up to 400KB/s.
> Endusers in LANs also complain about VPN bw.
> 
> > You should use curl + nginx (with tmpfs) or iperf for bw testing.
> I do not need to get very exact bw. My "netcat test" shows that data transfer 
> over VPN is ~10 times slower.
> 
> > Have you tried your NC on the loopback as a reference ?
> $ time nc -N 127.0.0.1 1234 < 50MB.test
> 0.054u 1.476s 0:10.54 14.4%     0+0k 1281+1io 0pf+0w
> 
> > is the HEADER compression activated ?
> I do not know. How can I check it out?
> 
> > just drop the all sendbug data if you actually want to help.
> OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
>     rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 
> 500 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> real mem  = 536363008 (511MB)
> avail mem = 512651264 (488MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
> pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc8000/0xa800
> cpu0 at mainbus0: (uniprocessor)
> mtrr: K6-family MTRR support (2 registers)
> amdmsr0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> 0:20:0: io address conflict 0x6100/0x100
> 0:20:0: io address conflict 0x6200/0x200
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 
> 00:00:24:cd:90:10
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 
> 00:00:24:cd:90:11
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 
> 00:00:24:cd:90:12
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 
> 00:00:24:cd:90:13
> ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 
> 3579545Hz timer, watchdog, gpio, i2c
> gpio0 at glxpcib0: 32 pins
> iic0 at glxpcib0
> pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 
> wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-008G>
> wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 
> 1.0, legacy support
> ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
> addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbc0: unable to establish interrupt for irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
> gpio1 at nsclpcsio0: 29 pins
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
> addr 1
> ugen0 at uhub1 port 1 "American Power Conversion Smart-UPS C 1500 FW:UPS 10.0 
> / ID=1005" rev 2.00/1.06 addr 2
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on wd0a (3f37e17802c01339.a) swap on wd0b dump on wd0b
> 
> > You should use curl + nginx (with tmpfs) or iperf for bw testing.
> > 
> > don't drop data, maybe the driver of the ethernet card is crappy ?
> > 
> > just drop the all sendbug data if you actually want to help.
> > 
> > Have you tried your NC on the loopback as a reference ?
> > is the HEADER compression activated ?
> 
> 
> On Fri, 18 Jan 2019 09:28:45 -0500
> sven falempin <sven.falem...@gmail.com> wrote:
> 
> > On Fri, Jan 18, 2019 at 8:58 AM Radek <alee...@gmail.com> wrote:
> > 
> > > I have configured Site-to-Site ikev2 VPN between two routers (Soekris
> > > net5501-70).
> > > Over the internet my transfer speed between these machines is up to
> > > 5000KB/s (it is OK).
> > > Over the VPN it is up to 400KB/s only.
> > >
> > > Is there any way to squeeze more performance out from these hardware and
> > > speed up the VPN?
> > >
> > > Tested with netcat:
> > > $ nc 10.0.15.254 1234 < 49MB.test
> > > $ nc -l 1234 > 49MB.test
> > >
> > > $ cat /etc/iked.conf
> > > ikev2 quick active esp from $local_gw to $remote_gw \
> > > from $local_lan to $remote_lan peer $remote_gw \
> > > psk "pass"
> > >
> > > $ dmesg | head
> > > OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
> > >     rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
> > > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> > > 500 MHz
> > > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> > > real mem  = 536363008 (511MB)
> > > avail mem = 512651264 (488MB)
> > > mpath0 at root
> > > scsibus0 at mpath0: 256 targets
> > > mainbus0 at root
> > > bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
> > >
> > >
> > >
> > You should use curl + nginx (with tmpfs) or iperf for bw testing.
> > 
> > don't drop data, maybe the driver of the ethernet card is crappy ?
> > 
> > just drop the all sendbug data if you actually want to help.
> > 
> > Have you tried your NC on the loopback as a reference ?
> > is the HEADER compression activated ?
> > 
> > -- 
> > --
> > ---------------------------------------------------------------------------------------------------------------------
> > Knowing is not enough; we must apply. Willing is not enough; we must do
> 
> 
> -- 
> radek


-- 
radek
