Let's benchmark with netperf UDP to start with, to eliminate TCP effects and
packet loss. Test with different packet sizes.
On 30 December 2019 10:48:19 GMT, Nikos Mavrogiannopoulos
<[email protected]> wrote:
>It wouldn't matter benchmarking it. It will not be significantly
>different. From what you describe the crypto capacity of cpu is at
>least 10-fold what you see on the wire. So the issue is somewhere else.
>
>
>On December 30, 2019 10:08:28 AM UTC, Carles Pina i Estany
><[email protected]> wrote:
>>
>>Hi,
>>
>>On Dec/30/2019, David Woodhouse wrote:
>>> On Sat, 2019-12-28 at 22:53 +0100, Carles Pina i Estany wrote:
>>> > Hi openconnect,
>>> >
>>> > I have a question regarding CPU usage, network speed and
>>openconnect.
>>> >
>>> > I'm using openconnect from Debian (Debian package version 8.02-1)
>>> > connecting to a Cisco AnyConnect. I'm using NetworkManager but I'm
>>happy
>>> > to use the command line if this would help.
>>>
>>> A few months ago we had a similar thread, and some performance
>>> improvements went into the 8.03 release. Please could you update to
>>git
>>> master and try?
>>
>>on Saturday I tried with v8.05. I couldn't see any big improvement.
>>Since then I reverted back to use the Debian package (v8.02-1)
>>integrated with the NetworkManager.
>>
>>> There's also an experimental perfhacks branch:
>>>
>>http://git.infradead.org/users/dwmw2/openconnect.git/shortlog/refs/heads/perfhacks
>>>
>>> Most of that is for ESP support, not DTLS, but the 'reuse packets
>>> instead of free/malloc' bought us a few percent and I'd like to
>>> eventually fix up all the buffer sizing inconsistencies and merge it
>>> (or just move to using rings).
>>
>>I'll try to test the perfhack branch today.
>>
>>> > I see that openconnect uses about 35 to 40% of CPU (measured with
>>top)
>>> > in my 4 cores laptop.
>>> >
>>> > When using openconnect the connection is about 5 to 8 MB/s
>>otherwise
>>> > more than twice this speed.
>>> >
>>> > The system administrators on the other side don't seem to be aware
>>of
>>> > any speed limitation or throttling.
>>> >
>>> > The internet connection or even the upload speed to the other side
>>is
>>> > higher if no OpenConnect is used.
>>> >
>>> > My question is: do you know of any way to make the VPN faster?
>>> >
>>> > Any experience compiling openconnect (I might try this anyway)
>>instead
>>> > of using the Debian precompiled version? Any parameters that could
>>be
>>> > used, faster cyphering, etc.?
>>>
>>> You can try forcing it to use different ciphers with the
>>--dtls-ciphers
>>> option.
>>
>>I haven't succeeded forcing gnutls-cli to do benchmarks for
>>AES-256-CBC.
>>I've tried:
>>gnutls-cli --benchmark-ciphers --priority=PERFORMANCE
>>gnutls-cli --benchmark-ciphers --priority=SECURE256
>>
>>--dtls-ciphers is not an option on my gnutls-cli (version 3.6.7)
>>
>>> Please could you set it running, then use 'perf record -a
>>netperf....'
>>> to record the *full* system activity (including kernel and
>>openconnect)
>>> for each of a large upload, and a large download. Use your own
>>existing
>>> benchmark or workload if that's easier than netperf.
>>>
>>> Let's see where it's actually spending the time, and what we can do
>>> about it.
>>
>>I'll do it.
>>
>>Thanks!
>
>--
>Sent from my mobile. Please excuse my brevity.
>
>_______________________________________________
>openconnect-devel mailing list
>[email protected]
>http://lists.infradead.org/mailman/listinfo/openconnect-devel
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
