Hello I have done some benchmarking of OpenVPN and wanted to share my numbers and also ask some questions. Here is a table that shows how OpenVPN scales. I ran up to 4 instances of OpenVPN servers simulatenously with different ciphers:
ICMP test (MiByes/s) *Cipher\OpenVPNs instances* *1* *2* *3* *4* *BF-CBC* 35 65 84 96 *AES-128-CBC* 45 80 94 96(lower CPU) *AES-256-CBC* 40 76 96 96(low CPU) Total of 800 tunnels were established in each test. Each tunnel was utilized with following ping command: "ping -I tunX -s 800 -i 0.003 <OpenVPN IP>". Lower CPU indicates that CPU usage was lower than in other tests. Deployment was as follows: 1. Server (Intel Xeon E5530 6GB of RAM with two 1GBit NICs; Ubuntu 10.04) connected directly with two clients (without a switch, so that total throughput could be 2Gbits) 2. Client1 (Q6600) runs half of the OpenVPN client instances 3. Client2 (Intel Xeon E5530) runs the other half of OpenVPN instances. Questions: 1. Why single OpenVPN server instance never consumes more than 85% of a CPU core in the System Monitor? Is this related to ep_pool() call that has a minimum wait interval and OpenVPN does not do anything at that time? 2. During the ping test on the server I observed that incoming traffic (ping requests) pushed out outgoing traffic (ping responses). The incoming and outgoing traffic should be equal, but this does not hold true in a load test. Any explanation why that happened? Maybe because ICMP is unreliable protocol and datagrams(responses) were dropped? 3. Have anyone tried to run OpenVPN on a newer CPU that has AES-NI instruction set (e.g. Xeon E56XX series)? I would like to know what would be the bandwidth benefit when AES is chosen as the data Tunnel Cipher? 4. During a OpenVPN 1200 client bomb test I observed that OpenVPN stalled with 100% CPU. In the openvpn log I saw that there are too many opened files (output of "ls /proc/PID/fd | wc -l" showed that there were 1027 opened files). The bad thing is that killing all those 1200 clients did not help the OpenVPN server to recover and it remained in stall state. It looks like a bug for me. Are there any tools which are already developed and would help in benchmarking multiple OpenVPN clients/servers? Regards, Ansis Atteka
