
Speed difference using widget and setting up router as client


Topic Author
aph
Posts: 8
Joined: Mon Feb 23, 2015 3:04 pm

Speed difference using widget and setting up router as client

Postby aph » Mon Feb 23, 2015 3:44 pm

I have an RT-AC68U, which is practically as good as consumer grade routers get. Regardless of this, when I set up the router to act as an openvpn client I get speeds of about 10-15mbps tops, in comparison to 45-50 when using the widget on the desktop. Is there a magic setting I'm missing? I have 300mbps available.

Settings:
► Show Spoiler

I didn't put in persist-tun and persist-key because I saw they're pushed from the server. My Compression is turned off at the router; the comp-lzo setting was giving me trouble (dns lookups ok but a bad gateway -- no icmp responses)



Re: Speed difference using widget and setting up router as client

Postby aph » Mon Feb 23, 2015 5:32 pm

[ Removed, wrong thread ]
Last edited by aph on Mon Feb 23, 2015 5:46 pm, edited 3 times in total.



Re: Speed difference using widget and setting up router as client

Postby aph » Mon Feb 23, 2015 5:45 pm

Sorting "top" by CPU usage I see that the vpn client jumps to 20-25% when there's heavy transfer. Probably an issue with capping out a single thread. Bummer.



Re: Speed difference using widget and setting up router as client

Postby aph » Mon Feb 23, 2015 6:42 pm

This appears to be a direct result of the ciphers used for encryption. Particularly the 256-bit requirements for both TLS and standard transport. I was able to improve speed by 50% by targeting affinity for the openvpn process to run on the second core while the first handles all the rest of the routing, but any tweaking of the ciphers resulted in a failed handshake.

Of course they are mathematically very complex so it's no surprise a consumer grade router can't keep up with speeds above 15mbps. I tried auto detection of the mtu size, different buffering values for sending and receiving, and the txqueue size all of which had almost no effect. Only dedicating the second core to the process had a measurable effect.

Looks like I'll be running it from my PC, and figuring out a way to force other devices through the tunnel.

parityboy
Site Admin
Posts: 1092
Joined: Wed Feb 05, 2014 3:47 am

Re: Speed difference using widget and setting up router as client

Postby parityboy » Mon Feb 23, 2015 10:09 pm

@aph

You've hit one of the walls put up by consumer-grade routers. None of them have offloading of the ciphers used by OpenVPN - newer Intel chips have AES-NI, which accelerates AES in hardware - because the CPUs they use are typically MIPS cores, and adding an "SSL accelerator" to the router would drive up the price.

Additionally yes, OpenVPN (unfortunately) is single threaded so throughput is limited to what a single core can handle. Overall throughput on a CS node is therefore limited to

a) the number of CPU cores (one OpenVPN instance per core)
b) the presence (or not) of AES-NI
c) the hard throughput limit of the network interface(s)

If you're up for it, you could build a cheap high-frequency box running something like pfSense or ZeroShell, and relegate your existing router to WiFi duty.

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Speed difference using widget and setting up router as client

Postby Tealc » Tue Feb 24, 2015 3:12 am

@aph

We talked about this a lot already, and we came to the conclusion that it would be less expensive to have a "small" linux server.
I've found out that to be able to get to speeds like the ones in Windows we need at least 1.2/1.5GHz + 128Mb RAM + openwrt.

I've currently installed a "NETGEAR Nighthawk AC1900 Gigabit Router" in a cyber-cafe that has 40 to 60 people connected at the same time. This router is permanently connected to Frankfurt-Cantus (this way the person that owns the cyber-cafe doesn't need to worry about what people do on the internet), and on the day of installation I got 40/40 on a 100/100 fiber-optic connection. I was quite happy with the outcome, but I will check again later this week if there was any downtime, mostly problems with the dnsmasq + dnscrypt (I got those a lot).

So just saying, if you want a very good router, think of 200USD for this one; if not, you can get a lot of those dual-core 1.2GHz mini-tv-pc for 100USD, just be sure it runs linux (because a lot of them only run Android).

I'm currently also starting a project for the new Raspberrypi 2; it seems that it can get a lot closer to those "small" linux machines for 35USD :-D we will see.



Re: Speed difference using widget and setting up router as client

Postby aph » Tue Feb 24, 2015 9:33 am

Thanks for putting some hard numbers on what kind of clock speeds I'll need to handle offloading the workload. Unfortunately NUC form factor is out since they're wifi. I'm very interested in hearing how far you're able to go with the Ras Pi 2.

I have the RT-AC68U, which is Asus' direct competitor to the AC1900. I'm disappointed it doesn't measure up to the AC1900 here.

Running one openvpn thread per core doesn't result in higher throughput than a single core either. Affinity seems to favor the process started first. In this case I started the second client on its own core 15 seconds before the first client:

OpenVPN Client 1 - Running
Statistics
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 5918
TCP/UDP write bytes 2978
Auth read bytes 128
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0

OpenVPN Client 2 - Running
Statistics
TUN/TAP read bytes 37364817
TUN/TAP write bytes 63118946
TCP/UDP read bytes 69162369
TCP/UDP write bytes 44634762
Auth read bytes 63119105
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 11156
post-decompress bytes 11954


Re: Speed difference using widget and setting up router as client

Postby Tealc » Sat Feb 28, 2015 1:37 am

This is my current cs.ovpn file in my router

► Show Spoiler


As you can see, I don't use the "remote" option built-in, since I start the process with "openvpn --cd /etc/openvpn --config /etc/openvpn/cs.ovpn --remote 46.165.222.245 443 &"
I use a "login.auth" (chmod 600) with my hashed token and the built-in CA cert; it seems it helps to speed up the process :-D
This just works. I do have a problem: if the connection times out for some reason, it just doesn't get reconnected, but I managed to put in something like a cron job (it would be good to have systemd on it) to check the openvpn PID and ping twitter.com; if one of them gives out 0 as a result, it restarts the router.
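
Added example, not part of Tealc's post or of cryptostorm's own tooling: one way to write the cron watchdog described above, with a preflight check that the credentials file is still mode 600. The pidfile path (it requires starting openvpn with --writepid), the location of login.auth under /etc/openvpn, and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: OpenVPN watchdog for a router, meant to be run from cron.
# Assumed paths (not from the thread); PIDFILE needs openvpn --writepid.
PIDFILE=${PIDFILE:-/var/run/openvpn-cs.pid}
AUTHFILE=${AUTHFILE:-/etc/openvpn/login.auth}
PROBE_HOST=${PROBE_HOST:-twitter.com}

# True when the pidfile names a process that still exists.
openvpn_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    case $pid in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric content
    kill -0 "$pid" 2>/dev/null
}

# True when the credentials file grants nothing to group or other (chmod 600).
auth_file_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ln "$1" | cut -c5-10)            # group + other permission bits
    [ "$perms" = "------" ]
}

# One reachability probe; with the tunnel up it travels through the VPN.
probe_ok() { ping -c 1 -W 5 "$1" >/dev/null 2>&1; }

# Print "ok", "restart" or "fix-perms". $3 is the probe command, so the
# decision logic can be exercised without touching the network.
watchdog_decide() {
    auth_file_private "$2" || { echo fix-perms; return; }
    openvpn_alive "$1"     || { echo restart; return; }
    "$3" "$PROBE_HOST"     || { echo restart; return; }
    echo ok
}

# Act only when invoked as: watchdog.sh --run   (e.g. from a cron entry)
if [ "${1:-}" = "--run" ]; then
    case $(watchdog_decide "$PIDFILE" "$AUTHFILE" probe_ok) in
        restart)   logger -t vpn-watchdog "tunnel down, rebooting"; reboot ;;
        fix-perms) logger -t vpn-watchdog "$AUTHFILE is not mode 600" ;;
    esac
fi
```

Run without `--run`, the script only defines its functions, so the checks can be tried by hand before a cron entry is allowed to reboot the router.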

