Improving OpenVPN performance and throughput

Originally published at: Improving OpenVPN performance and throughput

OpenVPN, Wireguard, L2TP/IPSec, SSTP, IKEv2, PPTP, or others. If you had the luxury of choosing, which VPN protocols would you use? Therein lies my problem. In my current use case, I must find a way to improve OpenVPN performance and throughput. You may have been following my Linux home lab build. One of the most…

Great post, really nice to read.
Ubiquity hardware/software is to be reckoned with, but one might not want to dismiss core Unix/Linux open-source software on bare-metal as well.

I’m running OPNsense on a mini PC (not wanting to advertise so I won’t link anything unless asked for) and I’m near line-rate performance on a Gigabit fiber connection, on my home network, with lots of vlan, firewalling, QoS, etc…

Sure, VPN eats a lot of resources and I need to do some more thorough testing, and it’s very true that ovpn, though quick and easy to setup, is not really shinning in the performance department, but If I recall correctly, I could get around 40 to 50 percent bandwidth depending on endpoint and parameters with my hardware (which is an ‘affordable’ 150$ box btw.)

So as a *nix and open-source advocate, you might want to consider these alternatives as well, and give them a fair trial in your testing.

Kind Regards

2 Likes

Agreed with Ubiquiti. Also, the value isn’t there anymore, especially now with price gouging, so many items out of stock.

Have a look at this TP-Link lineup (hard to beat the value for a home lab type rack setup):
Router: VPN Router - Gigabit Routers for Business - TP-Link (+ OpenVPN client)
Switch: TL-SG2210MP | JetStream 10-Port Gigabit Smart Switch with 8-Port PoE+ | TP-Link
Controller: OC200 | Omada Hardware Controller | TP-Link
Access points: Access Points | TP-Link

If you want to use Wiregaurd, then can add or replace the router with https://www.pivpn.io/ on an RPi 4.

Or use a Brume (GL-MV1000) Edge Computing Gateway | No WiFi Module– GL.iNet router. (supports Wireguard client up to 250 Mbps ISP speed)

Just one example, And there are a bunch of other Ubiquiti alternatives out there.

Thank you for your post.

Background:

I have an OpenVPN server running on my Windows 10 VPS. The Internet connection of VPS is ~750 Mbps for Download and ~450 Mbps for upload (Obtained by multiple speedtest.net tests). The VPS has 2 vCPU and 8 GB RAM. The VPS serves only two clients of OpenVPN. However, the speedtest for clients normally shows 30 Mbps of the test while VPN is enabled.

What I have tried:

  • Please see the config

Config:

  • Server
;local a.b.c.d

--duplicate-cn

port 443

;proto tcp

proto udp

sndbuf 393216

rcvbuf 393216

push "sndbuf 393216"

push "rcvbuf 393216"

txqueuelen 4000

tun-mtu 9000 

mssfix 0

fragment 0

;dev tap

dev tun

ca "ca.crt"

cert "ERVER.crt"

key "C:\\SE.key"  # This file should be kept secret

dh "dh.pem"

;topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"

;push "route 192.168.20.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 8.8.8.8"

keepalive 10 120

tls-auth "tls-auth.key" 0 # This file is secret

cipher AES-128-CBC

persist-key

persist-tun

;mute 20

explicit-exit-notify 1

  • Client
dev tun
proto udp
remote IP 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----
</key>
<tls-auth>
</tls-auth>
1 Like

Hi @mmbo not sure what can be done while on Windows OS. These optimizations were tested on Linux.

You should use WireGuard instead of OpenVPN when possible. It’s much faster.

Welcome to the forums!

1 Like