Originally published at: Improving OpenVPN performance and throughput
OpenVPN, WireGuard, L2TP/IPSec, SSTP, IKEv2, PPTP, or others. If you had the luxury of choosing, which VPN protocols would you use? Therein lies my problem. In my current use case, I must find a way to improve OpenVPN performance and throughput. You may have been following my Linux home lab build. One of the most…
Great post, really nice to read.
Ubiquiti hardware/software is to be reckoned with, but one might not want to dismiss core Unix/Linux open-source software on bare metal as well.
I’m running OPNsense on a mini PC (not wanting to advertise, so I won’t link anything unless asked for) and I’m near line-rate performance on a Gigabit fiber connection, on my home network, with lots of VLANs, firewalling, QoS, etc…
Sure, VPN eats a lot of resources and I need to do some more thorough testing, and it’s very true that ovpn, though quick and easy to set up, is not really shining in the performance department, but if I recall correctly, I could get around 40 to 50 percent bandwidth depending on endpoint and parameters with my hardware (which is an ‘affordable’ $150 box, btw).
So as a *nix and open-source advocate, you might want to consider these alternatives as well, and give them a fair trial in your testing.
Kind Regards
Agreed with Ubiquiti. Also, the value isn’t there anymore, especially now with price gouging and so many items out of stock.
Have a look at this TP-Link lineup (hard to beat the value for a home lab type rack setup):
Router: VPN Router - Gigabit Routers for Business - TP-Link (+ OpenVPN client)
Switch: TL-SG2210MP | JetStream 10-Port Gigabit Smart Switch with 8-Port PoE+ | TP-Link
Controller: OC200 | Omada Hardware Controller | TP-Link
Access points: Access Points | TP-Link
If you want to use WireGuard, then you can add or replace the router with https://www.pivpn.io/ on an RPi 4.
Or use a https://store.gl-inet.com/products/brumegl-mv1000-edge-computing-vpn-router router (supports WireGuard client up to 250 Mbps ISP speed).
Just one example, and there are a bunch of other Ubiquiti alternatives out there.
Thank you for your post.
Background:
I have an OpenVPN server running on my Windows 10 VPS. The Internet connection of the VPS is ~750 Mbps for download and ~450 Mbps for upload (obtained by multiple speedtest.net tests). The VPS has 2 vCPUs and 8 GB RAM. The VPS serves only two OpenVPN clients. However, the speedtest for clients normally shows 30 Mbps while the VPN is enabled.
What I have tried:
- Please see the config
Config:
- Server
;local a.b.c.d
--duplicate-cn
port 443
;proto tcp
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
txqueuelen 4000
tun-mtu 9000
mssfix 0
fragment 0
;dev tap
dev tun
ca "ca.crt"
cert "ERVER.crt"
key "C:\\SE.key" # This file should be kept secret
dh "dh.pem"
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth "tls-auth.key" 0 # This file is secret
cipher AES-128-CBC
persist-key
persist-tun
;mute 20
explicit-exit-notify 1
- Client
dev tun
proto udp
remote IP 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----
</key>
<tls-auth>
</tls-auth>
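To make a config like the one posted above checkable rather than argued over, here is an added example (my own code, not part of the original post and not from the OpenVPN project): a small Python linter that parses an OpenVPN server config and flags the options that commonly cap throughput. It goes a little beyond the posted file: it also catches TCP transport and compression, which are not in that config but are the usual other culprits. The two config strings inside it are constructed for the example (the first reproduces the throughput-relevant lines posted above, the second is an assumed tuned counterpart), and the thresholds are the script's own heuristics, not OpenVPN defaults.

```python
"""Lint an OpenVPN server config for settings that commonly cap throughput.

Added example for this thread; not code from the original post or from the
OpenVPN project.  The two configs below are constructed here: the first
reproduces the throughput-relevant lines of the posted server config, the
second is an assumed tuned counterpart.  Thresholds are this script's own
heuristics, not OpenVPN defaults.
"""
import shlex

# Constructed: the throughput-relevant lines of the posted server config.
POSTED_SERVER_CONF = r"""
;local a.b.c.d
--duplicate-cn
port 443
;proto tcp
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
txqueuelen 4000
tun-mtu 9000
mssfix 0
fragment 0
dev tun
key "C:\\SE.key" # This file should be kept secret
server 10.8.0.0 255.255.255.0
keepalive 10 120
cipher AES-128-CBC
"""

# Constructed: the same server with the throughput-hostile settings removed.
# tun-mtu stays at the 1500 default, mssfix clamps inner TCP to fit the
# encapsulated path, AEAD ciphers replace CBC+HMAC, socket buffers are left
# to the OS.
TUNED_SERVER_CONF = """
port 443
proto udp
dev tun
tun-mtu 1500
mssfix 1400
data-ciphers AES-256-GCM:AES-128-GCM
server 10.8.0.0 255.255.255.0
keepalive 10 120
"""


def parse_config(text):
    """Return [(option, [args])], skipping blank and comment lines, honouring
    quoted arguments and the leading '--' that OpenVPN tolerates in files."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)  # drops a trailing '# ...'
        if parts:
            opts.append((parts[0].lstrip("-"), parts[1:]))
    return opts


def lint(opts):
    """Return [(option, problem)] for settings that typically hurt throughput."""
    seen = {}
    for name, args in opts:
        seen[name] = args                      # last occurrence wins

    def arg(name, default):
        args = seen.get(name)
        return args[0] if args else default

    findings = []
    if arg("proto", "udp").startswith("tcp"):
        findings.append(("proto", "TCP transport stacks retransmissions of the "
                         "inner TCP flows on top of the outer one; use udp"))
    tun_mtu = int(arg("tun-mtu", "1500"))
    if tun_mtu > 1500 and int(arg("fragment", "0")) == 0:
        findings.append(("tun-mtu", f"{tun_mtu} exceeds a 1500-byte path MTU with "
                         "OpenVPN fragmentation off, so every tunnel packet is "
                         "IP-fragmented and one lost fragment discards the whole packet"))
    if seen.get("mssfix") == ["0"]:
        findings.append(("mssfix", "MSS clamping disabled; inner TCP flows send "
                         "full-size segments that do not fit the encapsulated path"))
    cipher = arg("cipher", "")
    if cipher and not cipher.upper().endswith("-GCM") and "data-ciphers" not in seen:
        findings.append(("cipher", f"{cipher} is CBC+HMAC (two passes per packet) "
                         "and no data-ciphers list is set; set data-ciphers "
                         "AES-256-GCM:AES-128-GCM and confirm the negotiated "
                         "cipher in the log"))
    for buf in ("sndbuf", "rcvbuf"):
        if buf in seen:
            findings.append((buf, "fixed socket buffer overrides OS autotuning; "
                             "benchmark with and without it"))
    if "comp-lzo" in seen or "compress" in seen:
        findings.append(("compress", "per-packet compression costs CPU and enables "
                         "VORACLE-style attacks; leave it off"))
    return findings


def flagged_options(text):
    """Option names that lint() flags for a config text, in report order."""
    return [name for name, _ in lint(parse_config(text))]


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SERVER_CONF), ("tuned", TUNED_SERVER_CONF)):
        print(f"== {label} ==")
        for name, problem in lint(parse_config(conf)):
            print(f"  {name}: {problem}")
```

Run against the posted lines it reports tun-mtu, mssfix, cipher, sndbuf and rcvbuf, and nothing for the tuned variant. The tun-mtu finding is the one to test first: with the interface MTU at 9000 and both `fragment` and `mssfix` at 0, every full-size TCP segment from a client becomes a UDP datagram of roughly 9 KB that the sender's IP stack has to split into seven fragments to cross a 1500-byte link, and a single lost fragment discards the whole datagram, which is a classic way to end up at a few tens of Mbps on a link that can do hundreds. An iperf3 run through the tunnel before and after changing only that setting will show whether it is the bottleneck here.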