From: Eugene Grosbein
To: Wojciech Puchar
Cc: freebsd-hackers@freebsd.org
Subject: Re: openvpn and system overhead
Date: Sat, 20 Apr 2019 13:13:32 +0700
Message-ID: <5CBAB88C.4020402@grosbein.net>
References: <0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138@grosbein.net>
List-Id: Technical Discussions relating to FreeBSD

On 19.04.2019 23:42, Wojciech Puchar wrote:

>> because of unavoidable and big overhead due to constant context switching
>> from user land to kernel land and back. Be it openvpn or another userland daemon.
>>
>> You need either some netmap-based solution or kernel-side vpn like IPsec (maybe with l2tp).
>
> well it has to cooperate with multitude of clients like windoze,
> point&click routers etc. that's why openvpn.

Windows has stock support for IPSec with and without L2TP and has no stock openvpn,
so IPSec is more preferable. Cheap and slow SOHO routers generally have worse performance
with openvpn than with any other kind of VPN, too.