Date: Thu, 18 Apr 2019 06:11:57 +0700 From: Eugene Grosbein <eugen@grosbein.net> To: Wojciech Puchar <wojtek@puchar.net>, freebsd-hackers@freebsd.org Subject: Re: openvpn and system overhead Message-ID: <0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138@grosbein.net> In-Reply-To: <alpine.BSF.2.20.1904171707030.87502@puchar.net> References: <alpine.BSF.2.20.1904171707030.87502@puchar.net>
next in thread | previous in thread | raw e-mail | index | archive | help
17.04.2019 22:08, Wojciech Puchar wrote: > i'm running openvpn server on Xeon E5 2620 server. > > when receiving 100Mbit/s traffic over VPN it uses 20% of single core. > At least 75% of it is system time. > > Seems like 500Mbit/s is a max for a single openvpn process. > > can anything be done about that to improve performance? Anyone concerning performance should stop using solutions processing payload traffic with userland daemon while still using common system network interfaces because of unavoidable and big overhead due to constant context switching from user land to kernel land and back. Be it openvpn or another userland daemon. You need either some netmap-based solution or kernel-side vpn like IPsec (maybe with l2tp). For me, IKE daemon plus net/mpd5 work just fine. mpd5 is userland daemon too, but it processes only signalling traffic like session establishment packets and then it setups kernel structures (netgraph nodes) so that payload traffic is processed in-kernel only.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138>