Using PPTP VPN and OpenVPN in a KVM: slow speed. Other protocols full speed?

ictdude

Using PPTP VPN and OpenVPN in a KVM: slow speed. Other protocols full speed? Port 22 SSH and Apache 80 download at full speed.

Using virtio network drivers; also tested Realtek and Intel E1000.

Max speed is like 1.68 Mb download. If I use an SSH download in the same VM I have full speed? Like 20 Mb.
Can the virtio network drivers handle full speed over OpenVPN or PPTP VPN?

Because SSL and 256 AES encryption is used? I am testing Untangle in a VM box.
Where can the bottleneck be? Did already some trial and error. Until now nothing .... :confused:
Server VM (Untangle) has 5GB RAM, must be OK. CPU also OK.
 
Hello ictdude,

becoming curious, I made some investigations:

High speed:

with E1000:
- plain 25MB/s
- openvpn 14MB/s

with virtio:
- plain 41MB/s
- openvpn 14MB/s

native:
- plain 60MB/s
- openvpn 30MB/s

Low speed (no difference between any kvm and native):
- plain 1MB/s
- openvpn 900kB/s

Conclusion:

In case of higher speed virtio is better, but using openvpn the bottleneck is probably the CPU (in my case it was an Intel i5, I'll repeat the test with an i7), top shows > 50% load.

Kind regards

Mr.Holmes
 

Holmes, thank you for your reply,

I have a I7 core X980 24GB RAM, so that must be enough power :)
Maybe i know what the problem can be. Looking to all my components
used in my server.

I also use Shorewall firewall on top of Proxmox.
virtio drivers for open VPN. The openVPN server is running
in a KVM. Bottle neck can be NAT on the Shorewall firewall


Situation is like this:

WAN IP ----> Shorewall firewall --NAT Translation to LAN Address (10.0.1.x)
Then on the openVPN server again NAT to LAN ...

I am going to change this and see what the performance will be.

So new setup to try will be:

WAN IP ----> Routed WAN direct to KVM (openVPN server) Then do NAT to LAN...
Will give openVPN server a WAN address (Situation now = LAN address 10.0.1.x)

Can you please tell me what your configuration looks like?
So I can compare this. So I can make a similar system if my new approach fails.

Really appreciate your feedback, thnx !!! Please let me know :)
 
Test configuration was as follows:

- transfer of a 300MB gz file via sftp (same file in all cases)

- openvpn client

- proxmox server 3.2 on intel i5 650

- or kvm ubuntu 13.10 using 2 cores on it (btw: the second core slightly improved the performance)


low speed:

- vdsl WAN connection

- NAT directly to openvpn client (no firewall)

- openvpn server ubuntu 13.10 on a XEN host connected via Internet

high speed:

- Gbit LAN (+ bridge) between server and client (no router)

- openvpn server on ubuntu 13.04 in intel i7 2600
 
Thnx for your reply. Over here I did some testing. Direct VPN traffic routed to the KVM box. Same result.
Also did route all traffic thru the tunnel to test internet speed from the OpenVPN client. Still not good.
Turned off the firewall, still too slow.

Next approach: will install an OpenVPN server directly on the Proxmox host. So without virtualisation.
But before I do that, first test the setup in a second Proxmox installed in a KVM.
Don't want to mess things up. First some testing. Hope that will work out.
 
You should definitely be able to pull much better speeds than that. The tun adapter itself is maxed out around 160mbps, which you aren't coming close to. I have run Untangle within Proxmox for years without any issues, but I keep all my OpenVPN setups on CentOS due to the lack of AES-NI support within the version of openssl on Untangle.
 
Can you tell me what your Proxmox network looks like? It's very strange that I have this performance.
While all other services work fine on this box. Like port 80 Apache, ftp, ssh, smtp: good connection speed. 100 mbps
I use port UDP 1194 for OpenVZ. Don't think SSL TCP 443 needs to be open because it works like this.

Untangle has only UDP 1194 open. Any clue how to troubleshoot this?

My network on the Proxmox host looks like this:



# device: eth0
auto eth0
iface eth0 inet static
    address 46.4.x.x
    broadcast 46.4.x.255
    netmask 255.255.255.224
    gateway 46.4.x.x
    pointopoint 46.4.x.x
    up sysctl -p

# Routed network
auto vmbr1
iface vmbr1 inet static
    address 46.4.x.x
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0

# Dnat Routed
auto vmbr0
iface vmbr0 inet static
    address 10.254.254.254
    netmask 255.0.0.0
    broadcast 10.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    up sysctl -p
    # Extra IP4
    up route add -host 46.4.x.x dev vmbr1
 
I bridge my eth devices so I can hand them to a guest. Are you using openVZ or KVM, two totally different things. If openvz is what you are using, then I can be of no help and you should change the title of this thread.
 
I use KVM (Untangle ISO install). If I bridge I need to set a MAC address at my provider. I like to keep it routed.
But I believe if I install OpenVPN directly on top of the Proxmox box, then it's directly linked. (Main address of Proxmox server)
From there I will do some speed tests.

I am still testing. Did install a Proxmox in a KVM. That works fine. Don't like to mess up my running Proxmox.
Next step: on this second Proxmox in a KVM I install OpenVPN directly in this KVM host.
Just to see if it works and if it does not give any trouble.

Noticed "free" OpenVPN server is not free, only 2 licenses. So first I need to install the Community edition.
Has no GUI. Do some testing. If this is working, install it on my Proxmox, see how the speed is. ppffff ...

Trial and error testing here ...
 
Here is an update of the test result.

I successfully installed OpenVPN on top of the Proxmox host.
I did turn off the Shorewall firewall. As you can see, there is a tun0 OpenVPN interface.

I can connect, all works fine. But again the speed is MAX 2 Mbps !!????
So I connect to the OpenVPN interface at IP 172.16.107.1 (OpenVPN tunnel)

And make an ssh connection. Only MAX 2 Mbps download.
When I go without the tunnel and download over ssh I have full speed !!??

How crazy is that ??? If somebody has a clue or a hint, please let me know ...

Still investigating this problem ..

eth0 Link encap:Ethernet HWaddr 6c:62:6d:d9:0a:96
     inet addr:46.4.x.y Bcast:46.4.x.255 Mask:255.255.255.255
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
     inet addr:127.0.0.1 Mask:255.0.0.0
     inet6 addr: ::1/128 Scope:Host
     UP LOOPBACK RUNNING MTU:16436 Metric:1

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:172.16.107.1 P-t-P:172.16.107.2 Mask:255.255.255.255
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet6 addr: fe80::1/128 Scope:Link
     UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

vmbr0 Link encap:Ethernet HWaddr d6:bd:c4:df:1a:b9
     inet addr:10.254.254.254 Bcast:10.255.255.255 Mask:255.0.0.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

vmbr1 Link encap:Ethernet HWaddr 2a:e7:70:18:f8:f5
     inet addr:46.4.x.y Bcast:46.4.x.y. Mask:255.255.255.255
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 
This time ... a clean installation, only Debian ... maybe I better post this at the OpenVPN forum ..

I did a clean install of Debian ... Then I installed
OpenVPN on top of this machine.... Nothing complicated, just a base setup ...

And the really strange problem is still there !!!??? Max 2mbps ?????

So it's not a Proxmox problem ...

I host this server at Hetzner .. but their servers are not directly connected to the subnet of the gateway ..
They have a default route to access the subnet on their network interface .... ;-(((


Could connect as usual:

Wed Apr 23 13:12:30 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 23 13:12:30 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 23 13:12:30 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 23 13:12:30 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 23 13:12:30 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Apr 23 13:12:30 2014 [server2] Peer Connection Initiated with [AF_INET] 78.46.x.y:1194 <--- My Debian server
Wed Apr 23 13:12:31 2014 MANAGEMENT: >STATE:1398251551,GET_CONFIG,,,
Wed Apr 23 13:12:32 2014 SENT CONTROL [server2]: 'PUSH_REQUEST' (status=1)
Wed Apr 23 13:12:32 2014 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Apr 23 13:12:32 2014 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 23 13:12:32 2014 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 23 13:12:32 2014 OPTIONS IMPORT: route options modified
Wed Apr 23 13:12:32 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 23 13:12:32 2014 MANAGEMENT: >STATE:1398251552,ASSIGN_IP,,10.8.0.6,
Wed Apr 23 13:12:32 2014 open_tun, tt->ipv6=0
Wed Apr 23 13:12:32 2014 TAP-WIN32 device [LAN-verbinding 28] opened: \\.\Global\{C20D36A6-FD19-482F-A061-490FB847CF8A}.tap
Wed Apr 23 13:12:32 2014 TAP-Windows Driver Version 9.9
Wed Apr 23 13:12:32 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {C20D36A6-FD19-482F-A061-490FB847CF8A} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Apr 23 13:12:32 2014 Successful ARP Flush on interface [2] {C20D36A6-FD19-482F-A061-490FB847CF8A}
Wed Apr 23 13:12:37 2014 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Apr 23 13:12:37 2014 MANAGEMENT: >STATE:1398251557,ADD_ROUTES,,,
Wed Apr 23 13:12:37 2014 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Apr 23 13:12:37 2014 Route addition via IPAPI succeeded [adaptive]
Wed Apr 23 13:12:37 2014 Initialization Sequence Completed

Wed Apr 23 13:12:37 2014 MANAGEMENT: >STATE:1398251557,CONNECTED,SUCCESS,10.8.0.6,78.46.x.y
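
Added example, not part of any post in this thread: a small parser for the negotiation lines in the client log above, showing that the data channel runs BF-CBC with a 128 bit key rather than the 256 bit AES assumed in the first post, so AES-NI is not involved in this tunnel. The review thresholds (64-bit-block cipher prefixes, 2048 bit RSA minimum, TLS 1.2 minimum) are assumptions of this example.

```python
import re

# Lines copied from the client log posted above (timestamps dropped).
SAMPLE_LOG = """\
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""

CIPHER_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)'")
CTRL_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+), (\d+) bit RSA")

# Assumed review policy for this example, not taken from the thread.
SMALL_BLOCK = ("BF-", "DES-", "CAST5-", "RC2-")  # 64-bit block ciphers
OLD_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}
MIN_RSA_BITS = 2048

def parse_negotiation(log_text):
    # Collect per-direction data channel settings and the control channel line.
    info = {"data": {}, "control": None}
    for line in log_text.splitlines():
        if m := CIPHER_RE.search(line):
            info["data"].setdefault(m[1].lower(), {}).update(cipher=m[2], key_bits=int(m[3]))
        elif m := HMAC_RE.search(line):
            info["data"].setdefault(m[1].lower(), {}).update(hmac=m[3], hmac_bits=int(m[2]))
        elif m := CTRL_RE.search(line):
            info["control"] = {"tls": m[1], "suite": m[2], "rsa_bits": int(m[3])}
    return info

def review(info):
    findings = []
    for direction, p in sorted(info["data"].items()):
        cipher = p.get("cipher")
        if cipher and cipher.startswith(SMALL_BLOCK):
            findings.append(f"{direction}: {cipher} uses a 64-bit block")
        if cipher and not cipher.startswith("AES-"):
            findings.append(f"{direction}: {cipher} is not accelerated by AES-NI")
    ctrl = info["control"]
    if ctrl and ctrl["tls"] in OLD_TLS:
        findings.append(f"control: {ctrl['tls']} is older than TLS 1.2")
    if ctrl and ctrl["rsa_bits"] < MIN_RSA_BITS:
        findings.append(f"control: {ctrl['rsa_bits']}-bit RSA is below {MIN_RSA_BITS}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_negotiation(SAMPLE_LOG)):
        print(finding)
```

The regular expressions use `search`, so the full timestamped lines from an OpenVPN log file can be passed in unchanged.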
 