Poor network performance with Zeroshell VM

tommisan

Renowned Member
Dec 9, 2014
36
0
71
Hi Everyone,

I am using a OpenVPN server (Zeroshell 3.8.2, Linux distribution) on a Proxmox VM environment (enterprise repo).

The problem is that the vm has really poor network performance on a full Gb network.

Best (unexpected) results are with Intel e1000 and vmxnet3 driver, but we are talking about max 6 MB/s on Gb NIC. VirtIO performs around 1MB/s.

I tested on a Proxmox cluster (4.4) and on a single node (5.1), similar results.

With a similar Zeroshell setup on a very old physical server I can easily get 24 MB/s.

No firewall on Proxmox, NIC are in Linux bridge mode.

I would appreciate any ideas.
Thanks
 
Last edited:
This is VM config with virtio driver (which I generally use in linux vm):

bootdisk: scsi0
cores: 1
ide2: none,media=cdrom
memory: 4092
name: zeroshell
net0: virtio=...,bridge=vmbr0
net1: virtio=..,bridge=vmbr1
net2: virtio=...,bridge=vmbr2
numa: 0
ostype: l26
scsi0: qnap:103/vm-103-disk-1.qcow2,size=8G
scsihw: virtio-scsi-pci
smbios1: uuid=...
sockets: 1
 
I am using a OpenVPN server (Zeroshell 3.8.2, Linux distribution) on a Proxmox VM environment (enterprise repo).
The problem is that the vm has really poor network performance on a full Gb network.
For encrypted traffic? If so, it could help to expose AES CPU Flag to the VM.
So, try to set the VM CPU type to "host", shutdown the VM, then start it again.
 
log vpn

2018-01-24 16:44:39 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-24 16:44:39 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-24 16:44:39 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

test openssl speed

The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
bf-cbc 73126.65k 80542.50k 83113.21k 84060.81k 84526.05k

The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 46269.65k 51255.30k 52734.89k 83771.73k 84243.40k
 
test with different CPU core and driver:

VMXNET3 driver
2 core (CPU set to default kvm64)-> 10 MB/s (CPU 70% under file transfert, default use CPU 5%)

E1000 driver
1 core (CPU set to default kvm64) -> 6 MB/s (CPU about 130% under file transfert, default use CPU 7%)
4 core (CPU set to default kvm64)-> 9.2 MB/s (CPU 40% under file transfert, default use < CPU 3%)
4 core (CPU set to host) -> 9.5 MB/s (CPU 40% under file transfert, default use < CPU 3%)

virtio driver
1 core (CPU set to default kvm64) -> about 1 MB/s (CPU about 20% under file transfert, default use CPU 7%)
4 core (CPU set to default kvm64)-> about 1 MB/s (CPU 7% under file transfert, default use < CPU 3%)
4 core (CPU set to host)-> about 1 MB/s (CPU 5% under file transfert, default use < CPU 3%)

RTL8139 driver
2 core (CPU set to default kvm64)-> about 9 MB/s (CPU 80% under file transfert)
 
Last edited:
That's really strange. The benchmarks look good, so it is not an encryption throughput problem. Maybe some offloading does not work correctly inside of the guest?

Are your benchmarks done with or without encryption? If they were done with encryption, please benchmark without to get the base line.
 
I did some test with iperf3
It seems a problem with the VPN logical/software interface (maybe related to openvpn?)

On the public physical NIC (ethx) I get 65 MB/s, which is reasonable value. (In the private NIC I get 90 MB/s)

On the VPN logical NIC (VPN99) I get the same 10-12 MB/s

Could be also interesting to know the max speed of a OpenVPN server (TCP, encrypted) on a Gb NIC..I got 24 MB/s on an old server
 
Latest tests:
openvpn with tcp and udp showed similar values (8-11MB/s). udp performed better but still close to tcp values
openvpn without encrpytion (--cypher none): 12.5 MB/s

In another datacenter with a openvpn server (tcp, encrypted) installed on a brand new physical server I got 24 MB/s (Gb network).

Has anyone achieved better results of 24 MB/s in a Gb network with openvpn?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!