
Author Topic: Multiple OpenVPN tunnels multicore CPU  (Read 287 times)


Offline lunkens

Multiple OpenVPN tunnels multicore CPU
« on: December 04, 2017, 06:52:54 am »
I have been trying to find info on this subject for days via Google. Since I do not know what the technical term for this is, it's hard to find  ::)

Multi-core CPU, multiple OpenVPN tunnels (4 tunnels to same provider), 1 tunnel to each core for maximum speed in decryption. Is that possible and will it increase speed?

I see statements that a Celeron Quadcore J1900 can do up to 600Mbit with 4 active tunnels, by "balancing" load on all 4 cores.  :o

Can someone please point me in the direction of a solution? Or whether it's even possible, and what "the name" of it is.   ;D

Online JKnott

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #1 on: December 04, 2017, 08:27:48 am »
I don't think you can assign a tunnel to a core.  The operating system balances the load around the cores as needed.  You can even use CPU monitors to see that.

Offline heper

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #2 on: December 04, 2017, 11:58:03 am »
> I don't think you can assign a tunnel to a core.  The operating system balances the load around the cores as needed.  You can even use CPU monitors to see that.

No, but ovpn is single-threaded, so on a quad-core you can't use more than 1/4 of its potential when using a single ovpn instance.

More instances can theoretically improve throughput... but that'll depend much on the protocols that are used. (Torrents could possibly benefit; an HTTP session to a single website won't.)

Offline Derelict

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #3 on: December 04, 2017, 12:45:21 pm »
Each client will be its own openvpn process. The kernel scheduler will do whatever it thinks is appropriate there.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline lunkens

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #4 on: December 04, 2017, 01:16:15 pm »
So if I understand this...  :o setting up 4 OPT interfaces and configuring them as an interface group?

Offline Derelict

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #5 on: December 04, 2017, 02:12:07 pm »
Why an interface group? What are you trying to accomplish?

Offline lunkens

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #6 on: December 05, 2017, 03:28:35 am »
My goal is to saturate my WAN as much as possible (500Mbit) with my current 4core router.

I am connecting to a VPN provider which allows 4 simultaneous tunnels with OpenVPN AES-256-GCM encryption.

Goal is to have OpenVPN use all 4 cores of the CPU to decrypt the traffic. This is to increase the total speed and utilize all processor power over the cores.

My reasoning of this statement is founded from the info that 1 OpenVPN tunnel can only utilize 1 core in the CPU. This is not a multi wan, rather a multi tunnel solution.

Current setup using 1 tunnel and 1 core giving me about 120Mbit.

Is this possible?  :)

Offline Derelict

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #7 on: December 05, 2017, 02:06:58 pm »
Depends on the traffic. It sounds like you want a load balancing gateway group, not an interface group.

In that case it WILL NOT bond all the connections into one large pipe. It will, however, distribute outgoing connections among the various tunnels on a per-state basis according to the gateway weights.


Offline lunkens

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #8 on: December 06, 2017, 02:59:53 pm »
So basically, if I understand this right, several tunnels will not increase download speed due to more CPU power at its disposal?

Offline Derelict

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #9 on: December 06, 2017, 03:28:38 pm »
Load balancing does not bond multiple connections into one large pipe.

The benefit you gain depends on the traffic in your environment.

https://forum.pfsense.org/index.php?topic=124373.msg697215#msg697215

Offline JoeDiffieHellman

Re: Multiple OpenVPN tunnels multicore CPU
« Reply #10 on: December 07, 2017, 01:42:47 pm »
Gateway load balancing seems to work well. I have two PIA VPN tunnels configured on an SG-3100. I have them both as part of a gateway group in tier 1, and my test machine matches a firewall rule that sends all traffic to that gateway group by default.

When running a Speedtest, the download test uses both tunnels - one openvpn process on each CPU. During the upload test, it only uses one of the tunnels. If I have the gateway group prefer one tunnel over the other, the download test only uses that tunnel and not the other, and the upload behavior doesn't change. I was able to confirm that by watching top from a console and looking at the bandwidth monitor.

I managed to pull down 60 mbit over OpenVPN doing it this way a few times, but on average it was about 50 mbit. I know there's more throughput available here given the hardware specs, so I need to figure out the best encryption algorithm to use. I want to try a real bench test to take the intertubes variable out of the equation to see how this really works.
« Last Edit: December 07, 2017, 03:03:50 pm by JoeDiffieHellman »
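
The per-state balancing described in replies #7 and #10, as an added illustration that is not part of any post in this thread: a simplified Python model of a gateway group. Assumptions: new states are placed by weighted round-robin, flows inside one tunnel share it max-min fairly, and the caps are the 120 Mbit single-tunnel and 500 Mbit WAN figures quoted above.

```python
from itertools import cycle

TUNNEL_CAP_MBIT = 120  # one OpenVPN process on one core, figure from the thread
WAN_CAP_MBIT = 500     # WAN speed quoted in the thread

def assign_states(num_flows, weights):
    """Pin each new connection (state) to one tunnel, weighted round-robin."""
    pool = [gw for gw, w in enumerate(weights) for _ in range(w)]
    if not pool:
        raise ValueError("at least one gateway needs a non-zero weight")
    picker = cycle(pool)
    return [next(picker) for _ in range(num_flows)]

def fair_share(demands, cap):
    """Max-min fair split of one tunnel's capacity among the flows pinned to it."""
    rates = [0.0] * len(demands)
    left = float(cap)
    todo = sorted(range(len(demands)), key=lambda i: demands[i])
    while todo:
        share = left / len(todo)
        i = todo.pop(0)              # smallest remaining demand first
        rates[i] = min(demands[i], share)
        left -= rates[i]
    return rates

def simulate(demands, weights, tunnel_cap=TUNNEL_CAP_MBIT, wan_cap=WAN_CAP_MBIT):
    """Return (per-flow rates, per-tunnel load, total), all in Mbit/s."""
    placement = assign_states(len(demands), weights)
    rates = [0.0] * len(demands)
    for gw in range(len(weights)):
        members = [i for i, g in enumerate(placement) if g == gw]
        shares = fair_share([demands[i] for i in members], tunnel_cap)
        for i, r in zip(members, shares):
            rates[i] = r
    total = sum(rates)
    if total > wan_cap:              # the physical link is the last bottleneck
        rates = [r * wan_cap / total for r in rates]
    load = [sum(r for r, g in zip(rates, placement) if g == gw)
            for gw in range(len(weights))]
    return rates, load, sum(rates)

if __name__ == "__main__":
    print(simulate([500], [1, 1, 1, 1]))        # one big download: 120 total
    print(simulate([100] * 8, [1, 1, 1, 1]))    # eight flows: 480 total
    print(simulate([100] * 8, [3, 1, 0, 0]))    # skewed weights: 240 total
```

A single state never exceeds one tunnel's cap regardless of how many tunnels exist; only concurrent states spread across cores.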