How do I lower OpenVPN CPU usage server side?

How would I minimize my CPU usage, does COMP-LZO use a lot of CPU?

Comments

  • exception0x876 Member, Host Rep, LIR

    You might want to provide your server config file so we can see what possible improvements can be made.

  • Removing compression will help, using lighter ciphers will help more.

    Thanked by 1elgs
  • Nyr Community Contributor, Veteran

    LowEndAddiction said: does COMP-LZO use a lot of CPU

    Depends on the data you are transferring.

    tehdan said: Removing compression will help, using lighter ciphers will help more.

    This. Which cipher are you using, @LowEndAddiction? Does your CPU support AES-NI? What throughput are you expecting? What's the network between you and the server?

  • edited February 2016

    @Nyr said:
    This. Which cipher are you using, LowEndAddiction? Does your CPU support AES-NI? What throughput are you expecting? What's the network between you and the server?

    I am a casual torrenter and I have a 150Mbit download speed. I use AES-256-CBC (which I modified in your OpenVPN installer script) but I have tried using BF-CBC and AES-128-CBC and I get around the same results. I am on the East Coast of the US and I am connecting to Italy and I get no more than around 10Mbps. The server is on a 1Gbps connection. A traceroute seems to show some Level3 and private peering. Average ping on a 60 second test is 123ms.

  • Nyr Community Contributor, Veteran

    LowEndAddiction said: I use AES-256-CBC (which I modified in your OpenVPN installer script) but I have tried using BF-CBC and AES-128-CBC and I get around the same results.

    Don't use AES-256-CBC, that's overkill. Do AES-128-CBC if AES-NI is available on the server or BF-CBC if not. But this is most likely not the limiting factor if you are only getting 10 megabits.

    LowEndAddiction said: I am on the East Coast of the US and I am connecting to Italy and I get no more than around 10Mbps.

    That's likely a problem. What are you using the VPN for? Does it need to be in Europe/Italy or could you switch to a network near you?

  • Are you even seeing high CPU usage? Or do you just assume that's what is causing the low throughput? Might want to see the other OpenVPN thread for instructions about increasing your send/receive buffers; that can provide a massive boost in throughput.

    Thanked by 1netomx
  • @Nyr said:
    That's likely a problem. What are you using the VPN for? Does it need to be in Europe/Italy or could you switch to a network near you?

    I would prefer somewhere in Europe, preferably a country that respects privacy. Netherlands or Italy seems to be fine for me. Aside from that point, the CPU on my VPS is an "Intel Xeon E312xx (Sandy Bridge)" with a CPU MHz of 1999.999. I had tried disabling COMP-LZO as it is constantly compressing/decompressing as well as OpenVPN itself is constantly encrypting/decrypting. I know this is a weaker CPU to use for OpenVPN but I'm hoping it will do. I am seeing around 20%-30% of the CPU being used and I am going to need that as low as possible.

  • if you type:

    cat /proc/cpuinfo

    does it list 'aes' in the flags section?

  • Or this (just makes it easier for spotting) ▼

    cat /proc/cpuinfo |grep -io "aes"
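
Added example (not part of any post in this thread): a stricter form of the check above that matches `aes` only as a whole CPU flag, then emits the cipher line following the thread's advice (AES-128-CBC with AES-NI, BF-CBC without). The function names and the sample CPU data are constructed for illustration; reading ARM `Features` lines goes beyond the x86 case discussed here.

```shell
#!/bin/sh
# Added example, not code from the thread.

# has_aes FILE: exit 0 if a cpuinfo-format FILE advertises AES instructions.
# Only "flags" (x86) or "Features" (ARM) lines are read, and "aes" must be a
# whole token, so "vaes" or a model name containing "AES" does not match.
has_aes() {
    awk -F: '
        $1 ~ /^(flags|Features)[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# choose_cipher FILE: print the cipher the thread recommends for this CPU.
# Returns 2 when FILE cannot be read, instead of silently assuming "no AES".
choose_cipher() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if has_aes "$1"; then
        echo "AES-128-CBC"    # AES-NI available
    else
        echo "BF-CBC"         # the thread's fallback without AES-NI
    fi
}

# cipher_directive FILE: the OpenVPN config line (server and client must match).
cipher_directive() {
    c=$(choose_cipher "$1") || return $?
    printf 'cipher %s\n' "$c"
}

# Constructed sample inputs, not taken from any real host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'model name\t: Constructed CPU A\nflags\t\t: fpu sse2 aes avx\n' > "$tmp/with_aes"
printf 'model name\t: Constructed AES-less CPU\nflags\t\t: fpu sse2 vaes\n' > "$tmp/no_aes"

for f in "$tmp/with_aes" "$tmp/no_aes"; do
    printf '%s -> %s\n' "${f##*/}" "$(cipher_directive "$f")"
done
# On a Linux server, check the live CPU as well.
if [ -r /proc/cpuinfo ]; then cipher_directive /proc/cpuinfo; fi
```

BF-CBC is the fallback named in this 2016 thread; it is a 64-bit-block cipher that OpenVPN has since deprecated, so on current releases substitute a supported cipher in `choose_cipher`. On a VPS the hypervisor decides which flags the guest sees, so a missing `aes` flag may reflect the host's configuration and not the physical CPU.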

  • Nyr Community Contributor, Veteran

    LowEndAddiction said: I would prefer somewhere in Europe, preferably a country that respects privacy. Netherlands or Italy seems to be fine for me.

    Italy is horrible about that, honestly not better than Canada which is a lot closer.

    LowEndAddiction said: Aside from that point, the CPU on my VPS is an "Intel Xeon E312xx (Sandy Bridge)" with a CPU MHz of 1999.999. I had tried disabling COMP-LZO as it is constantly compressing/decompressing as well as OpenVPN itself is constantly encrypting/decrypting. I know this is a weaker CPU to use for OpenVPN but I'm hoping it will do. I am seeing around 20%-30% of the CPU being used and I am going to need that as low as possible.

    A dedicated E3 core can do 100 mbps just fine, likely your node is a bit busy. LZO (adaptive) is not always compressing, only when it's appropriate to do so. Other than that, transit from your US ISP to Italy could be crappy/congested.

    Just so you can get an idea, I can "only" do about 50 mbps to my VPN in RU from ES, depending on the time of the day. You can get a VPS on a better network? Maybe. Are you going to hit 150 mbps between most Italian ISPs and your home connection? Likely not.

  • edited February 2016

    @Nyr said:
    Just so you can get an idea, I can "only" do about 50 mbps to my VPN in RU from ES, depending on the time of the day. You can get a VPS on a better network? Maybe. Are you going to hit 150 mbps between most Italian ISPs and your home connection? Likely not.

    It is a shared E3 core, sadly. I would like to stick with a NAT VPS as it offers more anonymity because more servers/users are behind one IP. I am on the fence about using a VPN as I am paranoid, but I don't want to be on a server with a dedicated IP either... To the Netherlands I was unable to get over 10Mbps as well, maybe it's my ISP, but doing a tracert I saw a lot of Cogent and Level3. Just looking to get more than ~10Mbps to be honest.

    P.S: My CPU does show "aes" when doing cat /proc/cpuinfo

  • Nyr Community Contributor, Veteran

    LowEndAddiction said: P.S: My CPU does show "aes" when doing cat /proc/cpuinfo

    Then, using AES-128-CBC will help a bit (not a lot) with the CPU load. My suggestion? Spin up a Vultr/DO instance in NYC just to check what speeds you are getting there. Then, check with an Amsterdam instance.

    My guess? Amsterdam would perform better than your current VPS and NYC will get you very decent speeds where CPU will be the real bottleneck.

    TL;DR: not much you can do with that Italian VPS, get one which performs better and is in a closer network if you are concerned about speeds.

  • @Nyr said:
    TL;DR: not much you can do with that Italian VPS, get one which performs better and is in a closer network if you are concerned about speeds.

    Thanks for the advice! One more thing... Is it possible that you can add an option for an RSA4096 certificate in your setup script?

  • Ole_Juul Member
    edited February 2016

    LowEndAddiction said: I would prefer somewhere in Europe, preferably a country that respects privacy.

    It is more important where the company is incorporated because that is where a suit needs to go. The actual location of the server is less relevant because it will, presumably, be non-logging and you will have paid anonymously so they don't have ready information on you.

    LowEndAddiction said: I would like to stick with a NAT VPS as it offers more anonymity because more servers/users are behind one IP.

    Commercial VPNs let you hop around all over the world. Some even randomly route you through various nodes before you reach your exit IP. But more importantly, whatever IP you have at any given time will be shared by others all over the world. You really can't compare a commercial VPN with a single node operated by yourself. They are quite different and a self hosted one will not give you much anonymity, only some privacy.

  • @Ole_Juul said:

    I do know all about VPNs and how they work. I am actually subscribed to a few and tried about 5-6 in the past year or so. I do not trust VPN companies to be completely honest. I do not believe that a VPN company will accept the consequences or allow themselves to be constantly bothered by authorities or copyright infringement notices because of a couple users. They will eventually find out who's doing it and log them. If the VPN provider themselves don't log, there's always a chance that the datacenter logs which is a strong possibility in the US as the new CISA laws and many providers do not want to have their services used for anonymous traffic as IP ranges will start to become blacklisted because of abusive users. That being said, I will try my chances with a NAT IPv4 VPS as I have full control over my server and use it for hosting small websites, etc. I am not really doing anything on it other than torrenting and usual browsing.

  • Nice to see that you're thinking this through. I think that is the most important aspect of security and privacy that one needs to work on. Many people just choose a solution without having thoroughly considered their personal threat model and how the various components work with that and together.

    I do like your idea of using a NAT VPS.

  • Nyr Community Contributor, Veteran

    LowEndAddiction said: Is it possible that you can add an option for an RSA4096 certificate in your setup script?

    Possible? Yes. Will I? Not now.
