Version 15 (Baptiste Jonglez, 08/06/2014 16:29) → Version 16/17 (Baptiste Jonglez, 08/06/2014 16:39)

{{>toc}}

h1. VPN Benchmark

Goal: *study the performance of various VPN solutions on small OpenWRT routers.*

The end goal is to use the tunnels to route public IPs: [[Partage_ADSL_OpenVPN]]

For the other selection criteria (ease of setup, security, etc.), see [[VPN]].

h2. Methodology

Hardware: one router to benchmark and two test computers (see below for how to make do with a single test computer)

The router brings up a VPN tunnel with a computer plugged into its WAN port. On the LAN side, the other computer connects normally.

As a diagram:

!benchmark-setup.png!

Once this setup is in place, run iperf in TCP mode between the two laptops, through the tunnel (i.e. between 192.168.42.1 and 172.23.38.2 in the diagram).

We don't run iperf on the router itself, because iperf uses a fair amount of CPU on its own. Also, the router runs neither a firewall nor NAT.

Tests to run: *iperf TCP between the two laptops, in both directions*, in the following cases:

* large packets (1400 bytes), then small packets (cf. VoIP: 50 to 100 bytes, the standard measurement being 64 bytes)
* without going through the VPN (baseline), then through the VPN

Measured parameters:

* throughput as measured by iperf, from which the number of packets per second is derived (mind the header sizes in the calculation)
* CPU consumption on the router (hard to automate / reproduce?)

Other possible tests:

* with/without a stateful firewall
* client connected over wifi rather than on one of the LAN ports (but the results are likely to depend heavily on the wifi hardware)

In the long run, this process could be automated, for example with an OpenWRT package for the router and a ready-made configuration and/or script for the tester.

h3. Notes on iperf

* Choosing the packet size is tricky (the "-M" option does odd things...)
* The throughput reported by iperf is the TCP payload. With small packets, the reported throughput can easily be half the raw throughput on the interface (TCP/IP/Ethernet header overhead)
* The figures are therefore to be taken with a grain of salt... The order of magnitude is what matters.

h3. With a single laptop

Testing with a single laptop is possible if it has two network interfaces (for example a USB network adapter). It takes a bit of fiddling, though: running iperf towards one of the laptop's own addresses stays local and never goes through the router.

Solution: use Linux *network namespaces*. The technique is described here: http://blog.bofh.it/debian/id_446

The first interface is eth0, which will be plugged into the WAN (i.e. the VPN side), while eth1 is used as a plain client on the LAN.

<pre>
# Create a namespace for the LAN-side client and move eth1 into it
ip netns add bench
ip link set eth1 netns bench
# Bring up loopback and eth1 inside the namespace
ip netns exec bench ip link set lo up
ip netns exec bench ip link set eth1 up
</pre>

Then just run every eth1 operation with @ip netns exec bench@ in front, or simply start a shell in the new namespace:

<pre>
ip netns exec bench /bin/bash
</pre>

h2. Related

Nothing very concrete on the OpenWRT side:

* http://wiki.openwrt.org/doc/howto/performance
* http://wiki.openwrt.org/doc/hardware/performance

h2. Results

h3. Template

Example result (fictional):

|_.Techno |_.Version |_.Packet size |_.In throughput |_.In measured pps |_.Out throughput |_.Out measured pps |_.Router CPU load |
|/2. No VPN |/2. linux 3.3.8 | 1500 | 95 Mbps | 3K | 95 Mbps | 3K | 50% sirq |
| 64 | 50 Mbps | 15K | 50 Mbps | 15K | 95% sirq |
|/2. Openvpn |/2. 2.2 | 1500 | 40 Mbps | 1K | 35 Mbps | 1K | 10% sirq, 90% openvpn |
| 64 | 5 Mbps | 5K | 10 Mbps | 5K | 50% sirq, 50% openvpn |
|/2. PPP/L2TPv2 |/2. linux 3.3.8
xl2tp 1.3.1 | 1500 | 40 Mbps | 1K | 35 Mbps | 1K | 20% sirq, 80% kernel |
| 64 | 5 Mbps | 5K | 10 Mbps | 5K | 50% sirq, 50% kernel |

"in" and "out" throughput are defined with respect to the client. "in" is VPN server to LAN client, "out" is LAN client to VPN server.

h3. TP-Link WR841N v8

See specs: http://wiki.openwrt.org/toh/tp-link/tl-wr841nd#hardware

*Notes:*

* The router is running AA 12.09.1 (2cd71e9e), with default queuing policies (no QoS). Note that the tunnels don't have transmit queues.
* The laptop used for benchmarking is running Archlinux, and uses the "netns" trick with two network cards (integrated gigabit and USB gigabit)
* "Payload size" is the size of the TCP payload when using iperf in TCP mode. If you specify "iperf -M X", then the size of the TCP payload is "X - 12" (don't ask me why...)
* IN: from VPN server to LAN client
* OUT: from LAN client to VPN server
* The format for versions is <code><software> <version used by the router> (<version used by the VPN server, i.e. laptop>)</code>
* Each throughput figure is obtained by a 60-second TCP iperf session
* CPU usage is determined by looking hard at <code>top</code>, so consider it ±5% (if not a bit more)
* Except where noted otherwise, everything uses the default config:
** OpenVPN: no compression, 2048 RSA static key, p2p mode, UDP, Blowfish, SHA1
** Tinc: no compression, 2048 RSA key, Blowfish, SHA1
* This is TCP: for small packets, the ACKs are far from negligible (small UDP packets should produce much better throughputs, probably x1.5)
* Analysis: see Analysis below the table
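
The pps column of the results table is the page's own conversion (iperf payload throughput divided by payload size). The following is an added example, not code from the original page: it applies that conversion and also computes the raw on-the-wire rate that the "Notes on iperf" section warns about, by adding the Ethernet, IPv4 and TCP headers, the 12-byte TCP timestamp option (which is what turns "iperf -M X" into an X - 12 byte payload) and the encapsulation bytes of the IPIP and GRE kernel tunnels. The iperf summary lines it parses are constructed for the example; the iperf 2 report-line format and the header sizes are standard, while the @extra_encap@ parameter for user-space VPNs is an assumption of this example, since their per-packet overhead depends on cipher, auth and padding.

```python
"""Derive packets per second and on-the-wire throughput from iperf TCP figures.

Added example, not part of the original wiki page. It applies the page's
method (pps = payload throughput / payload size) and adds the header overhead
the page warns about: Ethernet, IPv4, TCP with the 12-byte timestamp option
(which is why "iperf -M X" yields an X - 12 byte payload) and, for the kernel
tunnels, the encapsulation bytes. The iperf summary lines in the demo are
constructed for this example, not captured output.
"""
import re

ETH_HDR = 14      # Ethernet header only; preamble, FCS and inter-frame gap are ignored
IPV4_HDR = 20     # IPv4 header without options
TCP_HDR = 20      # TCP header without options
TCP_TS_OPT = 12   # TCP timestamp option (10 bytes) + 2 NOP bytes, enabled by default on Linux

# Bytes each tunnel adds between the outer Ethernet header and the inner IPv4
# header. Only kernel tunnels from the page's table are listed; user-space VPNs
# (OpenVPN, tinc) vary with cipher, auth and padding, so their overhead is
# passed explicitly via extra_encap (an assumption of this example).
ENCAP_BYTES = {
    "none": 0,
    "ipip": IPV4_HDR,        # outer IPv4 header
    "gre": IPV4_HDR + 4,     # outer IPv4 header + minimal GRE header (no key/seq)
}

_SUMMARY_RE = re.compile(r"([\d.]+)\s+([KMG])bits/sec")
_UNIT_TO_MBPS = {"K": 1e-3, "M": 1.0, "G": 1e3}


def parse_iperf_summary(line):
    """Return the throughput in Mbit/s from an iperf 2 report line such as
    '[  3]  0.0-60.0 sec   674 MBytes  94.2 Mbits/sec'."""
    m = _SUMMARY_RE.search(line)
    if not m:
        raise ValueError("no throughput found in: %r" % line)
    return float(m.group(1)) * _UNIT_TO_MBPS[m.group(2)]


def payload_from_mss(mss):
    """TCP payload per segment when iperf is run with '-M mss': the timestamp
    option takes 12 bytes out of the MSS, hence the page's 'X - 12'."""
    return mss - TCP_TS_OPT


def packets_per_second(throughput_mbps, payload_bytes):
    """The page's own conversion: payload bits per second / payload bits per packet."""
    return throughput_mbps * 1e6 / (payload_bytes * 8)


def wire_bytes_per_packet(payload_bytes, tunnel="none", extra_encap=0):
    """Bytes one data segment occupies on the WAN link (Ethernet frame size)."""
    return (ETH_HDR + ENCAP_BYTES[tunnel] + extra_encap
            + IPV4_HDR + TCP_HDR + TCP_TS_OPT + payload_bytes)


def wire_throughput_mbps(throughput_mbps, payload_bytes, tunnel="none", extra_encap=0):
    """Raw bit rate on the link in the data direction implied by an iperf payload
    figure (the ACK stream flowing the other way is not counted)."""
    pps = packets_per_second(throughput_mbps, payload_bytes)
    return pps * wire_bytes_per_packet(payload_bytes, tunnel, extra_encap) * 8 / 1e6


def analyze(line, payload_bytes, tunnel="none", extra_encap=0):
    """Bundle the figures a benchmark row needs from one iperf summary line."""
    mbps = parse_iperf_summary(line)
    wire = wire_throughput_mbps(mbps, payload_bytes, tunnel, extra_encap)
    return {
        "payload_mbps": mbps,
        "pps": round(packets_per_second(mbps, payload_bytes)),
        "wire_mbps": round(wire, 1),
        # how much iperf under-reports the link load; ~1.05 at 1448 B, ~1.9 at 76 B
        "overhead_factor": round(wire / mbps, 2),
    }


if __name__ == "__main__":
    # Constructed sample lines, with values chosen to match the page's table.
    runs = [
        ("No VPN, 1448 B", "[  3]  0.0-60.0 sec   674 MBytes  94.2 Mbits/sec", 1448, "none"),
        ("No VPN, 76 B",   "[  3]  0.0-60.0 sec   124 MBytes  17.4 Mbits/sec", 76, "none"),
        ("GRE, 76 B",      "[  3]  0.0-60.0 sec  75.1 MBytes  10.5 Mbits/sec", 76, "gre"),
    ]
    for label, line, payload, tunnel in runs:
        print(label, analyze(line, payload, tunnel))
```

With the 76-byte payload the wire rate comes out at roughly 1.9 times the iperf figure, which is the "easily twice as low" effect described in the iperf notes; with 1448-byte payloads the 1514-byte frames put the baseline run within a few percent of the 100 Mbit/s line rate.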

|_.Techno |_.Version |_.Payload size |_.Direction |_.Throughput |_.pps |_.CPU (usr) |_.CPU (sys) |_.CPU (sirq) |_.Comment |
|_/4.No VPN |/4. linux 3.3.8 (3.14.5) |/2. 1448 | IN |=. 94.2 Mbps |>. 8129 |=. |=. |=. 50% | Line speed |
| OUT |=. 94.2 Mbps |>. 8129 |=. |=. |=. 55% | Line speed |
|/2. 76 | IN |=. 17.4 Mbps |>. 28590 |=. |=. |=. 99% | |
| OUT |=. 23.4 Mbps |>. 38463 |=. |=. |=. 99% | |
|_/4.GRE |/4. linux 3.3.8 (3.14.5) |/2. 1448 | IN |=. 92.7 Mbps |>. 8003 |=. |=. |=. 78% | Line speed |
| OUT |=. 92.8 Mbps |>. 8014 |=. |=. |=. 88% | Line speed |
|/2. 76 | IN |=. 10.5 Mbps |>. 17197 |=. |=. |=. 99% | |
| OUT |=. 9.92 Mbps |>. 16309 |=. |=. |=. 99% | |
|_/4.IPIP |/4. linux 3.3.8 (3.14.5) |/2. 1448 | IN |=. *93.0 Mbps*|>. 8024 |=. |=. |=. *70%* | Line speed |
| OUT |=. *93.0 Mbps*|>. 8026 |=. |=. |=. *80%* | Line speed |
|/2. 76 | IN |=. 11.3 Mbps |>. 18602 |=. |=. |=. 99% | |
| OUT |=. 11.4 Mbps |>.*18803*|=. |=. |=. 99% | |
|_/4.PPP/L2TPv2 |/4. linux 3.3.8 (3.14.5)
xl2tp 1.3.1 (1.3.6) |/2. 1448 | IN |=. 88.8 Mbps |>. 7661 |=. |=. |=. 99% | Router is not very |
| OUT |=. 88.6 Mbps |>. 7648 |=. |=. |=. 99% | responsive (sometimes |
|/2. 76 | IN |=. 9.59 Mbps |>. 15780 |=. |=. |=. 99% | the PPP session |
| OUT |=. 8.36 Mbps |>. 13745 |=. |=. |=. 99% | even times out) |
|_/4.Tinc
Default cipher
Default digest |/4. tinc 1.0.21 (1.0.24)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. 15.9 Mbps |>. 1369 |=. 55% |=. 20% |=. 25% | |
| OUT |=. 15.1 Mbps |>. 1301 |=. 50% |=. 25% |=. 25% | |
|/2. 76 | IN |=. 1.26 Mbps |>. 2069 |=. 40% |=. 25% |=. 35% | |
| OUT |=. 1.30 Mbps |>. 2140 |=. 40% |=. 30% |=. 30% | |
|_/4.OpenVPN
Default cipher
Default auth |/4. openvpn 2.2.2 (2.3.4)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. *17.9 Mbps*|>. 1548 |=. 55% |=. 20% |=. 25% | |
| OUT |=. 15.6 Mbps |>. 1345 |=. 53% |=. 23% |=. 23% | |
|/2. 76 | IN |=. 1.46 Mbps |>. *2395*|=. 40% |=. 25% |=. 35% | |
| OUT |=. 1.29 Mbps |>. 2116 |=. 40% |=. 30% |=. 30% | |
|_/4.Tinc
No cipher
Default digest |/4. tinc 1.0.21 (1.0.24)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. 22.9 Mbps |>. 1975 |=. 45% |=. 27% |=. 27% | |
| OUT |=. 21.3 Mbps |>. 1842 |=. 40% |=. 35% |=. 25% | |
|/2. 76 | IN |=. 1.53 Mbps |>. 2511 |=. 35% |=. 30% |=. 35% | |
| OUT |=. 1.57 Mbps |>. 2574 |=. 35% |=. 35% |=. 30% | |
|_/4.OpenVPN
No cipher
Default auth |/4. openvpn 2.2.2 (2.3.4)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. *26.8 Mbps*|>. 2313 |=. 35% |=. 30% |=. 35% | |
| OUT |=. 26.2 Mbps |>. 2264 |=. 35% |=. 30% |=. 30% | |
|/2. 76 | IN |=. 1.92 Mbps |>. *3153*|=. 30% |=. 30% |=. 40% | |
| OUT |=. 1.90 Mbps |>. 3130 |=. 30% |=. 35% |=. 35% | |
|_/4.Tinc
Default cipher
No digest |/4. tinc 1.0.21 (1.0.24)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. *23.9 Mbps*|>. 2062 |=. 45% |=. 27% |=. 27% | |
| OUT |=. 21.9 Mbps |>. 1890 |=. 35% |=. 35% |=. 30% | |
|/2. 76 | IN |=. 1.95 Mbps |>. 3206 |=. 25% |=. 30% |=. 45% | |
| OUT |=. 1.96 Mbps |>. *3225*|=. 25% |=. 40% |=. 35% | |
|_/4.OpenVPN
Default cipher
No auth |/4. openvpn 2.2.2 (2.3.4)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. 22.0 Mbps |>. 1899 |=. 50% |=. 20% |=. 30% | |
| OUT |=. 18.9 Mbps |>. 1632 |=. 50% |=. 20% |=. 25% | |
|/2. 76 | IN |=. 1.71 Mbps |>. 2819 |=. 35% |=. 30% |=. 35% | |
| OUT |=. 1.46 Mbps |>. 2403 |=. 40% |=. 30% |=. 30% | |
|_/4.Tinc
No cipher
No digest |/4. tinc 1.0.21 (1.0.24)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. *42.2 Mbps*|>. 3639 |=. 10% |=. 45% |=. 45% | |
| OUT |=. 36.7 Mbps |>. 3167 |=. 10% |=. 50% |=. 40% | |
|/2. 76 | IN |=. 2.60 Mbps |>. 4276 |=. 10% |=. 40% |=. 50% | |
| OUT |=. 2.59 Mbps |>. 4257 |=. 10% |=. 45% |=. 45% | |
|_/4.OpenVPN
No cipher
No auth |/4. openvpn 2.2.2 (2.3.4)
OpenSSL 1.0.1g (1.0.1.g) |/2. 1448 | IN |=. *42.8 Mbps*|>. 3693 |=. 15% |=. 35% |=. 50% | |
| OUT |=. 41.8 Mbps |>. 3607 |=. 10% |=. 45% |=. 45% | |
|/2. 76 | IN |=. 2.68 Mbps |>. *4411*|=. 15% |=. 35% |=. 50% | |
| OUT |=. 2.66 Mbps |>. 4380 |=. 15% |=. 40% |=. 45% | |

*Analysis:*

* Unsurprisingly, kernelspace tunnels are much faster than userspace tunnels
* IPIP is slightly faster than GRE (but does not support IPv6)
* L2TPv2 is slightly slower than GRE or IPIP, and has a higher packet overhead; however, it can be simpler to deploy (see [[VPN#PPPL2TPv2]])
* *but* don't use L2TPv2 if you expect very high throughput: the control messages get completely overlooked by our busy router and the session drops
* OpenVPN is slightly faster than Tinc, _except_ when encrypting packets without authenticating them (which is kind of funny). But basically, use whichever you like best; there is no real difference.
* PPS performance is definitely not great: 4K in userspace, 19K in kernelspace. Remember, though, that this is TCP, so the router is also busy forwarding ACKs.
* Unless you need high throughput, Tinc or OpenVPN without crypto have quite acceptable performance.