From: <J.W...@mi...> - 2012-03-07 15:30:06
See below:

-----Original Message-----
From: David Sommerseth [mailto:ope...@to...]
Sent: Wednesday, February 22, 2012 3:47 PM
To: Jason Haar
Cc: ope...@li...
Subject: Re: [Openvpn-users] latency issues on larger scale OpenVPN setup

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Probably many things. But I suspect the biggest impact might be if it has separate threads to do the key negotiation/exchange (KEX). This way the threads which take care of the traffic flow will more easily be able to flow freely and not be blocked by the KEX.

Another factor might be if it is a complete hardware/software box which also got a built-in RSA/SSL accelerator - which can offload the main CPU from doing much of the heavy lifting the KEX process requires.

OpenVPN is a *single threaded* application, which basically runs no faster than what OpenSSL is able to churn - where each client is processed sequentially. This is definitely a drawback with many clients and high activity on the VPN.

And if you wonder ... yes, we'd like to make use of some multi-threaded approaches. It just takes time to do that right, and the code needs plenty of cleaning up first before we dare looking into that. But this is really on the roadmap for a future OpenVPN 3 base. But it's not going to happen this year or next year, that's pretty sure :) ... unfortunately.

kind regards,

David Sommerseth

------------------------------------------------------------------------------

Hi David,

What puzzles me is that if re-keying is blocking everything (all users) within that server-process, I would expect that during that time, those processes would get 100% CPU. But they don't. I've seen other processes (like mysql) getting a cpu-burst, but all the vpn-processes are on average between 5 and 15 % cpu. I got a hifn crypto-processors, but never installed, as I got the impression that modern CPUs were capable enough.
Btw, in our box we got dual quad-core Intel E5440

Hans
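A toy model of the sequential, single-threaded processing described in the quoted reply, added here as an illustration and not taken from OpenVPN or from either poster. It reports both the CPU share and the worst packet delay for one thread that serves data packets and key exchanges in arrival order; every name and timing value (50 clients, 0.01 ms per packet, 20 ms per key exchange) is a constructed assumption, not a measurement.

```python
# Added illustration: toy model, all numbers constructed (not OpenVPN measurements).
from dataclasses import dataclass

@dataclass
class Job:
    arrival: float  # ms since start
    cost: float     # ms of CPU the single thread spends on it
    kind: str       # "data" or "kex"

def build_workload(duration, clients, pkt_every, pkt_cost, rekey_every, kex_cost):
    """Each client sends a packet every pkt_every ms and rekeys every rekey_every ms."""
    jobs = []
    for c in range(clients):
        t = c * pkt_every / clients            # stagger client packets evenly
        while t < duration:
            jobs.append(Job(t, pkt_cost, "data"))
            t += pkt_every
        t = (c + 1) * rekey_every / clients    # stagger key exchanges evenly
        while kex_cost > 0 and t < duration:
            jobs.append(Job(t, kex_cost, "kex"))
            t += rekey_every
    return sorted(jobs, key=lambda j: j.arrival)

def simulate(jobs, duration):
    """Serve jobs strictly one at a time; return (cpu_utilisation, worst_data_delay_ms)."""
    clock = busy = worst = 0.0
    for job in jobs:
        clock = max(clock, job.arrival) + job.cost   # wait for the thread, then run
        busy += job.cost
        if job.kind == "data":
            worst = max(worst, clock - job.arrival)
    return busy / duration, worst

def run(kex_cost):
    """Simulate a 10 s window with the given (assumed) cost per key exchange in ms."""
    duration = 10_000.0
    jobs = build_workload(duration, clients=50, pkt_every=10.0, pkt_cost=0.01,
                          rekey_every=10_000.0, kex_cost=kex_cost)
    return simulate(jobs, duration)

if __name__ == "__main__":
    for cost in (0.0, 20.0):
        util, worst = run(cost)
        print(f"kex={cost:4.1f} ms  cpu={util:5.1%}  worst packet delay={worst:6.2f} ms")
```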