openvpn - unable to max out tc rate limit, CPU not pegged (~10% at most)

psycroptic · 11-10-2013, 01:44 AM

i have an intel core i3-2120 3.3GHz openvpn server and a Win7 core i7-2630qm 2GHz laptop as a client. Testing for this purpose was done using ethernet directly from the server to the laptop. Both have gigabit nics, and iperf can get the full ~948mbit transfer from both. VPN subnet is 10.11.12.0/24, machine IPs are in x.x.x.8/29.

Iperf over the VPN gives the following:

Code:

------------------------------------------------------------
Client connecting to 10.11.12.6, TCP port 5001
TCP window size: 21.8 KByte (default)
------------------------------------------------------------
[  3] local 10.11.12.1 port 48177 connected with 10.11.12.6 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   165 MBytes   138 Mbits/sec

Not bad.

Now I try limiting the upload from the server w/htb, setting the default class as :11 (prio 2) while classifying port 1194 as :10 (prio 1). "external" is the interface name:

Code:

tc qdisc add dev external root handle 1: htb default 11
tc class add dev external parent 1: classid 1:1 htb rate 23.7mbit ceil 23.7mbit burst 8k
tc class add dev external parent 1:1 classid 1:10 htb rate 15.7mbit ceil 23.7mbit prio 1 burst 8k
tc class add dev external parent 1:1 classid 1:11 htb rate 6mbit ceil 23.7mbit prio 2 burst 8k
tc class add dev external parent 1:1 classid 1:12 htb rate 1mbit ceil 23.7mbit prio 3 burst 8k
tc class add dev external parent 1:1 classid 1:13 htb rate 1mbit ceil 5mbit prio 4 burst 8k

tc filter add dev external protocol ip parent 1: prio 1 u32 match ip sport 1194 0xffff flowid 1:10

This works mostly as expected, with normal non-VPN'd traffic reaching the 23.2mbps ceil:

Code:

------------------------------------------------------------
Client connecting to x.x.x.11, TCP port 5001
TCP window size: 22.9 KByte (default)
------------------------------------------------------------
[  3] local x.x.x.10 port 39034 connected with x.x.x.11 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.1 sec  27.9 MBytes  23.2 Mbits/sec

But openvpn never makes it to 23, and has a loss of 1.6mbps compared to everything else:

Code:

------------------------------------------------------------
Client connecting to 10.11.12.6, TCP port 5001
TCP window size:  416 KByte
------------------------------------------------------------
[  3] local 10.11.12.1 port 48173 connected with 10.11.12.6 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.1 sec  26.0 MBytes  21.6 Mbits/sec

This happens very consistently, no matter what I set the htb rate. Openvpn always takes a hit of ~5-10%. CPU usage never rises above 10% on either machine.

So why, if openvpn can maximally run at ~138mbps, is it unable to manage ~23 under my tc rules?

server conf:

Code:

port 1194
proto udp
dev tun
passtos

ca /etc/openvpn/ca.crt
cert /etc/openvpn/x.crt
key /etc/openvpn/x.key
dh /etc/openvpn/dh2048.pem

server 10.11.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 30 150

push "route 172.16.0.0 255.255.0.0"
push "route 10.172.172.0 255.255.255.0"
push "route 192.168.192.0 255.255.255.0"
push "route 10.100.100.0 255.255.255.0"
push "route 10.200.200.0 255.255.255.0"

client-to-client
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 4
reneg-sec 10800
mute-replay-warnings

thanks

JJJCR · 11-10-2013, 07:36 AM

check out this link:
http://openvpn.net/index.php/access-...art-guide.html

psycroptic · 11-10-2013, 07:45 AM

not really sure how that's helpful at all.... i'm not using the commercial service, i'm running my own binary provided with my distribution on a local server, and that link is just the landing page for setup of said service. appears to have nothing to do with my question, specifically about speeds not matching defined tc rates.... ?