How to make an OpenVPN 90% as fast as a WireGuard
There are a lot of articles on the Internet about improving OpenVPN speed, and most of them focus on the server and client settings themselves: packet sizes, encryption algorithms, or disabling encryption. Everyone compares OpenVPN to WireGuard and points out that WireGuard runs in kernel space while OpenVPN runs in userspace, as if that alone determined everything. But that's not quite true.
I must clarify up front that the method given here is specific to virtual machines with a small amount of memory, from 1 GB to 8 GB; in other cases you need to weigh memory, link bandwidth and speed against each other.
Here is a list of values that are set dynamically, relative to the system memory size:
sysctl net.core.rmem_default
sysctl net.core.rmem_max
sysctl net.core.wmem_default
sysctl net.core.wmem_max
sysctl net.core.somaxconn
sysctl net.core.netdev_max_backlog
sysctl net.core.optmem_max
sysctl net.ipv4.udp_mem
sysctl net.ipv4.udp_rmem_min
sysctl net.ipv4.udp_wmem_min
sysctl net.ipv4.tcp_mem
sysctl net.ipv4.tcp_rmem
sysctl net.ipv4.tcp_wmem
sysctl net.ipv4.tcp_synack_retries
sysctl net.ipv4.tcp_keepalive_time
sysctl net.ipv4.tcp_max_tw_buckets
Recommended sysctl values
Run nano /etc/sysctl.conf and append the following to the end of the file:
# Kernel socket-buffer and TCP settings to append to /etc/sysctl.conf.
# They are host-wide: every socket on the machine is affected, not only the VPN.
# sysctl.conf has no inline comments, so all notes are on lines of their own.

# Default and maximum receive/send buffer per socket, in bytes (16 MiB / 32 MiB).
# The *_max values are the ceiling for what an application may request, so they
# must be at least as large as the sndbuf/rcvbuf given in the OpenVPN config.
# NOTE(review): a 16 MiB *default* lets every socket that does not set its own
# size queue that much data; on a 1-8 GB VM many such sockets can add up to
# memory pressure. Confirm this is intended rather than raising only *_max.
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
# Upper bound on the listen() backlog of accepted-but-not-yet-served connections.
net.core.somaxconn = 8192
# Packets queued per CPU when an interface receives faster than the kernel processes.
net.core.netdev_max_backlog = 32768
# Maximum ancillary (option) buffer per socket, in bytes.
net.core.optmem_max = 25165824
# udp_mem is counted in memory pages, not bytes: min, pressure, max.
# NOTE(review): assuming 4 KiB pages the max is 96 GiB, far above the RAM of the
# VMs this page targets, so it does not act as a limit on UDP memory use.
net.ipv4.udp_mem = 131072 1048576 25165824
# Minimum per-socket UDP buffer sizes, in bytes.
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
# tcp_mem is also in pages (min, pressure, max).
# NOTE(review): with 4 KiB pages the max is 64 GiB, again above physical RAM here.
net.ipv4.tcp_mem = 262144 1048576 16777216
# Per-socket TCP buffer autotuning range in bytes: min, default, max (8 MiB).
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 16384 262144 8388608
# Fewer SYN-ACK retransmissions: half-open connections are dropped sooner.
net.ipv4.tcp_synack_retries = 2
# Idle time in seconds before the first keepalive probe is sent.
net.ipv4.tcp_keepalive_time = 3600
# Cap on sockets held in TIME-WAIT; beyond it they are destroyed immediately.
net.ipv4.tcp_max_tw_buckets = 524288
# Allow TIME-WAIT sockets to be reused for new outgoing connections.
net.ipv4.tcp_tw_reuse = 1
# Ignore RST segments aimed at TIME-WAIT sockets (RFC 1337).
net.ipv4.tcp_rfc1337 = 1
# Answer with SYN cookies when the SYN queue overflows (SYN-flood mitigation).
net.ipv4.tcp_syncookies = 1
# Seconds an orphaned connection stays in FIN-WAIT-2.
net.ipv4.tcp_fin_timeout = 25
# Unanswered keepalive probes before the connection is dropped, and the
# interval between probes in seconds.
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 45
Setting sysctl using console for a running system
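# Apply the same values to the running kernel (run as root). These changes are
# lost on reboot; /etc/sysctl.conf keeps them persistent and can be reloaded
# with "sysctl -p".
#
# Each setting is passed as a single key=value argument: with a space after "="
# sysctl sees an empty value followed by a separate, unknown key. Multi-value
# settings are quoted as a whole for the same reason.
# The settings are host-wide and affect every socket, not only the VPN.

# Socket buffer defaults and ceilings, in bytes.
/usr/sbin/sysctl -w net.core.rmem_default=16777216
/usr/sbin/sysctl -w net.core.rmem_max=33554432
/usr/sbin/sysctl -w net.core.wmem_default=16777216
/usr/sbin/sysctl -w net.core.wmem_max=33554432

# Queue limits (somaxconn was listed twice in the original; once is enough).
/usr/sbin/sysctl -w net.core.somaxconn=8192
/usr/sbin/sysctl -w net.core.netdev_max_backlog=32768
/usr/sbin/sysctl -w net.core.optmem_max=25165824

# UDP memory: udp_mem is in pages (min pressure max), the *_min values in bytes.
/usr/sbin/sysctl -w net.ipv4.udp_mem='131072 1048576 25165824'
/usr/sbin/sysctl -w net.ipv4.udp_rmem_min=16384
/usr/sbin/sysctl -w net.ipv4.udp_wmem_min=16384

# TCP memory: tcp_mem is in pages, tcp_rmem/tcp_wmem in bytes (min default max).
/usr/sbin/sysctl -w net.ipv4.tcp_mem='262144 1048576 16777216'
/usr/sbin/sysctl -w net.ipv4.tcp_rmem='16384 262144 8388608'
/usr/sbin/sysctl -w net.ipv4.tcp_wmem='16384 262144 8388608'

# Connection handling and SYN-flood / TIME-WAIT hardening.
/usr/sbin/sysctl -w net.ipv4.tcp_synack_retries=2
/usr/sbin/sysctl -w net.ipv4.tcp_rfc1337=1
/usr/sbin/sysctl -w net.ipv4.tcp_syncookies=1
/usr/sbin/sysctl -w net.ipv4.tcp_fin_timeout=25
/usr/sbin/sysctl -w net.ipv4.tcp_keepalive_time=3600
/usr/sbin/sysctl -w net.ipv4.tcp_keepalive_probes=5
/usr/sbin/sysctl -w net.ipv4.tcp_keepalive_intvl=45
/usr/sbin/sysctl -w net.ipv4.tcp_max_tw_buckets=524288
/usr/sbin/sysctl -w net.ipv4.tcp_tw_reuse=1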
Server config
# OpenVPN server: routed (tun) tunnel over UDP port 1234 serving 10.10.100.0/24.
dev tun0
topology subnet
server 10.10.100.0 255.255.255.0
mode server
port 1234
proto udp
# Privileges are dropped to this account after start-up.
# NOTE(review): "nobody"/"nogroup" is often shared with other daemons; the
# trailing "openvpn" hint suggests a dedicated account, which isolates better.
user nobody # openvpn
group nogroup # openvpn
# data-ciphers AES-256-CBC
# Cipher offered for data-channel negotiation (AEAD, no separate HMAC needed).
data-ciphers AES-256-GCM
# data-ciphers AES-128-GCM
# data-ciphers CHACHA20-POLY1305
# Used only for peers that do not negotiate a cipher; CBC depends on the
# "auth" digest below for integrity.
data-ciphers-fallback AES-256-CBC
# HMAC digest for tls-auth packets and for non-AEAD data ciphers.
auth sha256
# NOTE(review): OpenSSL uses AES-NI on its own when the CPU supports it; a
# separate "aesni" engine is not present in current OpenSSL builds. Confirm
# this line is accepted by the installed OpenVPN/OpenSSL before relying on it.
engine aesni
tun-mtu 1408
# Socket buffer sizes requested from the kernel, in bytes (2 MiB). The kernel
# caps them at net.core.wmem_max / net.core.rmem_max.
sndbuf 2097152
rcvbuf 2097152
# Transmit queue length of the tun interface, in packets.
txqueuelen 10000
# The same buffer sizes are pushed to connecting clients.
push "sndbuf 2097152" # 1048576 | 2097152
push "rcvbuf 2097152" # 1048576 | 2097152
# mssfix 0
# fragment 0
# txqueuelen 5000
# Ping every 10 s, treat the peer as down after 30 s of silence.
keepalive 10 30
# reneg-sec 120
# ping 10
# ping-restart 60
persist-key
persist-tun
tls-server
# NOTE(review): both values are far above the OpenVPN defaults (tls-timeout 2,
# hand-window 60). A 360 s handshake window keeps unfinished handshakes alive
# much longer; confirm this is deliberate.
tls-timeout 360
hand-window 360
auth-nocache
key /etc/openvpn/server/keys/server_key.pem
# The key's passphrase is read from a file stored beside the key, so anyone
# who can read both files has the usable private key. Keep the directory and
# both files readable by root only.
askpass /etc/openvpn/server/keys/server_key.passwd
cert /etc/openvpn/server/keys/server_cert.pem
ca /etc/openvpn/server/keys/CA_cert.pem
# tls-auth signs control-channel packets with a shared static key (direction 0
# here, 1 on the client). It does not encrypt them; the tls-crypt-v2 line
# below is the newer option that does, with per-client keys.
tls-auth /etc/openvpn/server/keys/shared.key 0 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/server/keys/v2crypt-server.key # new tls key
# NOTE(review): 8192-bit DH parameters (per the file name) make every
# handshake that uses DHE costly in CPU time; verify the cost on this VM.
dh /etc/openvpn/server/keys/dh8192_v2.pem
# Certificates listed in the CRL are refused. The file must stay readable
# after the privilege drop and be refreshed before it expires.
crl-verify /etc/openvpn/server/crl/crl.pem
# ifconfig-pool-persist /etc/openvpn/server/ipp.txt
# Traffic between VPN clients is forwarded inside OpenVPN and does not pass
# the host's firewall on tun0; leave this out if clients must be isolated or
# filtered.
client-to-client
client-config-dir /etc/openvpn/server/ccd
# ccd-exclusive # client ccd config must be set
# Level 1: only built-in executables (ip, route, ...) may be run, no user scripts.
script-security 1
# push "route 10.7.10.0 255.255.255.0"
# route 192.168.24.0 255.255.255.0
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
Client config
# OpenVPN client matching the server profile: UDP port 1234, tun device.
client
dev tun5
proto udp
port 1234
# NOTE(review): 8.8.8.8 looks like a placeholder; put the VPN server's own
# address or host name here.
remote 8.8.8.8
# Direction 1 is the counterpart of the server's "tls-auth ... 0"; it is given
# here and again on the tls-auth line below.
key-direction 1
tls-client
# Accept only a peer certificate marked for server use, so that another
# client's certificate cannot be used to impersonate the server.
remote-cert-tls server
# Shared static key that signs control-channel packets; it must be the same
# file as on the server and should be readable by root only.
tls-auth /etc/openvpn/shared.key 1 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/v2crypt-client.key # new tls key
ca /etc/openvpn/CA_cert.pem
cert /etc/openvpn/kvm_cert.pem
key /etc/openvpn/kvm_key.pem
# The passphrase file sits next to the key it unlocks; protect both with
# root-only permissions.
askpass /etc/openvpn/kvm_key.passwd
persist-key
persist-tun
# No data-ciphers line is active, so the client negotiates from its built-in
# cipher list.
# data-ciphers AES-256-CBC
# data-ciphers-fallback AES-256-CBC
# Transmit queue length of the tun interface, in packets.
txqueuelen 10000
# Privileges are dropped to this account after start-up; the "openvpn" hint
# names a dedicated account as the alternative.
user nobody # openvpn
group nogroup # openvpn
# Must match the server's "auth" digest.
auth sha256
# NOTE(review): route-method is documented as a Windows option while the paths
# here are Linux paths; confirm it is needed on this client.
route-method exe
# Wait 10 s after the tunnel comes up before adding routes.
route-delay 10
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3
Speed test
On the VPS: iperf3 -s -4
Over the OpenVPN IP: iperf3 -c 10.10.100.1 -b 100M --time 25 -l 4096
Connecting to host 10.10.100.1, port 5201
[ 5] local 10.10.100.25 port 38680 connected to 10.10.100.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 10.8 MBytes 90.4 Mbits/sec 109 291 KBytes
[ 5] 1.00-2.00 sec 9.69 MBytes 81.3 Mbits/sec 0 315 KBytes
[ 5] 2.00-3.00 sec 11.5 MBytes 96.6 Mbits/sec 0 334 KBytes
[ 5] 3.00-4.00 sec 9.37 MBytes 78.6 Mbits/sec 45 262 KBytes
[ 5] 4.00-5.00 sec 9.46 MBytes 79.4 Mbits/sec 0 302 KBytes
[ 5] 5.00-6.00 sec 9.41 MBytes 79.0 Mbits/sec 0 327 KBytes
[ 5] 6.00-7.00 sec 10.3 MBytes 86.0 Mbits/sec 0 340 KBytes
[ 5] 7.00-8.00 sec 12.0 MBytes 100 Mbits/sec 0 347 KBytes
[ 5] 8.00-9.00 sec 10.7 MBytes 90.0 Mbits/sec 0 365 KBytes
[ 5] 9.00-10.00 sec 11.1 MBytes 93.4 Mbits/sec 0 387 KBytes
[ 5] 10.00-11.00 sec 11.1 MBytes 93.1 Mbits/sec 0 408 KBytes
[ 5] 11.00-12.00 sec 10.2 MBytes 85.9 Mbits/sec 1 334 KBytes
[ 5] 12.00-13.00 sec 10.2 MBytes 85.3 Mbits/sec 0 369 KBytes
[ 5] 13.00-14.00 sec 12.6 MBytes 106 Mbits/sec 0 391 KBytes
[ 5] 14.00-15.00 sec 8.32 MBytes 69.8 Mbits/sec 2 302 KBytes
[ 5] 15.00-16.00 sec 9.84 MBytes 82.6 Mbits/sec 0 320 KBytes
[ 5] 16.00-17.00 sec 10.4 MBytes 86.9 Mbits/sec 0 336 KBytes
[ 5] 17.00-18.00 sec 11.1 MBytes 92.9 Mbits/sec 0 359 KBytes
[ 5] 18.00-19.00 sec 10.5 MBytes 88.2 Mbits/sec 0 380 KBytes
[ 5] 19.00-20.00 sec 11.1 MBytes 93.0 Mbits/sec 0 401 KBytes
[ 5] 20.00-21.00 sec 10.8 MBytes 90.6 Mbits/sec 14 313 KBytes
[ 5] 21.00-22.00 sec 10.9 MBytes 91.4 Mbits/sec 0 358 KBytes
[ 5] 22.00-23.00 sec 11.5 MBytes 96.7 Mbits/sec 0 387 KBytes
[ 5] 23.00-24.00 sec 9.81 MBytes 82.3 Mbits/sec 0 403 KBytes
[ 5] 24.00-25.00 sec 11.3 MBytes 94.8 Mbits/sec 0 411 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-25.00 sec 264 MBytes 88.6 Mbits/sec 171 sender
[ 5] 0.00-25.03 sec 263 MBytes 88.2 Mbits/sec receiver
Over the WireGuard IP: iperf3 -c 10.10.101.1 -b 100M --time 25 -l 4096
Connecting to host 10.10.101.1, port 5201
[ 5] local 10.10.101.25 port 53980 connected to 10.10.101.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 11.9 MBytes 99.9 Mbits/sec 1025 279 KBytes
[ 5] 1.00-2.00 sec 10.6 MBytes 89.0 Mbits/sec 0 309 KBytes
[ 5] 2.00-3.00 sec 11.5 MBytes 96.6 Mbits/sec 0 327 KBytes
[ 5] 3.00-4.00 sec 12.3 MBytes 103 Mbits/sec 0 354 KBytes
[ 5] 4.00-5.00 sec 12.5 MBytes 105 Mbits/sec 0 379 KBytes
[ 5] 5.00-6.00 sec 11.7 MBytes 98.3 Mbits/sec 1 295 KBytes
[ 5] 6.00-7.00 sec 11.6 MBytes 97.2 Mbits/sec 0 339 KBytes
[ 5] 7.00-8.00 sec 12.4 MBytes 104 Mbits/sec 0 367 KBytes
[ 5] 8.00-9.00 sec 12.5 MBytes 104 Mbits/sec 0 383 KBytes
[ 5] 9.00-10.00 sec 11.2 MBytes 94.3 Mbits/sec 1 289 KBytes
[ 5] 10.00-11.00 sec 11.4 MBytes 95.7 Mbits/sec 0 311 KBytes
[ 5] 11.00-12.00 sec 12.6 MBytes 106 Mbits/sec 0 338 KBytes
[ 5] 12.00-13.00 sec 12.4 MBytes 104 Mbits/sec 0 365 KBytes
[ 5] 13.00-14.00 sec 12.2 MBytes 102 Mbits/sec 3 275 KBytes
[ 5] 14.00-15.00 sec 11.1 MBytes 93.4 Mbits/sec 0 323 KBytes
[ 5] 15.00-16.00 sec 12.2 MBytes 103 Mbits/sec 0 354 KBytes
[ 5] 16.00-17.00 sec 12.3 MBytes 103 Mbits/sec 0 374 KBytes
[ 5] 17.00-18.00 sec 12.0 MBytes 101 Mbits/sec 0 383 KBytes
[ 5] 18.00-19.00 sec 11.9 MBytes 100 Mbits/sec 6 281 KBytes
[ 5] 19.00-20.00 sec 11.1 MBytes 93.4 Mbits/sec 0 329 KBytes
[ 5] 20.00-21.00 sec 12.7 MBytes 107 Mbits/sec 0 361 KBytes
[ 5] 21.00-22.00 sec 11.9 MBytes 100 Mbits/sec 0 379 KBytes
[ 5] 22.00-23.00 sec 11.9 MBytes 100 Mbits/sec 2 278 KBytes
[ 5] 23.00-24.00 sec 10.6 MBytes 89.1 Mbits/sec 0 305 KBytes
[ 5] 24.00-25.00 sec 10.7 MBytes 89.7 Mbits/sec 0 325 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-25.00 sec 295 MBytes 99.1 Mbits/sec 1038 sender
[ 5] 0.00-25.02 sec 294 MBytes 98.6 Mbits/sec receiver
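Results
88.6 Mbits/sec for OpenVPN
99.1 Mbits/sec for WireGuard
Both runs were limited to a 100 Mbit/s target by -b 100M, so the comparison holds only up to that rate.
2023-01-27 11:37 +0000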