How to make OpenVPN 90% as fast as WireGuard
There are a lot of articles on the Internet about improving OpenVPN speed, and they are usually focused on the server and client settings themselves: packet sizes, encryption algorithms, or disabling encryption entirely. Everyone compares OpenVPN to WireGuard: WireGuard works in kernel space while OpenVPN works in userspace, and supposedly that decides everything. But that is not quite true.
I must clarify right away that the method described here is specific to virtual machines with a small amount of memory, from 1 GB to 8 GB; in other cases you need to weigh memory, link bandwidth and speed against each other.
Here is the list of values that the kernel sets dynamically depending on the system memory size (read the current ones with sysctl):
```
sysctl net.core.rmem_default
sysctl net.core.rmem_max
sysctl net.core.wmem_default
sysctl net.core.wmem_max
sysctl net.core.somaxconn
sysctl net.core.netdev_max_backlog
sysctl net.core.optmem_max
sysctl net.ipv4.udp_mem
sysctl net.ipv4.udp_rmem_min
sysctl net.ipv4.udp_wmem_min
sysctl net.ipv4.tcp_mem
sysctl net.ipv4.tcp_rmem
sysctl net.ipv4.tcp_wmem
sysctl net.ipv4.tcp_synack_retries
sysctl net.ipv4.tcp_keepalive_time
sysctl net.ipv4.tcp_max_tw_buckets
```
Recommended sysctl values
Open /etc/sysctl.conf (for example with nano /etc/sysctl.conf) and append the following to the end of the file:
```
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.core.somaxconn = 8192
net.core.netdev_max_backlog = 32768
net.core.optmem_max = 25165824
net.ipv4.udp_mem = 131072 1048576 25165824
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.ipv4.tcp_mem = 262144 1048576 16777216
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 16384 262144 8388608
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_keepalive_time = 3600
net.ipv4.tcp_max_tw_buckets = 524288
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 45
```
Applying the sysctl values from the console on a running system (the duplicated somaxconn line of the original has been removed):
```sh
/usr/sbin/sysctl net.core.somaxconn=8192
/usr/sbin/sysctl net.core.rmem_default=16777216
/usr/sbin/sysctl net.core.rmem_max=33554432
/usr/sbin/sysctl net.core.wmem_default=16777216
/usr/sbin/sysctl net.core.wmem_max=33554432
/usr/sbin/sysctl net.core.netdev_max_backlog=32768
/usr/sbin/sysctl net.core.optmem_max=25165824
/usr/sbin/sysctl net.ipv4.udp_mem='131072 1048576 25165824'
/usr/sbin/sysctl net.ipv4.udp_rmem_min=16384
/usr/sbin/sysctl net.ipv4.udp_wmem_min=16384
/usr/sbin/sysctl net.ipv4.tcp_mem='262144 1048576 16777216'
/usr/sbin/sysctl net.ipv4.tcp_rmem='16384 262144 8388608'
/usr/sbin/sysctl net.ipv4.tcp_wmem='16384 262144 8388608'
/usr/sbin/sysctl net.ipv4.tcp_synack_retries=2
/usr/sbin/sysctl net.ipv4.tcp_rfc1337=1
/usr/sbin/sysctl net.ipv4.tcp_syncookies=1
/usr/sbin/sysctl net.ipv4.tcp_fin_timeout=25
/usr/sbin/sysctl net.ipv4.tcp_keepalive_time=3600
/usr/sbin/sysctl net.ipv4.tcp_keepalive_probes=5
/usr/sbin/sysctl net.ipv4.tcp_keepalive_intvl=45
/usr/sbin/sysctl net.ipv4.tcp_max_tw_buckets=524288
/usr/sbin/sysctl net.ipv4.tcp_tw_reuse=1
```
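A verification step the post does not include: the script below (an added example, not code from the original post) reads the key = value lines of a sysctl.conf fragment such as the one above and compares them with the live kernel values under /proc/sys, printing OK or DRIFT per key and returning the number of keys that differ. The SYS_ROOT variable and the file name sysctl_audit.sh are assumptions made for this example; multi-value keys such as net.ipv4.udp_mem are tab-separated in /proc/sys, so whitespace is normalised before comparing.

```shell
#!/bin/sh
# Added example (not from the original post): audit live kernel values
# against the "key = value" lines of a sysctl.conf fragment, so you can
# confirm the tuning actually took effect and spot later drift.
# SYS_ROOT is an assumption that exists only so the script can be tested
# against a fake tree; on a real host leave it at /proc/sys.
SYS_ROOT="${SYS_ROOT:-/proc/sys}"

# net.core.rmem_max -> /proc/sys/net/core/rmem_max
key_to_path() {
    printf '%s/%s\n' "$SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Read one live value. Multi-value keys (tcp_mem, udp_mem, ...) are
# tab-separated in /proc/sys; squeeze tabs/spaces to single spaces so the
# value compares equal to the space-separated form used in sysctl.conf.
read_live() {
    f=$(key_to_path "$1")
    if [ -r "$f" ]; then
        tr -s '\t ' ' ' < "$f" | sed 's/^ //; s/ $//'
    else
        echo "MISSING"
    fi
}

# Parse "key = value" lines (comments and blank lines ignored) and report
# OK / DRIFT per key. Returns the number of keys that differ (0 = all applied).
audit_conf() {
    drift=0
    while read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//' | tr -s '\t ' ' ' | sed 's/ *$//')
        have=$(read_live "$key")
        if [ "$have" = "$want" ]; then
            echo "OK    $key = $have"
        else
            drift=$((drift + 1))
            echo "DRIFT $key = $have (want $want)"
        fi
    done < "$1"
    return "$drift"
}

# Usage: sh sysctl_audit.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then
    audit_conf "$1"
fi
```

After editing the file, sysctl -p /etc/sysctl.conf loads it, and running the audit against the same file confirms that every key was accepted by the kernel.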
Server config
```
dev tun0
topology subnet
server 10.10.100.0 255.255.255.0
mode server
port 1234
proto udp
user nobody # openvpn
group nogroup # openvpn
# data-ciphers AES-256-CBC
data-ciphers AES-256-GCM
# data-ciphers AES-128-GCM
# data-ciphers CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth sha256
engine aesni
tun-mtu 1408
sndbuf 2097152
rcvbuf 2097152
txqueuelen 10000
push "sndbuf 2097152" # 1048576 | 2097152
push "rcvbuf 2097152" # 1048576 | 2097152
# mssfix 0
# fragment 0
# txqueuelen 5000
keepalive 10 30
# reneg-sec 120
# ping 10
# ping-restart 60
persist-key
persist-tun
tls-server
tls-timeout 360
hand-window 360
auth-nocache
key /etc/openvpn/server/keys/server_key.pem
askpass /etc/openvpn/server/keys/server_key.passwd
cert /etc/openvpn/server/keys/server_cert.pem
ca /etc/openvpn/server/keys/CA_cert.pem
tls-auth /etc/openvpn/server/keys/shared.key 0 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/server/keys/v2crypt-server.key # new tls key
dh /etc/openvpn/server/keys/dh8192_v2.pem
crl-verify /etc/openvpn/server/crl/crl.pem
# ifconfig-pool-persist /etc/openvpn/server/ipp.txt
client-to-client
client-config-dir /etc/openvpn/server/ccd
# ccd-exclusive # client ccd config must be set
script-security 1
# push "route 10.7.10.0 255.255.255.0"
# route 192.168.24.0 255.255.255.0
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
```
Client config
```
client
dev tun5
proto udp
port 1234
remote 8.8.8.8
key-direction 1
tls-client
remote-cert-tls server
tls-auth /etc/openvpn/shared.key 1 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/v2crypt-client.key # new tls key
ca /etc/openvpn/CA_cert.pem
cert /etc/openvpn/kvm_cert.pem
key /etc/openvpn/kvm_key.pem
askpass /etc/openvpn/kvm_key.passwd
persist-key
persist-tun
# data-ciphers AES-256-CBC
# data-ciphers-fallback AES-256-CBC
txqueuelen 10000
user nobody # openvpn
group nogroup # openvpn
auth sha256
route-method exe
route-delay 10
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3
```
Speed test
On the VPS (server side): iperf3 -s -4
From the client, against the OpenVPN address: iperf3 -c 10.10.100.1 -b 100M --time 25 -l 4096
```
Connecting to host 10.10.100.1, port 5201
[  5] local 10.10.100.25 port 38680 connected to 10.10.100.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  10.8 MBytes  90.4 Mbits/sec  109    291 KBytes
[  5]   1.00-2.00   sec  9.69 MBytes  81.3 Mbits/sec    0    315 KBytes
[  5]   2.00-3.00   sec  11.5 MBytes  96.6 Mbits/sec    0    334 KBytes
[  5]   3.00-4.00   sec  9.37 MBytes  78.6 Mbits/sec   45    262 KBytes
[  5]   4.00-5.00   sec  9.46 MBytes  79.4 Mbits/sec    0    302 KBytes
[  5]   5.00-6.00   sec  9.41 MBytes  79.0 Mbits/sec    0    327 KBytes
[  5]   6.00-7.00   sec  10.3 MBytes  86.0 Mbits/sec    0    340 KBytes
[  5]   7.00-8.00   sec  12.0 MBytes   100 Mbits/sec    0    347 KBytes
[  5]   8.00-9.00   sec  10.7 MBytes  90.0 Mbits/sec    0    365 KBytes
[  5]   9.00-10.00  sec  11.1 MBytes  93.4 Mbits/sec    0    387 KBytes
[  5]  10.00-11.00  sec  11.1 MBytes  93.1 Mbits/sec    0    408 KBytes
[  5]  11.00-12.00  sec  10.2 MBytes  85.9 Mbits/sec    1    334 KBytes
[  5]  12.00-13.00  sec  10.2 MBytes  85.3 Mbits/sec    0    369 KBytes
[  5]  13.00-14.00  sec  12.6 MBytes   106 Mbits/sec    0    391 KBytes
[  5]  14.00-15.00  sec  8.32 MBytes  69.8 Mbits/sec    2    302 KBytes
[  5]  15.00-16.00  sec  9.84 MBytes  82.6 Mbits/sec    0    320 KBytes
[  5]  16.00-17.00  sec  10.4 MBytes  86.9 Mbits/sec    0    336 KBytes
[  5]  17.00-18.00  sec  11.1 MBytes  92.9 Mbits/sec    0    359 KBytes
[  5]  18.00-19.00  sec  10.5 MBytes  88.2 Mbits/sec    0    380 KBytes
[  5]  19.00-20.00  sec  11.1 MBytes  93.0 Mbits/sec    0    401 KBytes
[  5]  20.00-21.00  sec  10.8 MBytes  90.6 Mbits/sec   14    313 KBytes
[  5]  21.00-22.00  sec  10.9 MBytes  91.4 Mbits/sec    0    358 KBytes
[  5]  22.00-23.00  sec  11.5 MBytes  96.7 Mbits/sec    0    387 KBytes
[  5]  23.00-24.00  sec  9.81 MBytes  82.3 Mbits/sec    0    403 KBytes
[  5]  24.00-25.00  sec  11.3 MBytes  94.8 Mbits/sec    0    411 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-25.00  sec   264 MBytes  88.6 Mbits/sec  171             sender
[  5]   0.00-25.03  sec   263 MBytes  88.2 Mbits/sec                  receiver
```
From the client, against the WireGuard address: iperf3 -c 10.10.101.1 -b 100M --time 25 -l 4096
```
Connecting to host 10.10.101.1, port 5201
[  5] local 10.10.101.25 port 53980 connected to 10.10.101.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  11.9 MBytes  99.9 Mbits/sec  1025   279 KBytes
[  5]   1.00-2.00   sec  10.6 MBytes  89.0 Mbits/sec    0    309 KBytes
[  5]   2.00-3.00   sec  11.5 MBytes  96.6 Mbits/sec    0    327 KBytes
[  5]   3.00-4.00   sec  12.3 MBytes   103 Mbits/sec    0    354 KBytes
[  5]   4.00-5.00   sec  12.5 MBytes   105 Mbits/sec    0    379 KBytes
[  5]   5.00-6.00   sec  11.7 MBytes  98.3 Mbits/sec    1    295 KBytes
[  5]   6.00-7.00   sec  11.6 MBytes  97.2 Mbits/sec    0    339 KBytes
[  5]   7.00-8.00   sec  12.4 MBytes   104 Mbits/sec    0    367 KBytes
[  5]   8.00-9.00   sec  12.5 MBytes   104 Mbits/sec    0    383 KBytes
[  5]   9.00-10.00  sec  11.2 MBytes  94.3 Mbits/sec    1    289 KBytes
[  5]  10.00-11.00  sec  11.4 MBytes  95.7 Mbits/sec    0    311 KBytes
[  5]  11.00-12.00  sec  12.6 MBytes   106 Mbits/sec    0    338 KBytes
[  5]  12.00-13.00  sec  12.4 MBytes   104 Mbits/sec    0    365 KBytes
[  5]  13.00-14.00  sec  12.2 MBytes   102 Mbits/sec    3    275 KBytes
[  5]  14.00-15.00  sec  11.1 MBytes  93.4 Mbits/sec    0    323 KBytes
[  5]  15.00-16.00  sec  12.2 MBytes   103 Mbits/sec    0    354 KBytes
[  5]  16.00-17.00  sec  12.3 MBytes   103 Mbits/sec    0    374 KBytes
[  5]  17.00-18.00  sec  12.0 MBytes   101 Mbits/sec    0    383 KBytes
[  5]  18.00-19.00  sec  11.9 MBytes   100 Mbits/sec    6    281 KBytes
[  5]  19.00-20.00  sec  11.1 MBytes  93.4 Mbits/sec    0    329 KBytes
[  5]  20.00-21.00  sec  12.7 MBytes   107 Mbits/sec    0    361 KBytes
[  5]  21.00-22.00  sec  11.9 MBytes   100 Mbits/sec    0    379 KBytes
[  5]  22.00-23.00  sec  11.9 MBytes   100 Mbits/sec    2    278 KBytes
[  5]  23.00-24.00  sec  10.6 MBytes  89.1 Mbits/sec    0    305 KBytes
[  5]  24.00-25.00  sec  10.7 MBytes  89.7 Mbits/sec    0    325 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-25.00  sec   295 MBytes  99.1 Mbits/sec  1038            sender
[  5]   0.00-25.02  sec   294 MBytes  98.6 Mbits/sec                  receiver
```
Results
- 88.6 Mbits/sec for OpenVPN
- 99.1 Mbits/sec for WireGuard
Original post on SecOps.it Blog • How to make OpenVPN 90% as fast as WireGuard