How to get OpenVPN to 89% of WireGuard's speed

The internet is full of posts about improving OpenVPN speed, and most of them focus on the settings of the server and client themselves: packet sizes, encryption algorithms, or turning encryption off. They all bring up WireGuard for comparison, saying that it runs in kernel space while OpenVPN runs in userspace. That is not quite so.
I should say right away that the fix described here is specific to virtual machines with little memory, from 1 GB to 8 GB; in other cases you need to match memory, link capacity and speed against each other.
Here is the list of values that are set dynamically according to the amount of system memory:
sysctl net.core.rmem_default
sysctl net.core.rmem_max
sysctl net.core.wmem_default
sysctl net.core.wmem_max
sysctl net.core.somaxconn
sysctl net.core.netdev_max_backlog
sysctl net.core.optmem_max
sysctl net.ipv4.udp_mem
sysctl net.ipv4.udp_rmem_min
sysctl net.ipv4.udp_wmem_min
sysctl net.ipv4.tcp_mem
sysctl net.ipv4.tcp_rmem
sysctl net.ipv4.tcp_wmem
sysctl net.ipv4.tcp_synack_retries
sysctl net.ipv4.tcp_keepalive_time
sysctl net.ipv4.tcp_max_tw_buckets

Recommended sysctl values

nano /etc/sysctl.conf
and add the following to the end of the file:
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.core.somaxconn = 8192
net.core.netdev_max_backlog = 32768
net.core.optmem_max = 25165824
net.ipv4.udp_mem = 131072 1048576 25165824
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.ipv4.tcp_mem = 262144 1048576 16777216
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 16384 262144 8388608
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_keepalive_time = 3600
net.ipv4.tcp_max_tw_buckets = 524288
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 45

Setting the parameters from the console on a running system
/usr/sbin/sysctl net.core.somaxconn=8192
/usr/sbin/sysctl net.core.rmem_default=16777216
/usr/sbin/sysctl net.core.rmem_max=33554432
/usr/sbin/sysctl net.core.wmem_default=16777216
/usr/sbin/sysctl net.core.wmem_max=33554432
/usr/sbin/sysctl net.core.netdev_max_backlog=32768
/usr/sbin/sysctl net.core.optmem_max=25165824
/usr/sbin/sysctl net.ipv4.udp_mem='131072 1048576 25165824'
/usr/sbin/sysctl net.ipv4.udp_rmem_min=16384
/usr/sbin/sysctl net.ipv4.udp_wmem_min=16384
/usr/sbin/sysctl net.ipv4.tcp_mem='262144 1048576 16777216'
/usr/sbin/sysctl net.ipv4.tcp_rmem='16384 262144 8388608'
/usr/sbin/sysctl net.ipv4.tcp_wmem='16384 262144 8388608'
/usr/sbin/sysctl net.ipv4.tcp_synack_retries=2
/usr/sbin/sysctl net.ipv4.tcp_rfc1337=1
/usr/sbin/sysctl net.ipv4.tcp_syncookies=1
/usr/sbin/sysctl net.ipv4.tcp_fin_timeout=25
/usr/sbin/sysctl net.ipv4.tcp_keepalive_time=3600
/usr/sbin/sysctl net.ipv4.tcp_keepalive_probes=5
/usr/sbin/sysctl net.ipv4.tcp_keepalive_intvl=45
/usr/sbin/sysctl net.ipv4.tcp_max_tw_buckets=524288
/usr/sbin/sysctl net.ipv4.tcp_tw_reuse=1

Server config file
dev tun0
topology subnet
server 10.10.100.0 255.255.255.0
mode server
port 1234
proto udp
user nobody # openvpn
group nogroup # openvpn
# data-ciphers AES-256-CBC
data-ciphers AES-256-GCM
# data-ciphers AES-128-GCM
# data-ciphers CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth sha256
engine aesni
tun-mtu 1408
sndbuf 2097152
rcvbuf 2097152
txqueuelen 10000
push "sndbuf 2097152" # 1048576 | 2097152
push "rcvbuf 2097152" # 1048576 | 2097152
# mssfix 0
# fragment 0
# txqueuelen 5000
keepalive 10 30
# reneg-sec 120
# ping 10
# ping-restart 60
persist-key
persist-tun
tls-server
tls-timeout 360
hand-window 360
auth-nocache
key /etc/openvpn/server/keys/server_key.pem
askpass /etc/openvpn/server/keys/server_key.passwd
cert /etc/openvpn/server/keys/server_cert.pem
ca /etc/openvpn/server/keys/CA_cert.pem
tls-auth /etc/openvpn/server/keys/shared.key 0 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/server/keys/v2crypt-server.key # new tls key
dh /etc/openvpn/server/keys/dh8192_v2.pem
crl-verify /etc/openvpn/server/crl/crl.pem
# ifconfig-pool-persist /etc/openvpn/server/ipp.txt
client-to-client
client-config-dir /etc/openvpn/server/ccd
# ccd-exclusive # client ccd config must be set
script-security 1
# push "route 10.7.10.0 255.255.255.0"
# route 192.168.24.0 255.255.255.0
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
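
A check worth running before applying these values on a small VM, as an added example that is not part of the original post: net.ipv4.udp_mem and net.ipv4.tcp_mem are counted in memory pages rather than bytes, and the kernel clamps OpenVPN's sndbuf/rcvbuf requests to net.core.wmem_max/rmem_max. The script below compares the values from the sysctl.conf and server config above with the VM's RAM; the 4 KiB page size, the function names and the report keys are assumptions of this example.

```python
PAGE = 4096  # assumption: 4 KiB pages (x86-64 default)

# Constructed input: values copied from the sysctl.conf and server config on this page.
SYSCTL_CONF = """\
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.udp_mem = 131072 1048576 25165824
net.ipv4.tcp_mem = 262144 1048576 16777216
"""
OPENVPN_CONF = """\
sndbuf 2097152
rcvbuf 2097152
txqueuelen 10000
"""

def parse_sysctl(text):
    """Parse 'key = v1 v2 ...' lines into {key: [int, ...]}."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep:
            out[key.strip()] = [int(v) for v in val.split()]
    return out

def parse_openvpn_buffers(text):
    """Return the sndbuf/rcvbuf byte counts from an OpenVPN config."""
    out = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] in ("sndbuf", "rcvbuf"):
            out[words[0]] = int(words[1])
    return out

def audit(sysctl, ovpn, ram_bytes):
    """Compare the configured limits with the memory the VM actually has."""
    report = {"over_ram": [], "clamped": []}
    # udp_mem/tcp_mem are counted in pages; the third field is the hard limit.
    for key in ("net.ipv4.udp_mem", "net.ipv4.tcp_mem"):
        if sysctl[key][2] * PAGE > ram_bytes:
            report["over_ram"].append(key)
    # rmem_default is the buffer of e.g. UDP sockets that do not set SO_RCVBUF.
    report["full_sockets_to_fill_ram"] = ram_bytes // sysctl["net.core.rmem_default"][0]
    # The kernel clamps SO_SNDBUF/SO_RCVBUF requests to wmem_max/rmem_max.
    for opt, cap in (("sndbuf", "net.core.wmem_max"), ("rcvbuf", "net.core.rmem_max")):
        if ovpn.get(opt, 0) > sysctl[cap][0]:
            report["clamped"].append(opt)
    return report

if __name__ == "__main__":
    for gib in (1, 8):
        print(gib, "GiB:", audit(parse_sysctl(SYSCTL_CONF),
                                 parse_openvpn_buffers(OPENVPN_CONF), gib << 30))
```

For both a 1 GiB and an 8 GiB VM the report lists udp_mem and tcp_mem under over_ram: their hard limits work out to 96 GiB and 64 GiB, so they never act as a cap on socket memory at this size, which matters on a host that accepts UDP from the internet.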

Client config file
client
dev tun5
proto udp
port 1234
remote 8.8.8.8
key-direction 1
tls-client
remote-cert-tls server
tls-auth /etc/openvpn/shared.key 1 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/v2crypt-client.key # new tls key
ca /etc/openvpn/CA_cert.pem
cert /etc/openvpn/kvm_cert.pem
key /etc/openvpn/kvm_key.pem
askpass /etc/openvpn/kvm_key.passwd
persist-key
persist-tun
# data-ciphers AES-256-CBC
# data-ciphers-fallback AES-256-CBC
txqueuelen 10000
user nobody # openvpn
group nogroup # openvpn
auth sha256
route-method exe
route-delay 10
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3

Speed test

On the VPS:
iperf3 -s -4

Test against the OpenVPN IP:
iperf3 -c 10.10.100.1 -b 100M --time 25 -l 4096
Connecting to host 10.10.100.1, port 5201
[ 5] local 10.10.100.25 port 38680 connected to 10.10.100.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 10.8 MBytes 90.4 Mbits/sec 109 291 KBytes
[ 5] 1.00-2.00 sec 9.69 MBytes 81.3 Mbits/sec 0 315 KBytes
[ 5] 2.00-3.00 sec 11.5 MBytes 96.6 Mbits/sec 0 334 KBytes
[ 5] 3.00-4.00 sec 9.37 MBytes 78.6 Mbits/sec 45 262 KBytes
[ 5] 4.00-5.00 sec 9.46 MBytes 79.4 Mbits/sec 0 302 KBytes
[ 5] 5.00-6.00 sec 9.41 MBytes 79.0 Mbits/sec 0 327 KBytes
[ 5] 6.00-7.00 sec 10.3 MBytes 86.0 Mbits/sec 0 340 KBytes
[ 5] 7.00-8.00 sec 12.0 MBytes 100 Mbits/sec 0 347 KBytes
[ 5] 8.00-9.00 sec 10.7 MBytes 90.0 Mbits/sec 0 365 KBytes
[ 5] 9.00-10.00 sec 11.1 MBytes 93.4 Mbits/sec 0 387 KBytes
[ 5] 10.00-11.00 sec 11.1 MBytes 93.1 Mbits/sec 0 408 KBytes
[ 5] 11.00-12.00 sec 10.2 MBytes 85.9 Mbits/sec 1 334 KBytes
[ 5] 12.00-13.00 sec 10.2 MBytes 85.3 Mbits/sec 0 369 KBytes
[ 5] 13.00-14.00 sec 12.6 MBytes 106 Mbits/sec 0 391 KBytes
[ 5] 14.00-15.00 sec 8.32 MBytes 69.8 Mbits/sec 2 302 KBytes
[ 5] 15.00-16.00 sec 9.84 MBytes 82.6 Mbits/sec 0 320 KBytes
[ 5] 16.00-17.00 sec 10.4 MBytes 86.9 Mbits/sec 0 336 KBytes
[ 5] 17.00-18.00 sec 11.1 MBytes 92.9 Mbits/sec 0 359 KBytes
[ 5] 18.00-19.00 sec 10.5 MBytes 88.2 Mbits/sec 0 380 KBytes
[ 5] 19.00-20.00 sec 11.1 MBytes 93.0 Mbits/sec 0 401 KBytes
[ 5] 20.00-21.00 sec 10.8 MBytes 90.6 Mbits/sec 14 313 KBytes
[ 5] 21.00-22.00 sec 10.9 MBytes 91.4 Mbits/sec 0 358 KBytes
[ 5] 22.00-23.00 sec 11.5 MBytes 96.7 Mbits/sec 0 387 KBytes
[ 5] 23.00-24.00 sec 9.81 MBytes 82.3 Mbits/sec 0 403 KBytes
[ 5] 24.00-25.00 sec 11.3 MBytes 94.8 Mbits/sec 0 411 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-25.00 sec 264 MBytes 88.6 Mbits/sec 171 sender
[ 5] 0.00-25.03 sec 263 MBytes 88.2 Mbits/sec receiver

Test against the WireGuard IP:
iperf3 -c 10.10.101.1 -b 100M --time 25 -l 4096
Connecting to host 10.10.101.1, port 5201
[ 5] local 10.10.101.25 port 53980 connected to 10.10.101.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 11.9 MBytes 99.9 Mbits/sec 1025 279 KBytes
[ 5] 1.00-2.00 sec 10.6 MBytes 89.0 Mbits/sec 0 309 KBytes
[ 5] 2.00-3.00 sec 11.5 MBytes 96.6 Mbits/sec 0 327 KBytes
[ 5] 3.00-4.00 sec 12.3 MBytes 103 Mbits/sec 0 354 KBytes
[ 5] 4.00-5.00 sec 12.5 MBytes 105 Mbits/sec 0 379 KBytes
[ 5] 5.00-6.00 sec 11.7 MBytes 98.3 Mbits/sec 1 295 KBytes
[ 5] 6.00-7.00 sec 11.6 MBytes 97.2 Mbits/sec 0 339 KBytes
[ 5] 7.00-8.00 sec 12.4 MBytes 104 Mbits/sec 0 367 KBytes
[ 5] 8.00-9.00 sec 12.5 MBytes 104 Mbits/sec 0 383 KBytes
[ 5] 9.00-10.00 sec 11.2 MBytes 94.3 Mbits/sec 1 289 KBytes
[ 5] 10.00-11.00 sec 11.4 MBytes 95.7 Mbits/sec 0 311 KBytes
[ 5] 11.00-12.00 sec 12.6 MBytes 106 Mbits/sec 0 338 KBytes
[ 5] 12.00-13.00 sec 12.4 MBytes 104 Mbits/sec 0 365 KBytes
[ 5] 13.00-14.00 sec 12.2 MBytes 102 Mbits/sec 3 275 KBytes
[ 5] 14.00-15.00 sec 11.1 MBytes 93.4 Mbits/sec 0 323 KBytes
[ 5] 15.00-16.00 sec 12.2 MBytes 103 Mbits/sec 0 354 KBytes
[ 5] 16.00-17.00 sec 12.3 MBytes 103 Mbits/sec 0 374 KBytes
[ 5] 17.00-18.00 sec 12.0 MBytes 101 Mbits/sec 0 383 KBytes
[ 5] 18.00-19.00 sec 11.9 MBytes 100 Mbits/sec 6 281 KBytes
[ 5] 19.00-20.00 sec 11.1 MBytes 93.4 Mbits/sec 0 329 KBytes
[ 5] 20.00-21.00 sec 12.7 MBytes 107 Mbits/sec 0 361 KBytes
[ 5] 21.00-22.00 sec 11.9 MBytes 100 Mbits/sec 0 379 KBytes
[ 5] 22.00-23.00 sec 11.9 MBytes 100 Mbits/sec 2 278 KBytes
[ 5] 23.00-24.00 sec 10.6 MBytes 89.1 Mbits/sec 0 305 KBytes
[ 5] 24.00-25.00 sec 10.7 MBytes 89.7 Mbits/sec 0 325 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-25.00 sec 295 MBytes 99.1 Mbits/sec 1038 sender
[ 5] 0.00-25.02 sec 294 MBytes 98.6 Mbits/sec receiver

Results

88.6 Mbits/sec for OpenVPN
99.1 Mbits/sec for WireGuard

2023-01-25 15:17 +0000