How to get OpenVPN to 89% of WireGuard's speed
There are plenty of publications online about improving OpenVPN speed, and they usually focus on the settings of the server and client themselves: packet sizes, encryption algorithms, or turning encryption off. All of them compare against WireGuard, saying that it runs in kernel space while OpenVPN runs in userspace. But that is not entirely the case.
I should clarify right away that the approach described here is specific to virtual machines with a small amount of memory, from 1 GB to 8 GB; in other cases you have to balance memory, bandwidth and speed against each other.
Here is the list of values that the kernel sets dynamically according to the amount of system memory:
sysctl net.core.rmem_default
sysctl net.core.rmem_max
sysctl net.core.wmem_default
sysctl net.core.wmem_max
sysctl net.core.somaxconn
sysctl net.core.netdev_max_backlog
sysctl net.core.optmem_max
sysctl net.ipv4.udp_mem
sysctl net.ipv4.udp_rmem_min
sysctl net.ipv4.udp_wmem_min
sysctl net.ipv4.tcp_mem
sysctl net.ipv4.tcp_rmem
sysctl net.ipv4.tcp_wmem
sysctl net.ipv4.tcp_synack_retries
sysctl net.ipv4.tcp_keepalive_time
sysctl net.ipv4.tcp_max_tw_buckets
Recommended sysctl values
Open /etc/sysctl.conf with nano and append the following to the end of the file:
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.core.somaxconn = 8192
net.core.netdev_max_backlog = 32768
net.core.optmem_max = 25165824
net.ipv4.udp_mem = 131072 1048576 25165824
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.ipv4.tcp_mem = 262144 1048576 16777216
net.ipv4.tcp_rmem = 16384 262144 8388608
net.ipv4.tcp_wmem = 16384 262144 8388608
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_keepalive_time = 3600
net.ipv4.tcp_max_tw_buckets = 524288
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 45
Alternative: setting the parameters from the console on a running system
/usr/sbin/sysctl net.core.rmem_default=16777216
/usr/sbin/sysctl net.core.rmem_max=33554432
/usr/sbin/sysctl net.core.wmem_default=16777216
/usr/sbin/sysctl net.core.wmem_max=33554432
/usr/sbin/sysctl net.core.somaxconn=8192
/usr/sbin/sysctl net.core.netdev_max_backlog=32768
/usr/sbin/sysctl net.core.optmem_max=25165824
/usr/sbin/sysctl net.ipv4.udp_mem='131072 1048576 25165824'
/usr/sbin/sysctl net.ipv4.udp_rmem_min=16384
/usr/sbin/sysctl net.ipv4.udp_wmem_min=16384
/usr/sbin/sysctl net.ipv4.tcp_mem='262144 1048576 16777216'
/usr/sbin/sysctl net.ipv4.tcp_rmem='16384 262144 8388608'
/usr/sbin/sysctl net.ipv4.tcp_wmem='16384 262144 8388608'
/usr/sbin/sysctl net.ipv4.tcp_synack_retries=2
/usr/sbin/sysctl net.ipv4.tcp_rfc1337=1
/usr/sbin/sysctl net.ipv4.tcp_syncookies=1
/usr/sbin/sysctl net.ipv4.tcp_fin_timeout=25
/usr/sbin/sysctl net.ipv4.tcp_keepalive_time=3600
/usr/sbin/sysctl net.ipv4.tcp_keepalive_probes=5
/usr/sbin/sysctl net.ipv4.tcp_keepalive_intvl=45
/usr/sbin/sysctl net.ipv4.tcp_max_tw_buckets=524288
/usr/sbin/sysctl net.ipv4.tcp_tw_reuse=1
Server config file
dev tun0
topology subnet
server 10.10.100.0 255.255.255.0
mode server
port 1234
proto udp
user nobody # openvpn
group nogroup # openvpn
# data-ciphers AES-256-CBC
data-ciphers AES-256-GCM
# data-ciphers AES-128-GCM
# data-ciphers CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth sha256
engine aesni
tun-mtu 1408
sndbuf 2097152
rcvbuf 2097152
txqueuelen 10000
push "sndbuf 2097152" # 1048576 | 2097152
push "rcvbuf 2097152" # 1048576 | 2097152
# mssfix 0
# fragment 0
# txqueuelen 5000
keepalive 10 30
# reneg-sec 120
# ping 10
# ping-restart 60
persist-key
persist-tun
tls-server
tls-timeout 360
hand-window 360
auth-nocache
key /etc/openvpn/server/keys/server_key.pem
askpass /etc/openvpn/server/keys/server_key.passwd
cert /etc/openvpn/server/keys/server_cert.pem
ca /etc/openvpn/server/keys/CA_cert.pem
tls-auth /etc/openvpn/server/keys/shared.key 0 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/server/keys/v2crypt-server.key # new tls key
dh /etc/openvpn/server/keys/dh8192_v2.pem
crl-verify /etc/openvpn/server/crl/crl.pem
# ifconfig-pool-persist /etc/openvpn/server/ipp.txt
client-to-client
client-config-dir /etc/openvpn/server/ccd
# ccd-exclusive # client ccd config must be set
script-security 1
# push "route 10.7.10.0 255.255.255.0"
# route 192.168.24.0 255.255.255.0
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
Client config file
client
dev tun5
proto udp
port 1234
remote 8.8.8.8
key-direction 1
tls-client
remote-cert-tls server
tls-auth /etc/openvpn/shared.key 1 # legacy ta.key
# tls-crypt-v2 /etc/openvpn/v2crypt-client.key # new tls key
ca /etc/openvpn/CA_cert.pem
cert /etc/openvpn/kvm_cert.pem
key /etc/openvpn/kvm_key.pem
askpass /etc/openvpn/kvm_key.passwd
persist-key
persist-tun
# data-ciphers AES-256-CBC
# data-ciphers-fallback AES-256-CBC
txqueuelen 10000
user nobody # openvpn
group nogroup # openvpn
auth sha256
route-method exe
route-delay 10
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3
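The sysctl values and the OpenVPN sndbuf/rcvbuf directives only work together if the socket buffers OpenVPN asks for fit under net.core.wmem_max/rmem_max; the kernel silently caps larger setsockopt requests. Here is an added checker (my example, not code from the post) that parses both fragments and flags such mismatches; the sample inputs are constructed from the values shown above.

```python
import re
# Constructed sample input: the buffer-related lines from the sysctl.conf above
SYSCTL_CONF = """
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
"""
# Constructed sample input: the buffer directives from the server config above
OPENVPN_CONF = """
sndbuf 2097152
rcvbuf 2097152
push "sndbuf 2097152" # 1048576 | 2097152
push "rcvbuf 2097152" # 1048576 | 2097152
"""

def parse_sysctl(text):
    """Map each sysctl key to its list of integer values; '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            out[key] = [int(v) for v in val.split()]
    return out

BUF_RE = re.compile(r'^(push\s+")?(sndbuf|rcvbuf)\s+(\d+)')
def parse_openvpn_buffers(text):
    """Collect local and pushed sndbuf/rcvbuf values, keyed e.g. 'push_rcvbuf'."""
    out = {}
    for line in text.splitlines():
        m = BUF_RE.match(line.strip())
        if m:
            out[("push_" if m.group(1) else "") + m.group(2)] = int(m.group(3))
    return out

def check(sysctl, ovpn):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    for dflt, mx in (("net.core.rmem_default", "net.core.rmem_max"),
                     ("net.core.wmem_default", "net.core.wmem_max")):
        if sysctl[dflt][0] > sysctl[mx][0]:
            problems.append(f"{dflt} exceeds {mx}")
    # setsockopt(SO_SNDBUF/SO_RCVBUF) is capped at wmem_max/rmem_max, so a larger OpenVPN value never takes effect
    limit = {"sndbuf": "net.core.wmem_max", "rcvbuf": "net.core.rmem_max"}
    for k, val in ovpn.items():
        mx = limit[k.replace("push_", "")]
        if val > sysctl[mx][0]:
            problems.append(f"{k}={val} exceeds {mx}={sysctl[mx][0]}, kernel will clamp it")
    return problems
```

Run check() against the output of `sysctl -a` and your real server.conf to confirm that the pushed client buffers also fit under the client's own limits.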
Speed test
On the VPS: iperf3 -s -4
Test against the OpenVPN IP: iperf3 -c 10.10.100.1 -b 100M --time 25 -l 4096
Connecting to host 10.10.100.1, port 5201
[  5] local 10.10.100.25 port 38680 connected to 10.10.100.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  10.8 MBytes  90.4 Mbits/sec  109    291 KBytes
[  5]   1.00-2.00   sec  9.69 MBytes  81.3 Mbits/sec    0    315 KBytes
[  5]   2.00-3.00   sec  11.5 MBytes  96.6 Mbits/sec    0    334 KBytes
[  5]   3.00-4.00   sec  9.37 MBytes  78.6 Mbits/sec   45    262 KBytes
[  5]   4.00-5.00   sec  9.46 MBytes  79.4 Mbits/sec    0    302 KBytes
[  5]   5.00-6.00   sec  9.41 MBytes  79.0 Mbits/sec    0    327 KBytes
[  5]   6.00-7.00   sec  10.3 MBytes  86.0 Mbits/sec    0    340 KBytes
[  5]   7.00-8.00   sec  12.0 MBytes   100 Mbits/sec    0    347 KBytes
[  5]   8.00-9.00   sec  10.7 MBytes  90.0 Mbits/sec    0    365 KBytes
[  5]   9.00-10.00  sec  11.1 MBytes  93.4 Mbits/sec    0    387 KBytes
[  5]  10.00-11.00  sec  11.1 MBytes  93.1 Mbits/sec    0    408 KBytes
[  5]  11.00-12.00  sec  10.2 MBytes  85.9 Mbits/sec    1    334 KBytes
[  5]  12.00-13.00  sec  10.2 MBytes  85.3 Mbits/sec    0    369 KBytes
[  5]  13.00-14.00  sec  12.6 MBytes   106 Mbits/sec    0    391 KBytes
[  5]  14.00-15.00  sec  8.32 MBytes  69.8 Mbits/sec    2    302 KBytes
[  5]  15.00-16.00  sec  9.84 MBytes  82.6 Mbits/sec    0    320 KBytes
[  5]  16.00-17.00  sec  10.4 MBytes  86.9 Mbits/sec    0    336 KBytes
[  5]  17.00-18.00  sec  11.1 MBytes  92.9 Mbits/sec    0    359 KBytes
[  5]  18.00-19.00  sec  10.5 MBytes  88.2 Mbits/sec    0    380 KBytes
[  5]  19.00-20.00  sec  11.1 MBytes  93.0 Mbits/sec    0    401 KBytes
[  5]  20.00-21.00  sec  10.8 MBytes  90.6 Mbits/sec   14    313 KBytes
[  5]  21.00-22.00  sec  10.9 MBytes  91.4 Mbits/sec    0    358 KBytes
[  5]  22.00-23.00  sec  11.5 MBytes  96.7 Mbits/sec    0    387 KBytes
[  5]  23.00-24.00  sec  9.81 MBytes  82.3 Mbits/sec    0    403 KBytes
[  5]  24.00-25.00  sec  11.3 MBytes  94.8 Mbits/sec    0    411 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-25.00  sec   264 MBytes  88.6 Mbits/sec  171             sender
[  5]   0.00-25.03  sec   263 MBytes  88.2 Mbits/sec                  receiver
Test against the WireGuard IP: iperf3 -c 10.10.101.1 -b 100M --time 25 -l 4096
Connecting to host 10.10.101.1, port 5201
[  5] local 10.10.101.25 port 53980 connected to 10.10.101.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  11.9 MBytes  99.9 Mbits/sec  1025    279 KBytes
[  5]   1.00-2.00   sec  10.6 MBytes  89.0 Mbits/sec     0    309 KBytes
[  5]   2.00-3.00   sec  11.5 MBytes  96.6 Mbits/sec     0    327 KBytes
[  5]   3.00-4.00   sec  12.3 MBytes   103 Mbits/sec     0    354 KBytes
[  5]   4.00-5.00   sec  12.5 MBytes   105 Mbits/sec     0    379 KBytes
[  5]   5.00-6.00   sec  11.7 MBytes  98.3 Mbits/sec     1    295 KBytes
[  5]   6.00-7.00   sec  11.6 MBytes  97.2 Mbits/sec     0    339 KBytes
[  5]   7.00-8.00   sec  12.4 MBytes   104 Mbits/sec     0    367 KBytes
[  5]   8.00-9.00   sec  12.5 MBytes   104 Mbits/sec     0    383 KBytes
[  5]   9.00-10.00  sec  11.2 MBytes  94.3 Mbits/sec     1    289 KBytes
[  5]  10.00-11.00  sec  11.4 MBytes  95.7 Mbits/sec     0    311 KBytes
[  5]  11.00-12.00  sec  12.6 MBytes   106 Mbits/sec     0    338 KBytes
[  5]  12.00-13.00  sec  12.4 MBytes   104 Mbits/sec     0    365 KBytes
[  5]  13.00-14.00  sec  12.2 MBytes   102 Mbits/sec     3    275 KBytes
[  5]  14.00-15.00  sec  11.1 MBytes  93.4 Mbits/sec     0    323 KBytes
[  5]  15.00-16.00  sec  12.2 MBytes   103 Mbits/sec     0    354 KBytes
[  5]  16.00-17.00  sec  12.3 MBytes   103 Mbits/sec     0    374 KBytes
[  5]  17.00-18.00  sec  12.0 MBytes   101 Mbits/sec     0    383 KBytes
[  5]  18.00-19.00  sec  11.9 MBytes   100 Mbits/sec     6    281 KBytes
[  5]  19.00-20.00  sec  11.1 MBytes  93.4 Mbits/sec     0    329 KBytes
[  5]  20.00-21.00  sec  12.7 MBytes   107 Mbits/sec     0    361 KBytes
[  5]  21.00-22.00  sec  11.9 MBytes   100 Mbits/sec     0    379 KBytes
[  5]  22.00-23.00  sec  11.9 MBytes   100 Mbits/sec     2    278 KBytes
[  5]  23.00-24.00  sec  10.6 MBytes  89.1 Mbits/sec     0    305 KBytes
[  5]  24.00-25.00  sec  10.7 MBytes  89.7 Mbits/sec     0    325 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-25.00  sec   295 MBytes  99.1 Mbits/sec  1038             sender
[  5]   0.00-25.02  sec   294 MBytes  98.6 Mbits/sec                   receiver
Results
- 88.6 Mbits/sec for OpenVPN
- 99.1 Mbits/sec for WireGuard
Original post on SecOps.it Blog • How to get OpenVPN to 89% of WireGuard's speed