Can we get better performance?

tk77
Posts: 4
Joined: Sat Oct 17, 2015 3:52 pm

Can we get better performance?

Post by tk77 » Sun Oct 18, 2015 4:16 pm

Hi,

we are currently planning to use SoftEther as a VPN solution in a production environment. To be able to do this, we unfortunately need excellent performance and throughput. The overall architecture is very simple: we have separate servers all over the world, each one of them has a public IP and is not behind NAT of any kind. All servers have at least a 1GB connection, most of them are connected using 10GB cards and sometimes there are several cards per server (bonded together). Also, the servers are quite powerful (16+ cores, 100+GB of RAM and about 20TB SSD drives is nothing special in our case). All our servers are running Debian 8. The Windows GUI is used for management now, but if we decide to deploy SoftEther we will be using vpncmd to automate the process.

Our current setup: One VPN server with a 10G Internet connection and one Virtual Hub + two clients, both with a 1G Internet connection. Like I said, all of them have public IP addresses and there is no traffic at these servers except for our experiments. Client computers use the Linux native SoftEther client program. LocalBridge at the server is not required as the server should only act as a gateway and there is no network behind it that would need to be connected to the VPN. In fact, there is no network behind any of the clients either. At each one of the clients there is a new tun/tap interface created by SoftEther Client Manager. IP addresses are assigned to these interfaces appropriately. The VPN server does not have any new interface after creating the Virtual Hub.

SoftEther settings: Surprisingly, the best performance is achieved with the default settings (LocalBridge not active, L3 routing disabled, SecureNAT disabled, password auth, RC4+MD5, ...). Neither increasing the number of TCP connections nor enabling compression helps the performance. Even more surprisingly, increasing TCP connections had only a negative effect - lowering the speed. UDP acceleration is enabled and active in the current setup. It should be noted that a log obtained using tshark capturing packets on the physical ethernet interface shows that (almost) all the communication happens using udp - tcp connections do not seem to be used at all except for a few packets.

Testing: Throughput obtained using SoftEther's traffic testing tool between two clients when not using VPN was approx. 2Gbps. When sending data through virtual interfaces, thus using VPN, the performance dropped to approx. 450Mbps. None of the clients nor the server were under load greater than 1.5 while the traffic was flowing through VPN. Also, as mentioned before, almost no data were flowing using the tcp connections, only udp was used. Although several modifications have been done to the configuration (changing number of tcp connections, disabling udp acceleration, changing cipher to AES because of AES-NI instruction set, enabling compression, ...) none of them has helped the performance. In fact, all of them had only negative impact and resulted in decreasing the speed.

So my question therefore is - is this normal and should we not expect to get better throughput? Our current usage scenario requires speeds around 800Mbps minimum. And also, is it normal that the underlying tcp connections are not used? I can see them with state ESTABLISHED in netstat, but they are not being used for the actual transfer, only the udp is.

Thanks a lot for your help and btw the work behind SoftEther is astonishing, we really like what you did :)

Tomas

OS: Linux <hostname> 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux
Build: latest v4.19-9582-beta-2015.10.06

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Can we get better performance?

Post by thisjun » Thu Oct 29, 2015 6:04 am

I think the bottleneck may be in the tap device.
Please try bonding tap devices.

tk77
Posts: 4
Joined: Sat Oct 17, 2015 3:52 pm

Re: Can we get better performance?

Post by tk77 » Wed Nov 04, 2015 3:26 pm

Hi thisjun,

thanks a lot for your answer. Just to make sure we are on the same page - there is no tap interface on the VPN server itself, just on the clients. So are you suggesting creating multiple tap interfaces using the 'NicCreate' command, then bonding them together and then using the newly created device (call it tapbond0) as a device for the account created by the 'AccountCreate' command? Therefore the configuration using vpncmd would look kind of like this:

NicCreate tap1
NicCreate tap2
NicCreate tap3
<bonding tap1 with tap2 and tap3 together into tapbond0>
AccountCreate GW_NAME /NICNAME:tapbond0 /USERNAME:....

Thanks a lot,
Tomas

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Can we get better performance?

Post by thisjun » Thu Nov 19, 2015 6:53 am

Yes.
