Date: Wed, 18 Mar 2015 22:40:34 +0000
From: Matt Smith
To: Mike Tancsa
Cc: John-Mark Gurney, FreeBSD-STABLE Mailing List
Subject: Re: 35-40% performance drop releng9 vs releng10 openvpn
Message-ID: <20150318224034.GG1271@xtaz.uk>
In-Reply-To: <5509FC19.2020201@sentex.net>

On Mar 18 18:28, Mike Tancsa wrote:
>On 3/18/2015 5:14 PM, John-Mark Gurney wrote:
>>As I've never used OpenVPN before and their docs don't go into saying
>>what it's using.. Is OpenVPN a kernel or userland VPN? Do they use
>>IPSec in the kernel? or are they just using UDP or TCP for their
>>connections?
>
>All in userland. I use UDP for the transport, and it uses OpenSSL in
>the base for the crypto. In this case, AES-128-CBC. There is no
>hardware assist on the APU either to offload the AES.
>

Isn't OpenSSL in the base on releng9 the 0.9.8 version whereas in
releng10 it's the 1.0.1 version? This could make a significant
difference. I've heard rumours before that the newer version is a lot
slower but I've never had cause to believe it. It could be worth
installing OpenSSL from the ports system on the releng9 box and
reinstalling OpenVPN so that it links against it. Then they will both
be on 1.0.1. Could be an interesting test?

-- 
Matt