From owner-freebsd-hackers@freebsd.org Fri Apr 19 16:45:49 2019 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0F4CE1571C20 for ; Fri, 19 Apr 2019 16:45:49 +0000 (UTC) (envelope-from wojtek@puchar.net) Received: from puchar.net (puchar.net [194.1.144.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5802986D1F for ; Fri, 19 Apr 2019 16:45:48 +0000 (UTC) (envelope-from wojtek@puchar.net) Received: Received: from 127.0.0.1 (localhost [127.0.0.1]) by puchar.net (8.15.2/8.15.2) with ESMTPS id x3JGjhe1046266 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 19 Apr 2019 18:45:44 +0200 (CEST) (envelope-from puchar-wojtek@puchar.net) Received: from localhost (puchar-wojtek@localhost) by puchar.net (8.15.2/8.15.2/Submit) with ESMTP id x3JGjhSW046263; Fri, 19 Apr 2019 18:45:43 +0200 (CEST) (envelope-from puchar-wojtek@puchar.net) Date: Fri, 19 Apr 2019 18:45:43 +0200 (CEST) From: Wojciech Puchar To: Jim Thompson cc: Eugene Grosbein , Wojciech Puchar , freebsd-hackers@freebsd.org Subject: Re: openvpn and system overhead In-Reply-To: Message-ID: References: <0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138@grosbein.net> User-Agent: Alpine 2.20 (BSF 67 2015-01-07) MIME-Version: 1.0 X-Rspamd-Queue-Id: 5802986D1F X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of wojtek@puchar.net designates 194.1.144.90 as permitted sender) smtp.mailfrom=wojtek@puchar.net X-Spamd-Result: default: False [-5.72 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; R_SPF_ALLOW(-0.20)[+mx]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[multipart/mixed,text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[puchar.net]; TO_DN_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: puchar.net]; CTYPE_MIXED_BOGUS(1.00)[]; RCVD_IN_DNSWL_NONE(0.00)[90.144.1.194.list.dnswl.org : 127.0.10.0]; NEURAL_HAM_SHORT(-0.91)[-0.907,0]; IP_SCORE(-3.51)[ip: (-9.27), ipnet: 194.1.144.0/24(-4.63), asn: 43476(-3.71), country: PL(0.07)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:43476, ipnet:194.1.144.0/24, country:PL]; MID_RHS_MATCH_FROM(0.00)[] Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8BIT X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Apr 2019 16:45:49 -0000 >> >> You need either some netmap-based solution or kernel-side vpn like IPsec (maybe with l2tp). >> For me, IKE daemon plus net/mpd5 work just fine. mpd5 is userland daemon too, >> but it processes only signalling traffic like session establishment packets >> and then it setups kernel structures (netgraph nodes) so that payload traffic is processed in-kernel only. > > > Addendum to previous message to freebsd-hackers: > > We have (also) considered a netmap-enhanced (enabled?) OpenVPN. You still have the problem that the ‘stack’ inside OpenVPN is single-threaded/single packet at a time. > > Also, you’ll need to multiplex > 1 instance of OpenVPN, maybe using the programability of VALE (aka ‘mswitch’). > there is no problem that openvpn is single threaded. i can easily divide things over multiple openvpn processes. The problem is CPU load it produces. It will not be smart to use up whole 8 core machine just to provide 3-4Gbps of VPN traffic with no spare power to do actual work. i found that most of time openvpn executes system call, encryption takes little time. if FreeBSD would be able to provide multiple packets per read/write call from/to tun device, as well as send/recv would have multipacket version - it would mean speeding it up at least 4 times. From owner-freebsd-hackers@freebsd.org Fri Apr 19 17:01:14 2019 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 393EC1572552 for ; Fri, 19 Apr 2019 17:01:14 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from hydra.pix.net (hydra.pix.net [IPv6:2001:470:e254:10::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.pix.net", Issuer "Pix.Com Technologies LLC CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id E544087988 for ; Fri, 19 Apr 2019 17:01:13 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from torb.pix.net ([IPv6:2001:470:e254:10:fc26:6da6:2a7d:3ae5]) (authenticated bits=0) by hydra.pix.net (8.15.2/8.15.2) with ESMTPA id x3JH16iS002659; Fri, 19 Apr 2019 13:01:13 -0400 (EDT) (envelope-from lidl@FreeBSD.org) X-Authentication-Warning: hydra.pix.net: Host [IPv6:2001:470:e254:10:fc26:6da6:2a7d:3ae5] claimed to be torb.pix.net Subject: Re: openvpn and system overhead To: freebsd-hackers@freebsd.org References: <0cc6e0ac-a9a6-a462-3a1e-bfccfd41e138@grosbein.net> Reply-To: lidl@FreeBSD.org From: Kurt Lidl Message-ID: <8e238882-1779-41ed-92fd-33abf2667d18@FreeBSD.org> Date: Fri, 19 Apr 2019 13:01:06 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Apr 2019 17:01:14 -0000 On 4/19/19 12:45 PM, Wojciech Puchar wrote: >>> >>> You need either some netmap-based solution or kernel-side vpn like >>> IPsec (maybe with l2tp). >>> For me, IKE daemon plus net/mpd5 work just fine. mpd5 is userland >>> daemon too, >>> but it processes only signalling traffic like session establishment >>> packets >>> and then it setups kernel structures (netgraph nodes) so that payload >>> traffic is processed in-kernel only. >> >> >> Addendum to previous message to freebsd-hackers: >> >> We have (also) considered a netmap-enhanced (enabled?) OpenVPN.  You >> still have the problem that the ‘stack’ inside OpenVPN is >> single-threaded/single packet at a time. >> >> Also, you’ll need to multiplex > 1 instance of OpenVPN, maybe using >> the programability of VALE (aka ‘mswitch’). >> > there is no problem that openvpn is single threaded. i can easily divide > things over multiple openvpn processes. > > The problem is CPU load it produces. It will not be smart to use up > whole 8 core machine just to provide 3-4Gbps of VPN traffic with no > spare power to do actual work. > > i found that most of time openvpn executes system call, encryption takes > little time. > > if FreeBSD would be able to provide multiple packets per read/write call > from/to tun device, as well as send/recv would have multipacket version > - it would mean speeding it up at least 4 times. Well, FreeBSD does have sendmmsg()/recvmmsg(), which allows for sending/receiving multiple packets per system call. I do not know if the "tun" device allows for send/recv type processing, or just read/write. Don't get me wrong -- having in-kernel processing, like ipsec does, is far superior to doing it as a userland daemon, IMHO. Just pointing out that there is a multi-packet system call that could be used, possibly, to make the userland solution less horrible. -Kurt