4

My small ALIX machine is not coping with the new demand for OpenVPN throughput I have. So I'm looking to replace it. Problem is, I don't have any experience with hardware sizing for OpenVPN. I'm looking for something that satisfies this profile:

  • = 100Mbit/sec Throughput
  • Cipher either AES-128-CBC or AES-256-CBC or Blowfish
  • Small power footprint

I've been looking into pairing a small Atom single-core with a PCI GigE NIC, but have my doubts.

What works for you? What can you recommend?

Any answers like "I get x Mbit/sec with this rig" are also very much appreciated to get a feeling for it.

Thanks in advance.

EEAA
leto

2 Answers

2

Getting 100 Mbps throughput is easy, getting much more than 300 Mbps throughput is very hard (on Linux). This is due to the 'tun'/'tap' design in the Linux kernel.

Also, the Blowfish algorithm is largely clockspeed bound, as I've found out when comparing hardware that ranged from brand new to 8 yrs old.

AES128 and AES256 might benefit from Intel's AES-NI patch which seems to speed things up even on non-AES-NI capable hardware.

Anything running more than 800 MHz should be fine to get 100 Mbps throughput, with decent GigE cards (Intel, Broadcom, etc).

janjust
1

You need at least:

  • decent GBit NICs. Cheap NICs generate too many interrupts per traffic, which hogs CPU.
  • when the machine doesn't do anything else, an 800MHz to 1GHz x86 (Atom) should do
  • look into a VIA CPU. They've integrated crypto, which lends itself very well to machines designated as VPN concentrators.
knitti
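Both answers size the box by clock speed and cipher. One way to check a candidate machine against the 100 Mbit/sec target is to run `openssl speed -evp` for each cipher in the question and convert the result into a share of one core. The following is an added example, not code from either answer: the function names are hypothetical, the sample figures are constructed rather than measured, and picking the 1024-byte column to stand in for a tunnel packet is an assumption.

```python
# Added example: sample figures below are constructed, not measurements.
import re

# Constructed sample in the layout printed by `openssl speed -evp <cipher>`;
# values are in thousands of bytes per second, per the tool's own note.
SAMPLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      41000.00k    46000.00k    48000.00k    48500.00k    48700.00k    48700.00k
aes-256-cbc      31000.00k    34000.00k    35000.00k    35200.00k    35300.00k    35300.00k
bf-cbc           28000.00k    31000.00k    32000.00k    32200.00k    32300.00k    32300.00k
"""

def parse_speed(text):
    """Return {cipher: {block_size_bytes: bytes_per_second}}."""
    sizes, table = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            # Header row names the block size of each column.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        fields = line.split()
        rates = [f for f in fields[1:] if re.fullmatch(r"[\d.]+k", f)]
        if sizes and len(rates) == len(sizes):
            table[fields[0]] = {s: float(r[:-1]) * 1000 for s, r in zip(sizes, rates)}
    return table

def core_share(table, target_mbit=100, packet_bytes=1024):
    """Fraction of one core spent on the cipher alone at target_mbit.

    packet_bytes=1024 is an assumption: the benchmark column closest to a
    full-size tunnel packet. HMAC, tun/tap copies and NIC interrupts are extra.
    """
    need = target_mbit * 1_000_000 / 8  # bytes per second to encrypt
    return {name: need / rates[packet_bytes] for name, rates in table.items()}

if __name__ == "__main__":
    for name, share in core_share(parse_speed(SAMPLE)).items():
        print(f"{name:12s} {share:6.1%} of one core for 100 Mbit/sec")
```

A share close to or above 1.0 means the cipher alone saturates a core before the tunnel, HMAC and interrupt costs mentioned in the answers are counted.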