OpenVPN faster with encryption than without it

Tags: encryption, openvpn

I would've expected OpenVPN to achieve higher speeds when encryption is disabled, but the opposite is true.

When setting the cipher to AES-128-GCM, the speed between two of my computers is 580 to 613 Mbit/second:

Mon Jun 15 11:46:06 2020 Data Channel: using negotiated cipher 'AES-128-GCM'
Mon Jun 15 11:46:06 2020 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Jun 15 11:46:06 2020 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key

When setting the cipher to none, the speed between two of my computers is only 460 – 490 Mbit/second.

Mon Jun 15 11:45:11 2020 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Mon Jun 15 11:45:11 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 15 11:45:11 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 15 11:45:11 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 15 11:45:11 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

From what I understand, the "control" channel is just used for really small data packets, while a second "data" channel is used for real information.

I'm trying to reach gigabit speeds through OpenVPN. Even when setting the server's CPU governor to performance, the maximum speed that I can achieve is 613 Mbit/second with the AES-128-GCM configuration. I'm still working through this guide.

When I change my protocol with the AES-128-GCM config to proto udp, the speed drops down to 414 Mbit/second…

After increasing tun-mtu on the client AND the server, the speed goes up to 700 Mbit/second. This change persists when using AES-256 encryption too…

When I also disable auth, the speed goes up to 818 Mbit/second.

When I connect directly (not through OpenVPN), the speed is around 914-980 Mbit/second.

Best Answer

The answer is simple: AES-128-GCM is faster for you than SHA1. Without an AEAD cipher, OpenVPN will still use the configured --auth option (default sha1) to authenticate the packets.
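
An added example (not part of the original answer, and not OpenVPN project code): a small Python check that reads OpenVPN log text and reports what protects the data channel, so a `cipher none` run that still performs a per-packet HMAC can be told apart from an AEAD run. The data-channel HMAC lines in the second sample are constructed and assume `--auth` was left at SHA1; the function and constant names are hypothetical.

```python
import re

# Only "Data Channel" lines describe tunnelled traffic; the "Control Channel
# Encryption" lines quoted in the question are deliberately not matched.
CIPHER_RE = re.compile(r"(?:Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized")
HMAC_RE = re.compile(r"(?:Outgoing|Incoming) Data Channel: Using \d+ bit message hash '([^']+)'")
AEAD_MARKERS = ("-GCM", "CHACHA20-POLY1305")

def data_channel_protection(log_text):
    """Summarise the cipher and HMAC that OpenVPN logged for the data channel."""
    ciphers = sorted({c.upper() for c in CIPHER_RE.findall(log_text)})
    hmacs = sorted({h.upper() for h in HMAC_RE.findall(log_text)})
    cipher = ciphers[0] if ciphers else None
    hmac_alg = hmacs[0] if hmacs else None
    if cipher and cipher.endswith(AEAD_MARKERS):
        mode = "aead"         # integrity comes from the cipher, no separate HMAC pass
    elif cipher and hmac_alg:
        mode = "cipher+hmac"  # encrypt, then a second pass to authenticate
    elif cipher:
        mode = "cipher-only"  # encrypted but packets are not authenticated
    elif hmac_alg:
        mode = "hmac-only"    # cleartext payload, yet every packet is still hashed
    else:
        mode = "none-logged"  # nothing about data-channel protection in this text
    return {"cipher": cipher, "hmac": hmac_alg, "mode": mode}

# Lines taken from the question (AES-128-GCM run).
GCM_LOG = """\
Mon Jun 15 11:46:06 2020 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Jun 15 11:46:06 2020 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
"""
# Constructed sample: a '--cipher none' run with --auth assumed to be SHA1.
NONE_SHA1_LOG = """\
Mon Jun 15 11:45:11 2020 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 15 11:45:11 2020 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
"""
# Lines taken from the question ('--cipher none' run): control channel only.
CONTROL_ONLY_LOG = """\
Mon Jun 15 11:45:11 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 15 11:45:11 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
"""

if __name__ == "__main__":
    for name, text in [("gcm", GCM_LOG), ("none+sha1", NONE_SHA1_LOG), ("control-only", CONTROL_ONLY_LOG)]:
        print(name, data_channel_protection(text))
```

The `hmac-only` result is the case the answer describes: the payload is cleartext, but the sender and receiver still hash every packet. The `none-logged` result shows that the control-channel lines quoted in the question say nothing about how tunnelled data is protected.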