I am planning a new network. All the traffic coming out of this network will be forwarded into a VPN in order to exit out onto the Internet on a distant server. This will be done via OpenVPN. There will be only one tunnel.
We're looking at a very high speed Internet connection with a downstream speed of 100 Mbit/s and an upstream speed of 5 Mbit/s.
What sort of hardware will I need to support such speeds? Are there any thumb rules for hardware sizing of OpenVPN servers?
Will an Atom board be sufficient? What about an AMD Geode 800 MHz?
Thank you in advance for your help,
Best Answer
I would guess an Atom CPU will handle 100mbit of OpenVPN traffic. Under load you might find an Atom will introduce a little more latency than a faster CPU, but this will probably not be significant when considered against the latency of any long-distance links you have between the server and the clients.
Some unscientific test results, running data between my netbook with an Atom CPU to a local OpenVPN server (over a 1000mbit network, but the netbook only has a 100Mbit NIC):
where 192.168.43.1 is the server as seen just over the local network and 192.168.44.1 is the same machine as seen via an OpenVPN link over that network. The VPN is in bridged mode, using a UDP based connection.
htop showed the CPU being taxed more during the VPN test than the user+sys counts from `time` indicate because `time` is only counting `dd`'s CPU activity, not the VPN's. It showed cpu0 at ~70% and cpu1 at ~30% all through the test which would suggest the CPU is close to the limit it can transfer via OpenVPN in that test (that Atom was single core but with hyperthreading) - though it still managed to shuffle along at 9.5Mbyte/sec.

As an indication of the latency added by the VPN (which will be a combination of overheads from CPU work encrypting data and overhead from the tunnelling method), pinging with small (default, 56 byte payload) packets:
and larger (2048 byte payload) ones:
Obviously you'll get different results with the VPN handling multiple connections exhibiting real-world traffic patterns, so you might want to perform some more detailed tests yourself. You might be able to squeeze more out with some tweaking - my OpenVPN setup is pretty much running on out-of-the-box defaults.
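
An added example, not part of the original answer: because `time` only reports `dd`'s own CPU use, this Python code reads the OpenVPN process's CPU ticks from `/proc/<pid>/stat` around a transfer and extrapolates a throughput ceiling for one core. It assumes Linux and a single-threaded OpenVPN daemon; the function names and the sample snapshots are constructed for illustration.

```python
import os
import time

def cpu_ticks(stat_line):
    """Return utime + stime (clock ticks) from one /proc/<pid>/stat line."""
    # The comm field may itself contain spaces or ')', so cut after the last ')'.
    fields = stat_line.rsplit(")", 1)[1].split()
    # fields[0] is field 3 (state); utime is field 14, stime is field 15.
    return int(fields[11]) + int(fields[12])

def vpn_cost(before, after, elapsed_s, bytes_moved, clk_tck=100):
    """Charge the daemon's CPU time between two snapshots to one transfer."""
    cpu_s = (cpu_ticks(after) - cpu_ticks(before)) / clk_tck
    core_share = cpu_s / elapsed_s            # 1.0 = one core fully busy
    mbit_s = bytes_moved * 8 / elapsed_s / 1e6
    # Linear extrapolation to a saturated core (assumes a one-thread daemon).
    ceiling = mbit_s / core_share if core_share > 0 else float("inf")
    return {"core_share": round(core_share, 3),
            "mbit_s": round(mbit_s, 2),
            "ceiling_mbit_s": round(ceiling, 2)}

def measure(pid, transfer):
    """Live use on Linux: transfer() pushes data through the tunnel and
    returns the byte count; pid is the running OpenVPN process."""
    path = f"/proc/{pid}/stat"
    with open(path) as f:
        before = f.read()
    start = time.monotonic()
    moved = transfer()
    elapsed = time.monotonic() - start
    with open(path) as f:
        after = f.read()
    return vpn_cost(before, after, elapsed, moved, os.sysconf("SC_CLK_TCK"))

# Constructed snapshots (not measurements from the answer): 600 ticks of
# CPU used by the daemon while 60 MB crossed the tunnel in 10 s.
SAMPLE_BEFORE = "1234 (openvpn) S 1 1234 1234 0 -1 4194560 250 0 0 0 1000 500 0 0 20 0 1"
SAMPLE_AFTER = "1234 (openvpn) S 1 1234 1234 0 -1 4194560 250 0 0 0 1400 700 0 0 20 0 1"

if __name__ == "__main__":
    print(vpn_cost(SAMPLE_BEFORE, SAMPLE_AFTER, 10.0, 60_000_000))
```

The ceiling is a straight-line estimate from one run; repeat it with the cipher and packet sizes you intend to deploy before sizing hardware from it.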