For an OpenVPN server, with AES-256-CBC encryption, LZ4 compression, and forwarding traffic to the internet, the official requirements state:
As a rule of thumb you should assume that on a modern CPU with AES-NI chipset, for every megabit per second of data traffic (in one direction) you need about 20MHz
This means that for 6Gbps (two directions), the hardware requirements for the server are a total of:
6Gbps x 2 = 12Gbps
12 x 1000 / 20 = 600GHz (assume 1Gb = 1000Mb).
The example from OpenVPN is (250 active users with 10Mbps each):
2500Mbps times 20MHz is about 50000MHz or 50GHz. Processors with 3.5GHz for example in dual octa-core setup would get you over those requirements.
This means OpenVPN will use 16 CPU cores of 3.5GHz to get a total of 50GHz.
This breaks every "internet forum rule" that says 'OpenVPN uses only a single core'.
What is the explanation for this clear guideline in the official OpenVPN hardware requirements saying that multiple CPU cores solve the scaling issue?
They call 2.5 Gbps "a reasonably demanding setup", with no word about having to split the load across multiple VPN instances on different ports.
How can that be?
Best Answer
It's not a strict thing, it's a rule of thumb, a guesstimate.
You won't be able to get that kind of throughput with a single OpenVPN instance. You will need to run multiple instances, each listening on a different port and have your firewall redirect new connections randomly to them from your main inbound port. This may not be useful if you want a single client connection but should work well for multiple clients.
You may want to take a look at WireGuard which is built into recent Linux kernels and is available as a kernel module for many distros with kernels >= 3.10. WireGuard is very CPU efficient and can easily saturate a 1Gbps link (and more).
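One way to implement the "firewall redirects new connections randomly to several instances" approach from the answer above, as an added example that is not part of the original post. It assumes Linux iptables with the statistic match and conntrack enabled, and one OpenVPN instance per backend port; the public port 1194 and backend ports 1195-1198 are constructed values.

```shell
#!/bin/sh
# Added example (not from the original question/answer): generate iptables
# rules that spread NEW inbound OpenVPN connections arriving on one public
# UDP port across several OpenVPN instances on consecutive local ports.
# Assumptions: iptables with the 'statistic' match, conntrack enabled, and
# one OpenVPN instance per backend port (e.g. 'port 1195' in its server.conf).
#
# Why it works: nat/PREROUTING is consulted only for the first packet of a
# flow; conntrack then applies the same REDIRECT to every later packet from
# that client, so a session stays pinned to the instance it first hit.

# gen_redirect_rules PUBLIC_PORT FIRST_BACKEND_PORT COUNT
# Prints one rule per backend. Rule k of N fires with probability 1/(N-k+1),
# so each instance receives an equal 1/N share of new connections.
gen_redirect_rules() {
    public_port=$1
    first_port=$2
    count=$3
    k=1
    while [ "$k" -le "$count" ]; do
        backend=$((first_port + k - 1))
        remaining=$((count - k + 1))
        if [ "$remaining" -eq 1 ]; then
            # Last rule: whatever has not matched yet goes here unconditionally.
            printf 'iptables -t nat -A PREROUTING -p udp --dport %s -j REDIRECT --to-ports %s\n' \
                "$public_port" "$backend"
        else
            prob=$(awk -v r="$remaining" 'BEGIN { printf "%.6f", 1 / r }')
            printf 'iptables -t nat -A PREROUTING -p udp --dport %s -m statistic --mode random --probability %s -j REDIRECT --to-ports %s\n' \
                "$public_port" "$prob" "$backend"
        fi
        k=$((k + 1))
    done
}

# Number of rules emitted, for sanity checks before applying anything.
rule_count() {
    gen_redirect_rules "$@" | wc -l | tr -d ' '
}

# Dry run: print the rules for four instances behind UDP 1194.
# Review the output, then pipe it into 'sh' as root to apply it.
gen_redirect_rules 1194 1195 4
```

Each OpenVPN instance still needs its own server.conf (distinct `port`, tun device and status/log files); the clients keep pointing at port 1194 only.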