Folks,

I want to know which VPN should be applied to my RB450G
Right now i have 7PPTP VPN and 5 OVPN with 12 Mbps average bandwidth and 7000pps
CPU Usage 40 - 50 %

I want to reduce this CPU Usage. Please suggest on VPN or other ways to reduce the CPU Usage.

Thank you so much.

- Rio.Martin -

Hi there,

There are several things you could try.
If the data transferred is not too sensitive, drop encryption on the PPTP vpn.
Definitely drop compression if you're using it.
Also, if you are using only mikrotik to mikrotik vpn, try L2TP instead of PPTP, as it doesn't use GRE which is pretty CPU intensive when shifting a lot of packets.

Since I don't use OpenVPN I can't really comment on ways to make it more effective or if there is a better alternative.

Hello Hedele,

i drop the encryption on PPTP
i also changed the MTU to 512 instead of 1480

effect so far = reduce CPU Usage 10 - 15 %

I will try to migrate all the PPTP to L2TP if my ISP didnt blocked the protocol.

Thanks

Reducing down MTU is not good idea it will not get you down cpu usage. You will see connectivity problems - packet drops.

Exactly - reducing MTU is not something you would generally want to do for several reasons.
One is that you can't exactly be sure that MTU path discovery is working correctly in all situations,
which leads to all kinds of nasty side-effects (webpages not loading correctly, etc...),
the other one is that now your Router will have to fragment/assemble many more packets than previously -
which actually increases CPU load.

So I think you should be putting the MTU back to 1460

Why on earth would a provider block L2TP? It's just another thingy using some UDP port...
Actually I had more problems getting PPTP to work in a lot of situations, as it requires that all devices are
aware of PPTP/GRE and handle it correctly. L2TP is just another UDP application for most routers and easily traverses
NAT Firewalls.

Hedele,

Thanks. Finally i got 50% reduce from earlier state. CPU usage now only 20 - 30% average.

About L2TP getting blocked by my provider, that would be just a business reason i guess. They dont want their cheap bandwidth pricing used improperly for tunnel transport to another provider.
Since their service is just burstable best effort. If i use Internet port only, it only consumed their 50 - 60% capacity. But if i use VPN L2TP or PPTP i can use 100% of their bandwidth ... ha ha h aha ... :p

I think L2TP is unique. They dont use UDP for initiate protocol. Because i tried to test L2TP UDP port from another nodes, it always connected. I think my provider only block the first initiate protocol, which is not the UDP protocol.

Yesterday i did some reasearch and try to move all the PPTP accounts to OVPN.
Its weird enough on Mikrotik.
3 years ago i managed all VPN account (around 20 nodes) with capacity 500Kbps until 2Mbps each account, its very good in performance.
I wonder why the Mikrotik Guy didnt want to add feature to OVPN transport to use UDP Protocol. Its very light and its so simple to configure.

I waist my 20 hours spending on configuration how to connect from Linux Client to connect to MT OVPN Server. Huh..
OVPN with MT is not so simple to use. Their method is very complicated with certificates. ha ha h aha ...

- Rio.Martin -