Finally hacked my way through setting up OpenVPN in ethernet/TAP mode.
However, after doing so, and running JPerf/IPerf on machines at either end, I get really poor throughput.
I’m using SHA-1 / AES-256-CBC on a RB450G - and I get a max throughput of around 10Mb/s, but then have drops down to 2Mb/s for a second or two. Average throughput is under 10Mb/s - which really is quite bad, IMO.
CPU use is under 50% though, which tells me something is wrong.
So - what’s going on that is crippling performance so badly and gives such erratic throughput?
[I’ve tested PPTP and IPSec and both give better than 25Mb/s on the same hardware - and both show CPU use at those throughput speeds of 100% - which all makes sense. So, why doesn’t OpenVPN as implemented on RoS really utilize the CPU fully?]
But testing using IPSec, also using SHA1/AES-256, I get more than DOUBLE the throughput with all other factors being identical. [~25Mb/s on a RB450G @ 100% CPU utilization.]
Using SHA1/AES-256 and OpenVPN I get <10Mb/s @ <50% CPU utilization, AND wild fluctuations in throughput from 2Mb/s to a little over 10Mb/s.
Perhaps there’s some reason the IPSec implementation on RoS is better, but I don’t think AES-256 is the explanation, since my testing used AES-256 on both.
[And even if it were, it still doesn’t explain why we’re only at <50% CPU utilization and that performance is so erratic. (i.e. 10Mb/s one second, and 2Mb/s the next, back to 8Mb/s and back to 5.)]
The most probable explanation is that the MikroTik implementation of the OpenVPN tunneling software is, at least, deficient and slow, and has been unmaintained for ages.
Another one could be (to be confirmed) that the OpenVPN tunnel software is doing crypto computing in userland, while an IPSec implementation could rely on the kernel crypto API. I’m not sure of this last possibility.
What I find odd is that while the throughput was half what I expected, the CPU utilization was also half.
So, say, <10Mb/s throughput, but the CPU was also only at 50%.
While doing crypto in userland could explain low throughput at high CPU utilization, I’m still just baffled at the results. It’s like there’s a governor on the CPU utilization on RoS’s OpenVPN processes that prevents them from exceeding 50%.
Perhaps, going back to the bad design implementation theme, the implementation is so bad and CPU utilization can so easily get out of hand, that the userland code to do OpenVPN has a resource management “hypervisor” that prevents it from killing the system because it’s such junk…
Dunno - it’s all total speculation - but the whole thing seems to stink like a week-old salmon, left in the backseat of the car in the middle of summer.
But we do agree on one thing. IMO, OpenVPN on RoS is a really bad, ugly joke from any contact I’ve had with it. Joke as in: You’d laugh at/ridicule it too.