OpenWrt Forum Archive

Topic: Hardware advice for an OpenVPN router

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
cruiser12
13 Oct 2009, 17:49

Hello guys,

encryption with OpenVPN needs alot of CPU, so if there is a constant stream of 200kB/s
and i also want to have a minimum of delay.

Which routers, that are supported by OpenWRT have a strong CPU or are the best choice for this kind of usage.

Thanks in advance.

Chris

(Last edited by cruiser12 on 14 Oct 2009, 00:13)

Post #2
dajhard
14 Oct 2009, 08:32

Not sure about OpenVPN encryption, but AR71xx @ 680 MHz is a good choice.

Try Mikrotik RB433AH / UAH (128MB RAM on board) or Ubiquiti RouterStation (64MB RAM). AR7100 CPU @ 680 MHz, 3x miniPCI, 2x USB, 64MB NAND.
I am running RB433AH with 2 x SuperA wireless links, got 8 MB/s on each. Now trying to get some Ubiquiti RS, they ship with OpenWRT preinstalled. Also will test 802.11n when i get some N Atheros cards.

BF

Post #3
leonardogyn
14 Oct 2009, 16:52

200kB/s is barely nothing. You can easily go with Routerboard 450 (no MiniPCI slots) or Routerboard 433/433AH (with MiniPCI slots).

there's also the new ones 433AHU and 450G, but seems network support is not fully implemented as i'm writing this post.

i have lots of RB450 running, most of them with 2 OpenVPN instances (TLS mode) with no problem at all. Pretty stable and reasonably cheap.

i have already done some benchmarks with RB450 and OpenVPN ... using AES-256 which is the most cpu intensive criptography algorithm, i could maintain 7-9Mbit/s before reaching 100% of CPU. And RB450 is only 300MHz. In real life, using blowfish, throughput would be even higher.

(Last edited by leonardogyn on 14 Oct 2009, 16:54)

Post #4
Dogge
14 Oct 2009, 16:55

Or the Ubiquiti RouterStation.

Post #5
leonardogyn
14 Oct 2009, 17:25

just for curiosity, some numbers from a Routerboard 450 @ 300MHz (this is the RB450 not newest RB450G)

OpenVPN uses OpenSSL for criptographic/hashing routines, so here's openssl speed numbers:

OpenSSL 0.9.8j 07 Jan 2009
built on: Sun Feb  8 22:19:37 BRST 2009
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr) 
compiler: mips-openwrt-linux-uclibc-gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/solutti/openwrt2/trunk/staging_dir/target-mips_uClibc-0.9.30/usr/include -I/home/solutti/openwrt2/trunk/staging_dir/target-mips_uClibc-0.9.30/include -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_ERR -DOPENSSL_NO_HW -DTERMIO -Os -pipe -mips32r2 -mtune=mips32r2 -funit-at-a-time -fhonour-copts -fpic -fomit-frame-pointer -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   2048 bytes
md2                  0.00         0.00         0.00         0.00         0.00 
mdc2                 0.00         0.00         0.00         0.00         0.00 
md4               1124.71k     3999.98k    11977.64k    23897.09k    28654.25k
md5                827.07k     2910.49k     8522.75k    16461.82k    19488.77k
hmac(md5)         1266.29k     4176.68k    10955.35k    18438.14k    20809.05k
sha1               681.53k     1868.84k     3839.57k     5217.28k     5550.76k
rmd160               0.00         0.00         0.00         0.00         0.00 
rc4              12849.72k    14513.71k    15000.66k    15125.85k    15148.37k
des cbc           2413.23k     2551.27k     2589.78k     2598.91k     2600.96k
des ede3           905.53k      926.42k      930.56k      931.84k      932.52k
idea cbc             0.00         0.00         0.00         0.00         0.00 
seed cbc             0.00         0.00         0.00         0.00         0.00 
rc2 cbc           2350.54k     2441.54k     2465.54k     2471.59k     2472.62k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00 
blowfish cbc      4976.94k     5390.59k     5520.55k     5551.10k     5556.22k
cast cbc          4229.83k     4559.06k     4650.41k     4673.54k     4677.63k
aes-128 cbc       3236.31k     3389.27k     3429.63k     3441.32k     3443.37k
aes-192 cbc       2832.93k     2961.68k     2983.08k     2991.45k     2993.49k
aes-256 cbc       2523.28k     2614.85k     2640.04k     2646.70k     2648.06k
camellia-128 cbc        0.00         0.00         0.00         0.00         0.00 
camellia-192 cbc        0.00         0.00         0.00         0.00         0.00 
camellia-256 cbc        0.00         0.00         0.00         0.00         0.00 
sha256             753.85k     1771.86k     3176.70k     3961.51k     4132.18k
sha512             204.39k      820.63k     1190.31k     1638.06k     1747.63k
aes-128 ige       3324.92k     3545.26k     3603.46k     3621.89k     3622.91k
aes-192 ige       2905.75k     3081.03k     3115.09k     3127.64k     3127.30k
aes-256 ige       2578.67k     2707.20k     2742.36k     2761.38k     2752.51k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.013975s 0.001220s     71.6    819.6
rsa 1024 bits 0.075338s 0.003841s     13.3    260.4
rsa 2048 bits 0.472727s 0.013514s      2.1     74.0
rsa 4096 bits 3.245000s 0.049458s      0.3     20.2
                  sign    verify    sign/s verify/s
dsa  512 bits 0.012181s 0.014000s     82.1     71.4
dsa 1024 bits 0.037879s 0.044933s     26.4     22.3
dsa 2048 bits 0.132105s 0.159365s      7.6      6.3
root@sede:~#
Post #6
dajhard
15 Oct 2009, 09:08

Well, regarding the number of interfaces (and type) he needs there is 450G or 433(U)AH. But a AR71xx 680MHz CPU performing great.

Post #7
cruiser12
19 Oct 2009, 20:07

hello,

i was checking the list with supported devices, but at most of the routerboards i saw (WIP) work in progress.... ?

Is it supported in the meantime

chris

The discussion might have continued from here.