OpenWrt Forum Archive

Topic: OpenVPN Multi-threaded

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
siris
16 Dec 2009, 18:16

Hello all,

I am currently using OpenVPN on two WRT54GL's and notice a Sine curve like traffic fluctuation.  What I mean to say is, there seems to be cyclical delays during traffic sends.  It is almost a galloping.  In efforts to try and combat this I am wondering if anyone has modified OpenVPN to be compiled using threads.  The default configure from OpenWRT for v2.0_rc15 is:

efine Build/Configure
        $(call Build/Configure/Default, \
                --disable-pthread \
                --disable-debug \
                --disable-plugins \
                --enable-management \
                --disable-socks \
                --enable-password-save \
                ,\
                ac_cv_func_epoll_create=no \
        )
endef

I am tempted to remove the --disable-pthread and see what happens.  Does anyone know of any implications for stability if doing so?  Also, has anyone seen this traffic galloping, and if so what did you do?

Thanks,

Erik

Post #2
siris
16 Dec 2009, 20:20

Hello all, it appears there is no multi-threaded support for OpenVPN 2.0:

OpenVPN 2.0 has no multithreading support, this is the only feature present in
1.x which has been removed from 2.0.

Reasons for removing it:

The original rationale for having the TLS thread optimization was to improve
latency during the TLS key negotiation which is very CPU intensive.  The 1.x
pthread implementation uses pthreads only for this very special case, which
does not improve overall efficiency on multiprocessor machines, but helps to
keep tunnel-forwarding latency down during the TLS negotiation.

I did some testing on 2.0 to determine the worst-case latency caused by the
TLS negotiation in single threaded mode.  On a 2GHz x86, the worst-case
latency was about 160 milliseconds for a 2048 bit key and 40 milliseconds for
a 1024 bit key.  Even with 100 users hitting a TLS renegotiate once per hour,
the probability that two or more of these 160 millisecond latency periods
would overlap to make a bigger latency is still quite small.

I think these latency numbers are too small to justify the extra level of
complexity entailed by multithreading.  Not to mention whole classes of
potential bugs which arise when you attempt to multithread code, and
incompatibilities that exist between multithread implementations on different
OSes.  Bottom line is that I don't think multithreading in OpenVPN is worth
the trouble.

Having said all that, I understand that certain applications which are
extremely latency dependent, such as VoIP, might hiccup with the above
latency numbers.  Especially if you're running VoIP on a slow server with big
RSA keys.  Probably everyone else wouldn't even notice whether or not the TLS
negotiation is multithreaded.

Keep in mind that people use multithreading to:

(1) improve latency, or
(2) improve performance on multithreaded machines

OpenVPN 1.x only tried to hit (1).

With OpenVPN 2.0, my decision was basically that (1) didn't justify the
complexification that pthread support would entail and that (2) is satisfied
by different means.

So how do you improve performance on multithreaded machines, to take advantage
of all processors, i.e. if (1) is not worth the effort, then how to
accomplish (2)?

Answer:  Run multiple server mode daemons on different ports, and have the
client load balance between them by using multiple "remote" entries in the
client side config.  This is actually more efficient than multithreading
because each OpenVPN daemon gets its own private virtual memory address
space, so there is no bus contention from multiple processors over the same
address space, as would occur with a multi-threaded execution model.

James

The discussion might have continued from here.