Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

22Mar/1616

OpenVPN performance on the Pi

Setting up an OpenVPN router on the Pi is pretty straight forward but what about performance? How much performance do we lose by using the Raspberry Pi or the Banana Pi? I have been testing a few different models to see what the overall performance difference is. I also wanted to compare them against each other. OpenVPN is heavy on the CPU due to it's encryption, there are a lot of guides out there about turning the encryption of but why even use a VPN then? It all depends on what you use your VPN tunnel for and what kind of through put you actually need. In this test I have used all three main versions of the Raspberry Pi and a Banana Pi.

Background

A good VPN gateway of any kind needs two things, CPU and bandwidth! Here the earlier models of the Raspberry is at a disadvantage, both when it comes to CPU and the network since they only have 100Mbit nics. The Banana Pi has the advantage of 1Gbit nic but lacks computing power same as the earlier Raspberry Pi models. It all comes down to what use case you need. In my implementation I want a default gateway on my network that can provide me with a "Swedish" internet connection for play channels from home. To be able to stream news and series that are only available to a Swedish ip address. So I don't really need the entire bandwidth of my internet connection. But at the same time performance is always nice!

The other disadvantage you have with a VPN tunnel is latency, or ping as the gamers call it. The time it takes for a package to go to a server and for you two receive the confirmation package back. This is very important for TCP based protocols that verifies all data transfers. For UDP, used for streaming, bandwidth is more important. So a VPN connection, even with a high latency, that have decent bandwidth can still perform well for streaming or torrents. You can read more about how to setup an OpenVPN gateway on the Pi.

How did I do the test

I used speedtest.net using the closest test server to my exit point and the same each time. I ran this on my laptop connected to my local LAN via cable using the Pi as the default gateway to access the internet. The reason why I did this was to simulate what performance I would actually get in the real implementation. I also installed speedtest-cli on the Pi to run a few tests but more on that later in this article. You can easily install it with:

sudo apt-get install speedtest-cli

And then just run it with:

speedtest-cli

I ran the test a few times and took the best "score" produced for each model. As you can see in the results there are pretty big margin of error in the tests them self's.

Test results

Internet connection, without any VPN:
Down: 180.38 Mb/s
Up: 12.18 Mb/s

Laptop running the OpenVPN client (Dell Precision M4800, 2.5Ghz 8 cores, 32Gb memory, Gbit-nic)
Down: 19.13 Mb/s
Up: 10.02

Raspberry Pi Model B (700Mhz single core, 512Mb memory, 100Mbit-nic)
Down: 9.02 Mb/s
Up: 3.13 Mb/s

Raspberry Pi 2 Model B (900Mhz quad core, 1Gb memory, 100Mbit-nic)
Down: 10.67 Mb/s
Up: 4.49 Mb/s

Raspberry Pi 3 Model B (1.2Ghz quad core, 1Gb memory, 100Mbit-nic)
Down: 12.16 Mb/s
Up: 3.59 Mb/s

Banana Pi M1 (1Ghz dual core, 1Gb memory, Gbit-nic)
Down: 8.99 Mb/s
Up: 2.81 Mb/s

I also ran a few tests with speedtest-cli on the Pi's them self's without the VPN running. Here I could see a huge difference with the Nic speed! The Raspberries leveled out between 35-45Mb/s while the Banana Pi got 170 Mb/s! So yes Nic speed does matter!

Conclusion

First conclusion is that my VPN provider sucks! It's not really a geo-location VPN but used for privacy back home, had the account since before that's why I still use it. I think this numbers would be very different with a faster VPN provider. You can however see the difference between the CPU speeds. If the VPN baseline from my laptop would have been higher I would have taken the time to install an Odroid C1 which has both the CPU horsepower as well as the Gbit nic. But I will defiantly revisit this when I have a better VPN to try with so I can floor out the CPU's on all these boxes.

When I started these tests my daily driver OpenVPN gateway was a Raspberry Pi Model B, it still is. The performance is enough for what I'm using it for and the difference in speed is to little for me to sacrifice a Raspberry Pi 2 or 3 that can be used for other projects at this time. But as I said I will revisit this one when I have better VPN to run on!

Comments (16) Trackbacks (0)
  1. Nice post. Thanks

  2. I’ve found pfsense makes a faaar better VPN server/gateway than a Pi, because you can run it on any hardware you want. For eg my current pfsense firewall is running on a Dell P4 desktop with two extra NIC’s, one for LAN and one for a wifi AP – the on-board NIC is WAN. Very efficient. OpenVPN is ez to configure in pfsense.

  3. Pfsense is great but exactly the same technology we are using here with a nicer WUI. Of course it’s better since it has more computing power but it will also be more expensive, draw more power and be noisier. I would say that you couldn’t compare the two since they aim at two very different use cases.

  4. pfsense isn’t what has more computing power…it’s the hardware. The Pi, while it can do some amazing things considering cost and size, just isn’t powerful enough to handle VPN very well. The Dell P4 I mentioned was free, given to me by someone who upgraded a home PC and didn’t need it anymore. FreeBSD can make use of Intel SpeedStep, so when load is low it reduces power draw substantially. I’d love a low-power, low-cost, small firewall, but that’s just not possible…can’t have it all. The BananaPi does a bit better, I think, although to be fair I haven’t tried mine yet.

  5. Realize that I was a bit blurry there, sorry. Yes of course it’s the hardware that is the difference. Either if you got it for free or not it’s originally more expensive hardware. The comparison between the hardware is like a compact and a pickup truck.

  6. The odroid C1 also has an HW encryption engine which might help a lot (if you trust the chinese cryptography)
    Also , maybe you could test with a local VPN server, Anyway.. i get somewhat the same results locally for a pi B+

  7. Don’t know if openVPN actually utilizes the hardware acceleration or not. But that might be interesting to look into!

  8. Hi think openvpn encryption run only on one core.. So bandwidth is limited by the speed of one core. It’s suck a lot with a raspberry, on all VPN provider 🙁

  9. I think you are right. That would explain the small variance in the results!

  10. Hi, what performance do you run the OpenVPN connection without crypto? I have something similar setup for a friend with an old RPi1 model B and a VPS running in Germany. While streaming German TV at HD quality the rpi is using 25% CPU. It uses a little bit more during initial buffering when the movie is starting. I am in Argentina so my main issue is the 250 msec round trip to Germany which makes interactive operations such as scrolling in the menues a bit slow. I am only paying €1 per month for a Ubuntu 16.04.1 VPS on Vmware (single core, 1GB RAM, 20GB disk, 500GB data transfer), which is very reasonable. I wonder if mtu and mss could be configured to improve total bandwidth and reduce fragmentation.

  11. I have never looked into running the VPN without crypto. It more or less defeats the whole purpose. Essentially what you are looking at then is something a proxy would do much more efficient then the VPN server can.

  12. I agree a proxy would be better, I am much more familiar with OpenVPN and not willing to spend the time to learn how to set up a proxy server on Ubuntu, proxy client on OpenWRT, and to get my rpi to act as gateway over the proxy.

  13. Thanks for the article. I am using a rPi 2 model B as a media center running Kodi-OSMC. Recently I started using ExpressVPN, which works great… at least for the rest of the computers at home.

    They use AES-256, and it seems to be a bit of an overkill for the Pi. I am getting almost symmetric 60 Mbit/s without VPN, but when I connect to the VPN it goes down to 2 – 3 Mbit / s

    ExpressVPN does not allow for different encryption levels, so I was wondering if any of you have some suggestion on how to optimize the OpenVPN performance on my Pi. Thanks in advance!

  14. The performance drop seems a bit big to me. Have you tested the VPN on another computer so you have numbers to compare? My suggestion is to run it on a dedicated Pi and use it as a gateway.

  15. The VPN runs quite well in any other computer at home. I did not think about using a dedicated Pi acting as a gateway, I think that is a very good point. Having the Pi dealing with video decoding, huge amount of traffic plus VPN encryption might be too much.
    I was also considering a router supporting a VPN client, although quite pricy compared with the pi alternative. I will give it a try. Thanks 😉


Leave a Reply

No trackbacks yet.