OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: narfight on November 16, 2017, 11:42:35 am
-
Hi,
I use an old Watchguard XTM505 with:
- OPNsense 17.7.6-amd64
- Intel(R) Celeron(R) CPU 440 @ 2.00GHz (1 cores)
- 3 GB of RAM
I have a problem with OpenVPN. My users (4 users connected simultaneously) tell me that the VPN is very slow. When I look at the CPU load, I see this:
last pid: 47564; load averages: 1.45, 1.54, 1.41 up 6+22:30:52 11:37:19
163 processes: 4 running, 118 sleeping, 41 waiting
CPU: 41.4% user, 0.0% nice, 51.7% system, 6.9% interrupt, 0.0% idle
Mem: 43M Active, 1038M Inact, 320M Wired, 135M Buf, 1523M Free
Swap:
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU COMMAND
70144 root 87 0 1063M 7468K RUN 9:10 57.62% openvpn
24578 root 48 0 1051M 3016K RUN 206:45 35.85% syslogd
12 root -92 - 0K 656K WAIT 203:40 2.37% intr{irq257:
12 root -92 - 0K 656K WAIT 89:59 2.18% intr{irq261:
12 root -92 - 0K 656K WAIT 26:43 0.73% intr{irq273:
22407 root 20 0 20032K 4092K RUN 0:00 0.27% top
12 root -92 - 0K 656K WAIT 33:03 0.21% intr{irq258:
12 root -92 - 0K 656K WAIT 8:53 0.20% intr{irq262:
12 root -60 - 0K 656K WAIT 10:48 0.15% intr{swi4: c
7 root -16 - 0K 16K - 12:49 0.13% rand_harvest
12 root -92 - 0K 656K WAIT 1:53 0.08% intr{irq274:
14493 root 20 0 1091M 6804K select 0:00 0.03% sshd
6 root -16 - 0K 16K pftm 4:42 0.03% pf purge
12 root -92 - 0K 656K WAIT 268:29 0.02% intr{irq277:
90908 root 20 0 1049M 2764K select 2:25 0.02% apinger
12 root -72 - 0K 656K WAIT 3:31 0.01% intr{swi1: p
12 root -92 - 0K 656K WAIT 0:29 0.01% intr{irq20:
53819 squid 20 0 1067M 4576K select 0:04 0.01% pinger
75491 squid 20 0 1723M 605M kqread 877:05 0.01% squid
40796 dhcpd 20 0 1057M 8292K select 0:47 0.01% dhcpd
37732 squid 20 0 1067M 4572K select 0:18 0.00% pinger
31640 squid 20 0 1067M 4572K select 0:34 0.00% pinger
77885 squid 20 0 1067M 4572K select 0:34 0.00% pinger
(...)
Can you help me reduce the CPU load?
Thanks in advance
-
As a measure, "very slow" doesn't tell us much. How much bandwidth are these 4 people using?
You can very easily max out CPU with openvpn with several users with sorta quick connections.
Especially a CPU as weak as this one. I'm not sure how much bandwidth to tell you to expect, but it's not going to be extremely fast by any means. How much total bandwidth do you need?
-
100% of CPU = 4Mb/s on the OpenVPN interface
The capacity of my line is 40Mb/s.
Can I change something to reduce the CPU load?
For example, change "DH parameters Length" from 4096 to 2048, or change "Encryption algorithm" from "AES-256-CBC (256 bit key, 128 bit block)" to a lower option?
-
@narfight I notice a high load on syslogd, so there may just be an issue. Did you check the logs?
-
The load of syslogd and openvpn are closely related.
Nothing strange in the content of the logs.
Listing of log files:
root@wan:/var/log # ls -l
total 8713
-rw-r----- 1 root wheel 1617 Nov 16 00:00 acme.sh.log
lrwxr-xr-x 1 root wheel 26 Nov 9 13:06 bsdinstaller -> /root/var/log/bsdinstaller
-rw------- 1 root wheel 511488 Nov 16 13:55 dhcpd.log
-rw------- 1 root wheel 94441 Nov 16 03:01 dmesg.today
-rw------- 1 root wheel 90168 Nov 15 03:01 dmesg.yesterday
-rw------- 1 root wheel 511488 Nov 9 13:07 dnsmasq.log
-rw------- 1 root wheel 511488 Nov 16 13:55 filter.log
-rw------- 1 root wheel 511488 Nov 14 03:01 gateways.log
-rw------- 1 root wheel 511488 Nov 9 13:07 ipsec.log
-rw-r--r-- 1 root wheel 0 Nov 9 13:07 lastlog
-rw------- 1 root wheel 511488 Nov 9 13:07 lighttpd.log
-rw------- 1 root wheel 189 Nov 10 03:01 mount.today
drwxr-xr-x 2 root wheel 0 Nov 9 13:09 ntp
-rw------- 1 root wheel 511488 Nov 10 03:01 ntpd.log
-rw------- 1 root wheel 511488 Nov 16 13:55 openvpn.log
-rw------- 1 root wheel 511488 Nov 9 13:07 portalauth.log
-rw------- 1 root wheel 511488 Nov 9 13:07 ppps.log
-rw------- 1 root wheel 511488 Nov 16 13:53 resolver.log
-rw------- 1 root wheel 511488 Nov 9 13:07 routing.log
-rw------- 1 root wheel 2783 Nov 10 03:01 setuid.today
drwxr-x--- 2 squid squid 960 Nov 16 00:00 squid
-rw------- 1 root wheel 511488 Nov 9 13:07 squid.syslog.log
-rw------- 1 root wheel 511488 Nov 9 13:07 suricata.syslog.log
-rw------- 1 root wheel 511488 Nov 16 13:55 system.log
-rw------- 1 root wheel 1088 Nov 9 13:09 userlog
-rw-r--r-- 1 root wheel 197 Nov 16 13:30 utx.lastlogin
-rw-r--r-- 1 root wheel 189 Nov 16 13:30 utx.log
-rw------- 1 root wheel 511488 Nov 9 13:07 vpn.log
-rw------- 1 root wheel 511488 Nov 9 13:07 wireless.log
-
I would use the lowest encryption settings I could get away with. Then, I'd find a tech museum and donate the Watchguard. After that, I'd get either a new box for opnsense or a used piece of hardware. What you need for the speeds you mentioned earlier isn't an expensive rig. Most likely you can get it for free. Heck, I'm using one like that right now. VERY old retired dual core AMD x2 processor.
You just need a couple of reasonably quick cores on an older converted desktop, or else you could buy a new small device. It's up to you.
-
Thank you for your recommendations.
Can you tell me what I can change server-side without having to deploy a new file to my users?
-
In my opinion, there isn't much you can do to make your box fast with openvpn. However, this is one of those rare times when I would say give ipsec a try if you are intent on keeping your watchguard.