# BeagleBone Black OpenVPN Performance

UPDATE (later that day…)

I re-ran the test, this time using the BBB as the server and the OpenVPN client was running in an Ubuntu VM on my Mac.  The two devices were connected directly via Ethernet.  As expected, the numbers are much better when they don’t travel across the world.

And the bandwidth results:

Over OpenVPN:

```iperf -c 10.1.0.1 -t 20
------------------------------------------------------------
Client connecting to 10.1.0.1, TCP port 5001
TCP window size: 21.8 KByte (default)
------------------------------------------------------------
[  3] local 10.1.0.2 port 58840 connected with 10.1.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.1 sec  79.2 MBytes  33.1 Mbits/sec
```

Over raw TCP. Interestingly, this was slower. However, I only ran the test once.

```iperf -c 192.168.2.10 -t 20
------------------------------------------------------------
Client connecting to 192.168.2.10, TCP port 5001
TCP window size: 22.9 KByte (default)
------------------------------------------------------------
[  3] local 10.0.2.15 port 59179 connected with 192.168.2.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.1 sec  68.4 MBytes  28.6 Mbits/sec
```

Original Post follows

A visitor asked about OpenVPN performance on the BeagleBone Black (BBB).  It wasn’t too bad to set up OpenVPN on a server; I followed this tutorial. The test setup is as follows:

• OpenVPN client: BBB, located in the middle of the United States
• OpenVPN server: My Virtual Private Server, located in Europe

For various reasons I didn’t want to run the server on my local computer. I mention this because the measured bandwidth is not very impressive. However, the inquirer seemed more interested in CPU performance, so I think this test setup should be fine.

After I connect the client and server via the VPN, I ran iperf to gather the statistics. On the client, I used this clever script to capture CPU performance and prep the data for gnuplot. Gnuplot is one of those programs that I use once in blue-moon, so I’m posting the commands, mainly so I remember them next time 😉

```set title "BeagleBone Black OpenVPN AES-128-CBC Performance"
set ylabel "Idle CPU (percent)"
set xlabel "Time (seconds)"
set terminal postscript eps
set output 'out.eps'
plot "openvpn.txt" using 1:2 title 'OpenVPN' with lines, "no_vpn.txt" using 1:2 title "No VPN" with lines
```

Anyway, here are the results.

The CPU was about $50\%$ idle with OpenVPN, which is not that bad. For comparison, the normal iperf test, without any encryption, keeps the CPU about $90\%$ idle.

(for this first I accidental ran it for 200 seconds, so I interrupted the test after 30 seconds or so. The key number is the bandwidth metric).

With OpenVPN using AES-128-CBC:

```debian@arm:~/easy-rsa\$ iperf -c 10.1.0.1 -t 200 -p 5001 &
------------------------------------------------------------
Client connecting to 10.1.0.1, TCP port 5001
TCP window size: 19.9 KByte (default)
------------------------------------------------------------
[  3] local 10.1.0.2 port 53215 connected with 10.1.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-132.3 sec  80.6 MBytes  5.11 Mbits/sec
```

Without (just TCP):

```debian@arm:~/easy-rsa\$ iperf -c remote_server -t 20 -p 5001 &
------------------------------------------------------------
Client connecting to remote_server, TCP port 5001
TCP window size: 21.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.2.10 port 43301 connected with XXX.XXX.XXX.XXX port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.5 sec  13.5 MBytes  5.54 Mbits/sec
```

Yes, 5.11 Mbits/sec is slow, but without OpenVPN I was only getting 5.54 Mbits/sec.

I tried to use OpenSSL with crypto acceleration, but I ran into a bunch of issues when OpenVPN tries to statically link the libraries.  The above tests are just using the BBB’s CPU.  I’m continually impressed with this platform and surprised that people keep insisting on using the Raspberry Pi.  😉  Update: I shouldn’t be so smug seeing how the BBB CPU was floored on the second test.

Also, SparkFun is now selling the BBB (although they appear to be out of stock as of 27 November 2013).

## 7 thoughts on “BeagleBone Black OpenVPN Performance”

1. Martin says:

thanks for the results,
it is not exactly what I wanted but thanks for your time and effort anyway.

I was thinking of running OpenVPN server on BBB directly and see how much traffic you can push through the VPN (of course more than 5mbps, maybe test it on LAN to remove WAN as bottleneck)

and thanks for mentioning cryptodev + openssl + openvpn not working out of box very well.
I was hoping to replace my RPI with BBB and run OpenVPN server on it utilizing HW crypto engine to achieve better throughput (RPI@900MHz gives me ~15Mbps) and I am looking to at least 2-3 times better results (with AES-128-CBC)

if BBB could deliver this, it would be awesome
otherwise I will have to opt for more expensive Intel i3 setup ans use AES-NI that will give me performance in hundreds of Mbps

or is there any other board similar to BBB with HW crypto engine with similar (or a bit higher) price range?

Thanks

1. Ah, ok. Maybe in a day or two I can setup a local setup. But, locally, with a BBB as a client, I was only pushing 94Mbps.

The BBB is the only one that I know of. The Pi and Cubieboard both do not have processors that use crypto acceleration.

Intel Haswell’s chip has it: pdf. But I don’t know of any embedded platforms, like the BBB, that are using it. Maybe in a year? 🙂

2. I just tried to setup the BBB as a server and my mac as the open vpn client. Unfortunately, I was able to get it working. I get all sorts of issues on my mac with OpenVPN and then I tried a VM with Ubuntu. Well, I’m using Internet sharing and my VM can’t talk to the BBB.

Anyway, sorry about that. I’m very annoyed that I can talk from my VMs to the BBB at my desk. I think I just need to get a Linux computer 🙂

3. Martin,

I re-ran the test so that it matches your use case a bit more. The BBB CPU did indeed go to 11 ;), I mean, 100% usage (0% idle) during the test. I just updated the post, so if your browser reloads the page you should see the new graph. I would be very interested in knowing if that hardware acceleration helped, but I was running into all sorts of compile problems.

Another visitor was able to get hardware acceleration using Squid. He states he gets 18Mbps.

2. Martin says:

thank you very much for adjusting the test scenario to exactly match my needs.
the results seem pretty good considering that it is all done in CPU and not using HW crypto engine.
Could you talk a bit more about those compile problems?
If we could iron them out and benefit from HW crypto, that would be awesome.
I never used crypto engine but compiled openssl and openvpn from sources couple of times

thank you very much,
Martin

1. I can’t seem to find the links at the moment, but here the summary of the issue:

OpenVPN wants to statically link OpenSSL, which is fine. On configure, you can point OpenVPN, via CFLAGS and LDFLAGS, to a custom version of OpenSSL. To enable crypto acceleration with cryptodev, you must build OpenSSL from scratch [1]. I configured OpenVPN to point to that version of OpenSSL.

When I tried to make, it complained that the version of OpenSSL was in an unreadable format. I can’t seem to find this now, but I thought I read that OpenVPN wants OpenSSL to be built for a generic architecture and mine is built for armhf. It’s not clear to me how to fix this. Admittedly, I only tried once 🙂

3. Martin says:

it’s hard to give any advice without the exact message,
this would probably be too easy to work https://community.openvpn.net/openvpn/ticket/305, I see it was merged into master branch but I am not sure if it was also repackaged into downloadable source package (unless you are compiling source from git master branch)

another option I would try would be to compile openvpn 2.2.2 as it handles openssl a bit differently and I had much more success compiling against custom-built but not installed openssl