I like to secure my home network with a VPN, so I have used single board computers for years for that. I started with the Raspberry PI 1, upgraded to BananaPi 1, then upgraded to an ODROID C2, tried out the new Raspberry PI 3, before ending up with my current ODROID N2. I upgraded frequently, as running encryption on these small computers maxes out their CPU capability with ease, and OpenVPN only uses 1 CPU Core, so having a multi-core CPU does not help a lot in this use case. Also, even though my ODROID N2 has hardware accelerated AES encryption, unfortunately, the SHA512 hash algorithm used by my VPN provider is not hardware accelerated. In addition to the VPN, I use the ODROID as PiHole to filter ads and trackers on a DNS network level and also as a network backup server that emulates an Apple Time Capsule.
In this post I talk about how I was able to get better VPN performance.
It has happened several times to me that openvpn was slow, and not delivering more then 40 MBit/s on the connection. Instead I saw a rather high cpu/interrupt load for ksoftirqd/0. After a lot of searching, I figured out that it was using one of the 2 “little” ARM A53 cores instead of the faster ARM A73 cores. On the ODROID N2 the little cores are cores 0-1, the big cores are 2-5 (for some details on the processor architecture, see https://www.hardkernel.com/blog-2/odroid-n2/).
The solution? Setting the CPU affinity, meaning the preference where the openvpn process runs, to the faster CPU cores by changing the startup script (/etc/init.d/openvpn) to startup the openvpn process using taskset:
DAEMON="taskset --cpu-list 2-5 /usr/sbin/openvpn"
Depending on your system, you may also want to change the Systemd service to execute the openvpn process with taskset, too. You can prepend the taskset command from above in the service definition file in:
/lib/systemd/system/[email protected]
and then run:
systemctl daemon-reload systemctl restart openvpn
After a short speedtest, I now reach more than 300 MBit/s with OpenVPN running with AES-256-GCM and SHA-512 encryption.