It wouldn't matter benchmarking it. It will not be significantly different. From what you describe the crypto capacity of cpu is at least 10-fold what you see on the wire. So the issue is somewhere else. On December 30, 2019 10:08:28 AM UTC, Carles Pina i Estany <carles@xxxxxxxx> wrote: > >Hi, > >On Dec/30/2019, David Woodhouse wrote: >> On Sat, 2019-12-28 at 22:53 +0100, Carles Pina i Estany wrote: >> > Hi openconnect, >> > >> > I have a question regarding CPU usage, network speed and >openconnect. >> > >> > I'm using openconnect from Debian (Debian package version 8.02-1) >> > connecting to a Cisco AnyConnect. I'm using NetworkManager but I'm >happy >> > to use the command line if this would help. >> >> A few months ago we had a similar thread, and some performance >> improvements went into the 8.03 release. Please could you update to >git >> master and try? > >on Saturday I tried with v8.05. I couldn't see any big improvement. >Since then I reverted back to use the Debian package (v8.02-1) >integrated with the NetworkManager. > >> There's also an experimental perfhacks branch: >> >http://git.infradead.org/users/dwmw2/openconnect.git/shortlog/refs/heads/perfhacks >> >> Most of that is for ESP support, not DTLS, but the 'reuse packets >> instead of free/malloc' bought us a few percent and I'd like to >> eventually fix up all the buffer sizing inconsistencies and merge it >> (or just move to using rings). > >I'll try to test the perfhack branch today. > >> > I see that openconnect uses about 35 to 40% of CPU (measured with >top) >> > in my 4 cores laptop. >> > >> > When using openconnect the connection is about 5 to 8 MB/s >otherwise >> > more than twice this speed. >> > >> > The system administrators on the other side don't seem to be aware >of >> > any speed limitation or throttling. >> > >> > The internet connection or even the upload speed to the other side >is >> > higher if no OpenConnect is used. >> > >> > My question is: do you know of any way to make the VPN faster? >> > >> > Any experience compiling openconnect (I might try this anyway) >instead >> > of using the Debian precompiled version? Any parameters that could >be >> > used, faster cyphering, etc.? >> >> You can try forcing it to use different ciphers with the >--dtls-ciphers >> option. > >I haven't succeeded forcing gnutls-cli to do benchmarks for >AES-256-CBC. >I've tried: >gnutls-cli --benchmark-ciphers --priority=PERFORMANCE >gnutls-cli --benchmark-ciphers --priority=SECURE256 > >--dtls-ciphers is not an option on my gnutls-cli (version 3.6.7) > >> Please could you set it running, then use 'perf record -a >netperf....' >> to record the *full* system activity (including kernel and >openconnect) >> for each of a large upload, and a large download. Use your own >existing >> benchmark or workload if that's easier than netperf. >> >> Let's see where it's actually spending the time, and what we can do >> about it. > >I'll do it. > >Thanks! -- Sent from my mobile. Please excuse my brevity. _______________________________________________ openconnect-devel mailing list openconnect-devel@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/openconnect-devel
