Very slow network speed using Tinc

Guus Sliepen guus at tinc-vpn.org
Mon Oct 21 16:59:54 CEST 2013


On Mon, Oct 21, 2013 at 04:08:26PM +0200, Florent Bautista wrote:

> Between 2 nodes, we have 150 Mbit/s network speed without Tinc (public
> IPv4 to public IPv4 using iperf), and only 3 Mbit/s using Tinc (private
> IPv4 to private IPv4).

Which options did you use when running iperf?

> Here is the configuration of Tinc we use :
[...]
> MACExpire = 30

Why did you lower this value?

> And for each host :
[...]
> Cipher = ECDHE-RSA-AES256-SHA384

That is an invalid name for an encryption cipher; instead, that is a name for a
cipher suite. If you want to use AES256 as a cipher, use "Cipher = aes-256-cbc".

> Compression = 3

Compression may or may not increase performance. Try leaving it out first.

> Each node is Intel Core i7/Xeon powered.

This should indeed be able to handle more than 100 Mbit/s.

> Some precisions :
> 
> physical interfaces MTU is 1500.
> 
> virtual interfaces MTU is also 1500 (we need it for compatibility).
> 
> Can IP fragmentation be that bottleneck ? How can I be sure of that ?

Yes, that can be a bottleneck. However, normally tinc will automatically detect
the optimal path MTU between nodes, and will send ICMP messages on the VPN or
modify the MSS header of TCP packets so that the sender will reduce the size of
packets so they will not be fragmented. However, if you send UDP packets larger
than the path MTU with the DF bit unset, then tinc has no choice but to
fragment those packets.

My own tests show that iperf over a tinc VPN saturates a 100 Mbit/s link.
However, if you run iperf in UDP mode, it limits the UDP bandwidth to 1 Mbit/s by default.
You can increase it, but the order of the command line options is important:

iperf -c host -u -b 150M

If you use another order it ignores your bandwidth setting.

> If you need some other configuration values, let me know.

It might be best to start with the default configuration parameters first. Use
only Mode, Name, Address and ConnectTo variables. If that works fine, try
adding other configuration statements until the performance drops.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
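
The following is an added example, not part of the original message or of tinc itself. It is a small linter that applies two points from the reply to a tinc configuration: it flags a Cipher value that looks like a TLS cipher suite name, and it lists every variable outside Mode, Name, Address and ConnectTo so they can be re-added one at a time. The suite-name prefix list is a heuristic assumed for this example, and the node names and address in the sample are constructed.

```python
import re

# Variables the reply suggests starting with; anything else is a candidate
# to remove and re-add one at a time while measuring throughput.
BASELINE = {"mode", "name", "address", "connectto"}

# Heuristic (assumption of this example): OpenSSL-style TLS suite names begin
# with a key-exchange token, which a bare cipher name like aes-256-cbc does not.
SUITE_PREFIXES = {"ecdhe", "dhe", "ecdh", "dh", "adh", "aecdh", "psk", "srp", "tls"}

# tinc accepts both "Variable = Value" and "Variable Value".
LINE = re.compile(r"^([A-Za-z]+)\s*(?:=\s*|\s+)(\S.*)$")

def parse(text):
    """Return [(variable, value)] from tinc.conf or hosts/* text."""
    items, in_key = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_key = True
        if in_key:  # skip the PEM public key block found in host files
            in_key = not line.startswith("-----END")
            continue
        m = None if line.startswith("#") else LINE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
    return items

def review(text):
    """Return (findings, extras): suspicious Cipher values, non-baseline variables."""
    findings, extras = [], []
    for var, value in parse(text):
        key = var.lower()  # tinc variable names are case-insensitive
        if key == "cipher" and value.split("-")[0].lower() in SUITE_PREFIXES:
            findings.append(f"Cipher = {value}: TLS cipher suite name, not a cipher name")
        if key not in BASELINE:
            extras.append(var)
    return findings, extras

# Constructed sample: the three values quoted in the thread plus made-up
# baseline entries, merged into one text for brevity.
SAMPLE = """Name = node1
Mode = switch
ConnectTo = node2
Address = 192.0.2.10
MACExpire = 30
Cipher = ECDHE-RSA-AES256-SHA384
Compression = 3
"""

if __name__ == "__main__":
    print(review(SAMPLE))
```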