Throughput on KVM guest - ideas for making it faster

Jürgen Walter juwalter at mailbox.org
Tue Mar 4 18:59:43 CET 2014 

Hi all,

thanks for making Tinc available - it works well and I managed to get a decent configuration going in only a few hours, great :)

I am building a VPN for my cloud servers (hosted at DigitalOcean, they use Linux and KVM). I am on Ubuntu 12.04 with Kernel 3.0.8-36, and tinc is at version 1.0.16.

From a functional point of view, everything works like a charm! But I am wondering, if there is a way to improve the throughput? I used “iperf” to gather some rough data; when I connect iperf to the public or private interface (DigitalOcean has a private network option, however it is only private to *all* of their customers, not only me, hence I opted for tinc), I get roughly 200MB/s throughput, when I connect through tinc’s tun0 interface, I get only 20MB/s. I also noticed that tinc is fully saturating the CPU. 

I was wondering if you have any suggestions to get more throughput, e.g. do you think it is worthwhile to try and compile the latest, pre-release version of tinc, or maybe apply some kernel tuning options when running inside a VM?

Many thanks, Jürgen


my configs:
==========
tinc.conf
-------------
Name = bob
AddressFamily = ipv4
BindToInterface = eth1
DirectOnly = yes
Mode = switch
Broadcast = no
Forwarding = off
LocalDiscovery = yes
Interface = tun0
ConnectTo = alice
# I also tried a minimal config, with only “Name”, “AddressFamily” and “Interface” - it did not make any difference

hosts/alice
---------------
Address = 10.128.x.y
Subnet = 192.168.188.1

hosts/bob
---------------
Subnet = 192.168.188.2

cat tinc-up
--------------
#!/bin/sh
ifconfig $INTERFACE 192.168.188.1 netmask 255.255.255.0

Startup logs:
==========
tincd -D -d5 -n myvpn
------------------------------
tincd 1.0.16 (Jul 27 2011 12:56:56) starting, debug level 5
/dev/net/tun is a Linux tun/tap device (tap mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Ready
Read packet of 90 bytes from Linux tun/tap device (tap mode)
…
Sending MTU probe length 1459 to bob (10.128.a.b port 655)
Sending MTU probe length 1459 to bob (10.128.a.b port 655)
Got MTU probe length 1459 from bob (10.128.a.b port 655)
...
Received packet of 90 bytes from bob (10.128.a.b port 655)
Broadcasting packet of 90 bytes from bob (10.128.a.b port 655)
Writing packet of 90 bytes to Linux tun/tap device (tap mode)
Fixing MTU of bob (10.128.a.b port 655) to 1459 after 8 probes

-------------- n?chster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde abgetrennt...
Dateiname   : smime.p7s
Dateityp    : application/pkcs7-signature
Dateigr??e  : 4885 bytes
Beschreibung: nicht verf?gbar
URL         : <http://www.tinc-vpn.org/pipermail/tinc/attachments/20140304/c6a36399/attachment.bin>

More information about the tinc mailing list