I recently bought a RockPi 4 to replace my Raspberry Pi as VPN gateway. The reason is that the performance numbers of OpenSSL/OpenVPN impressed me. Today I received my device and set it up, first with Ubuntu Server and then with Armbian Buster. In both cases I can reproduce good performance indicators when using the usual testing methods:
root@rockpi:~# openssl speed -evp aes-256-cbc -elapsed
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 60081162 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 31535221 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 10636732 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 2871501 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 373949 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 16384 size blocks: 186738 aes-256-cbc's in 3.00s
OpenSSL 1.1.1 11 Sep 2018
built on: Tue Nov 12 16:58:35 2019 UTC
options:bn(64,64) rc4(char) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-J6qvxk/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc    320432.86k   672751.38k   907667.80k   980139.01k  1021130.07k  1019838.46k
and
root@rockpi:~# openvpn --genkey --secret /tmp/secret
0 --tun-mtu 20000 --cipher aes-256-cbc --test-crypto --secret /tmp/secret --verb 0
Thu Jan 2 18:25:45 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real 0m1.973s
user 0m1.960s
sys 0m0.008s
Both of these tests showed much lower numbers on an RPI (1/10th openssl, 12s openvpn), which is giving me approx. 7MB/s download speed via VPN. Unfortunately, when checking the VPN throughput of the RockPI4, I am getting approx. 2MB/s and I do not understand why. Based on the tests the RockPI must be 10 times faster than the RPI, but in fact it is (much!) slower. Is there a specific configuration necessary to make the RockPI perform better in an OpenVPN environment? I have tried several things but nothing worked. I cannot believe that this is the max the RockPI can deliver! Help is much appreciated!
First, I’m not an expert in this, so think of it as a general recommendation.
Second, if it’s intended to run on the CPU, don’t forget to use taskset to use the hi-freq cores.
Third, be sure to install all of Rockchip’s packages which Radxa provides in their repos (to be precise, look for the GPU driver section there: https://wiki.radxa.com/Rockpi4/Sgminer).
Fourth, when it comes to software optimization, remember that the RasPi is on a whole other level of being accepted in the “big project” society; just think, there is a special OpenVPN package called PiVPN. The RockPi, on the other side, is only starting to be accepted. On raw scales the RockPi has the high ground, but in terms of software development (which highly depends on users) nothing beats the RasPi (for now at least).
Thanks for your suggestions. I have tried to set CPU affinity to every CPU core available, but it does not change anything. The installation guide you showed is not working with Ubuntu Server; those GPU drivers are not available there.
In general the thing is that when using openssl/openvpn with the commands shown in my first thread the performance is nice, so the question is why this changes suddenly when it comes to throughput via VPN connection. I assume there are some settings to be configured to optimize the traffic, but at the moment I have no idea where those might be…
By the way, the reason why the crypto speed is so high in the test commands is that RockPI 4 is capable of crypto hardware support, so there shouldn’t be a need to change a particular CPU core…
Erm, please be sure that you added the radxa repository in this case, because they are available. And for hardware support of anything you first need to have the correct driver for it. Please do this
I had the stable radxa repo in apt source lists. Now I changed it to testing and installed the GPU drivers. After reboot tried VPN again, same speeds, no change…
Scripts have nothing to do with speed, optimisations or hw crypto optimisation, which is what @Talkabout is interested in. Those are just install scripts. Ofc they are useful and handy, but they optimise nothing but the install process.
A stereotype turned into religion to earn millions and have full control over millions of computers running Linux in a closed-source virtual machine owned by Microsoft. Linux has been here since the 90s, Unix before that …
Once you have good communication with the hardware (kernel), you are done. Everything that works on the RPi works here or on your desktop PC. Ofc there are grey areas, but in principle that’s it.
Works here too. If by any chance not on Radxa Debian, then on Armbian.
So you have to tell OVPN or Wireguard to use that somehow … It’s a common Rockchip problem. I would search widely.
And this is exactly what I do not understand. When running the tests (first post), in both cases (openssl and openvpn) the hardware crypto is used, because otherwise the numbers would have been much smaller. You can check out this page for reference:
Here the RockPI 4 has one of the highest results, which was the reason I decided to try it. I also have a Rock64 lying around, which I also tried to use as a VPN gateway. The throughput was good, and the VPN speed was what I was expecting, but unfortunately I was not able to make it run stable with Armbian. I faced crashes all the time, which is not good for a gateway to the internet. But the speed, also with Rockchip hardware, was good enough. So now the question is what is the difference between those two (Rock64 and RockPi 4)?
One more thing that is more than strange: if the RPI is not using hardware crypto and is able to deliver a bandwidth of approx. 7MB/s via VPN, how can it be that the RockPI 4 with a much faster processor is giving approx 2MB/s? It seems to be the case that the bandwidth is limited somewhere else and not by OpenVPN…
I have tried all the available distributions (armbian ubuntu/debian, ubuntu bionic server), in all cases results are the same. I am not able to get the speed above 3MB/s.
Yes, I tried Armbian with kernel 5.4 and 4.4, there is no change in behavior. Searching the net was not successful; I have not found anybody with exactly this problem on the RockPI 4. There are some posts about general performance tweaks like using a specific and isolated CPU core. I have tried all of them, no success. I have also tried several tweaks in the OpenVPN client configuration file (sndbuf/rcvbuf…) but still no change. That is why I think the limiting factor is not OpenVPN, especially because the crypto tests were showing very promising numbers. Even without hardware crypto the RockPI should give higher numbers than a Raspberry PI, but it does not. That is why I was hoping to find a solution in this forum…
Thanks for the suggestion, but there is no difference in speed with or without the module. I have loaded it manually (modprobe rk_crypto) and added it to /etc/modules (then reboot) and still nothing changed, speed < 2MB/s…
I have done a lot of research already, also on the pages mentioned by you. None of them provided a solution to the problem. Assuming that this is the forum of the RockPI’s vendor, I was hoping to get some more help here, maybe also somebody trying out if the issue is reproducible or simply an issue with only my device…
Yesterday I was playing around with the CPU frequencies and realized that those are throttled. Maybe this is one of the problems… I also realized that RockPI 4 is not supported by Armbian, they have a section in their forums claiming support for this device being still “in development”.
It seems to me the device itself is not that mature yet…
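Added example, not part of the thread: a small shell check for the two CPU points raised above (pinning to the high-frequency cores with taskset, and throttled CPU frequencies). It assumes the standard Linux cpufreq sysfs layout; the function names and the optional root argument are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Per-core cpufreq report: core, hardware max (kHz), policy cap (kHz),
# current clock (kHz), governor, and "capped" when the policy limit is
# below what the hardware allows.
# Usage: cpufreq_report [cpu_root]   (defaults to the live sysfs tree)
cpufreq_report() {
    root="${1:-/sys/devices/system/cpu}"
    for dir in "$root"/cpu[0-9]*; do
        # Skip cores without a cpufreq policy (or an unmatched glob).
        [ -r "$dir/cpufreq/scaling_max_freq" ] || continue
        hw_max=$(cat "$dir/cpufreq/cpuinfo_max_freq")
        cap=$(cat "$dir/cpufreq/scaling_max_freq")
        cur=$(cat "$dir/cpufreq/scaling_cur_freq")
        gov=$(cat "$dir/cpufreq/scaling_governor")
        if [ "$cap" -lt "$hw_max" ]; then state=capped; else state=ok; fi
        printf '%s %s %s %s %s %s\n' \
            "${dir##*/cpu}" "$hw_max" "$cap" "$cur" "$gov" "$state"
    done | sort -n
}

# Cores with the highest hardware maximum (the "big" cluster on a
# big.LITTLE SoC), as a comma-separated list usable with `taskset -c`.
fastest_cores() {
    cpufreq_report "$1" | awk '
        $2 > best  { best = $2; list = $1; next }
        $2 == best { list = list "," $1 }
        END        { print list }'
}

# Cores whose policy cap is below the hardware maximum.
capped_cores() {
    cpufreq_report "$1" | awk '
        $6 == "capped" { printf "%s%s", sep, $1; sep = "," }
        END            { print "" }'
}

# Stand-alone run: report on the live system.
cpufreq_report
```

A core listed by `capped_cores` is limited by its cpufreq policy rather than by the hardware, and the list from `fastest_cores` can be passed to `taskset -c` when starting OpenVPN.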
Probably not, but you can get hints on how to approach the problem. Not everything can be found on the internet just like that. Especially if you are not searching for proper targets.
They are producing a board with the RK3399 (or whatever) chip. Hardware crypto functions were developed by Rockchip. If there is a manual, you should look there: http://opensource.rock-chips.com/wiki_Linux_SDK
Support for RK3399 is in very good shape, but forums are still in the “Development” areas for no apparent reason. It’s simply due to a lack of time to moderate the forum. Most users just demand things and give nothing in return (perhaps help on moderating the forum).
The problem you have is unrelated to Radxa, Rockchip and Armbian, but it is called “VPN with hw supported ciphers”, about which I have no special knowledge and can’t give you better clues.