VPN Performance Tuning at LiquidVPN

David Cox, CEO of LiquidVPN Inc.

Earlier this month LiquidVPN completed its first monthly VPN performance audit. The audit uncovered a number of ways for us to improve VPN performance. These included adding new VPN nodes in locations that did not support the Intel Advanced Encryption Standard New Instructions, adding two new OpenVPN nodes and 1 new PPTP/L2TP node in the Netherlands to mitigate the performance bottleneck during peak hours, and patching a bug in Romania that was keeping our OpenVPN stack from using AES-NI even though it should have been fully supported there.

What is AES-NI?

The Intel Advanced Encryption Standard New Instructions, or AES-NI for short, is a feature on modern Intel desktop and server processors. It was introduced in 2010 on select Intel Westmere processors and AMD Bulldozer based processors. It vastly improves the speed at which our servers and your device can perform encryption and decryption. Without getting into too much technical detail, we have found that a 1000 Mbps VPN tunnel using AES-256-CBC with AES-NI support at both ends will be up to 45% faster than a VPN tunnel where only 1 end supports AES-NI. A 100 Mbps VPN tunnel will see around 20% more bandwidth if both sides support AES-NI. Considering almost all of our servers are 1000 Mbps, AES-NI is a requirement. Users with fast residential connections who are concerned with VPN performance could benefit immensely by upgrading their processors.

Testing VPN Encryption and Decryption

You can see how fast your processor can handle encryption and decryption by typing the following into a terminal window or DOS prompt as long as you have OpenSSL installed.

    openssl speed -elapsed -evp aes-256-cbc

If your processor supports AES-NI, OpenSSL will use it by default. To test encryption and decryption with AES-NI turned off, terminal users can use the following.

    OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-256-cbc

The VPN Performance Enhancements Performed on our Network

Our UK 1 and Netherlands 1 nodes do not have AES-NI support. We have replaced both locations with newer hardware that supports AES-NI. You can access the new UK 2, NL 2 and NL 3 VPN nodes now. The old hardware will stay online until we can completely phase it out. Just keep in mind that these older VPN nodes, in their current state, are not really capable of running our preferred level of encryption. The two new Netherlands OpenVPN nodes will also relieve the VPN performance bottleneck we were seeing during peak hours.

OpenSSL in Romania was not using AES-NI. The processor supports AES-NI and the kernel correctly shows AES support, but testing showed that OpenSSL was not properly utilizing it. OpenSSL has been tweaked and compiled again. Romania now fully utilizes AES-NI. High bandwidth users with processors that support AES-NI should see a nice performance boost there going forward.
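
The Romania case (CPU flag present, OpenSSL gaining nothing from it) can be checked by comparing the two benchmark runs shown earlier. The script below is an added example, not LiquidVPN's own tooling; the function names, the 150% cut-off and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not LiquidVPN's tooling): flag a host whose CPU advertises
# AES-NI while OpenSSL gains nothing from it, the condition described for Romania.

# Largest-block throughput (1000s of bytes/s) from `openssl speed` output on stdin.
speed_kbps() {
    awk 'tolower($1) == "aes-256-cbc" { v = $NF; sub(/k$/, "", v); print int(v) }'
}

# Succeeds if the cpuinfo-format file $1 lists the "aes" CPU flag.
cpu_has_aes() {
    grep -m1 '^flags' "$1" | grep -qw aes
}

# $1 = throughput with defaults, $2 = throughput with AES-NI masked off.
# THRESHOLD_PCT (default 150) is an assumed cut-off, not a value from the article.
aesni_verdict() {
    if [ -z "$1" ] || [ -z "$2" ] || [ "$2" -le 0 ]; then echo "no-data"; return 0; fi
    if [ $(( $1 * 100 / $2 )) -ge "${THRESHOLD_PCT:-150}" ]; then
        echo "aesni-in-use"
    else
        echo "aesni-not-used"
    fi
}

# Live check: benchmark twice, the second time with the mask from the article.
check_live() {
    cpu_has_aes /proc/cpuinfo || { echo "cpu-lacks-aesni"; return 0; }
    on=$(openssl speed -elapsed -evp aes-256-cbc 2>/dev/null | speed_kbps)
    off=$(OPENSSL_ia32cap="~0x200000200000000" \
          openssl speed -elapsed -evp aes-256-cbc 2>/dev/null | speed_kbps)
    aesni_verdict "$on" "$off"
}

# Constructed sample rows (not measurements) in `openssl speed` result-row format.
SAMPLE_ON='aes-256-cbc     410233.11k   488120.53k   502344.19k   506981.03k   508297.22k'
SAMPLE_OFF='aes-256-cbc     198554.40k   221908.76k   229011.88k   231145.47k   231702.18k'
SAMPLE_BROKEN='aes-256-cbc     199001.92k   222310.05k   229400.31k   231388.16k   231950.34k'

demo() {
    off=$(printf '%s\n' "$SAMPLE_OFF" | speed_kbps)
    echo "healthy: $(aesni_verdict "$(printf '%s\n' "$SAMPLE_ON" | speed_kbps)" "$off")"
    echo "broken:  $(aesni_verdict "$(printf '%s\n' "$SAMPLE_BROKEN" | speed_kbps)" "$off")"
}

if [ "${1:-}" = "live" ]; then check_live; else demo; fi
```

Run with the argument `live` on a Linux host to benchmark the installed OpenSSL; without arguments it only evaluates the constructed sample rows.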