tinc - May 2020 - tinc performance relatively slow

------- TL;DR -------

Performance seems slow (around 300-400Mbit peak).
How to improve?

------- The Long Version -------

I tried to test tinc performance for an upcoming project that may need
to use NFS over a VPN. Our current tinc network seems to be able to
transmit at around 30-40 MB/s. (I used an 1GB random testfile to copy
to/from /dev/shm/; using netcat and http.) In comparison, HTTP and scp
are 300MB/s and 200MB/s respectively (over 10Gb link; over 1Gb link,
both are around 112MB/s).

By observing _top_ output, it seems that the CPU usage is around 90% for
the tinc process on at least one of the transmitting machines.

I tried to change the cipher to aes-128-cbc, but it did not have any
significant effect on transmit speed.

How can I know tinc operation eats up my CPU? Are there any simple best
practices to achieve better performance?

Thanks in advance:
	PP

P.s.: With regards to my memory problems last month: since then, I have
no problems with memory usage at all: usage remains constantly under
10MB per daemon. CNR. :(

On Mon, 4 May 2020, Pallinger Péter wrote:
> ------- TL;DR -------
> 
> Performance seems slow (around 300-400Mbit peak).
> How to improve?
Not sure if that could be the case for you, my links are not that fast:

Make sure to disable compression, that is a known CPU hog.

Greetings,
Haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.

On Mon, 4 May 2020 18:45:19 +0200 (CEST)
Sven-Haegar Koch <haegar at sdinet.de> wrote:
> On Mon, 4 May 2020, Pallinger Péter wrote:
> 
> > ------- TL;DR -------
> > 
> > Performance seems slow (around 300-400Mbit peak).
> > How to improve?  
> 
> Not sure if that could be the case for you, my links are not that
> fast:
> 
> Make sure to disable compression, that is a known CPU hog.
Compression was disabled. I've successfully slowed down my connection by
enabling compression (at least I know the configuration option is
used :) ) . I managed to get speeds of up to ~500Mb by using the
configuration below. Sometimes. It varies between 350 and 500 Mb.

Cipher = aes-128-cbc
Digest = none
# these did not really have any significant impact
#ClampMSS = no|yes
#Compression = 0

I don't want to use insecure cipher and no digest in production (I
cannot even set cipher=none, as tinc segfaults), but this shows that
the digest slows things down somewhat, but not that significantly.

I am using tinc version 1.0.31, from debian 9 (for this test).

The main test servers are bare metal and connected by a gigabit
switch in the same rack. One of the servers has 10Gb links too, and I
tried to connect to a remote VM with 10Gb link, to which the top HTTP
speed was ~3Gb.

My main gripe is that scp can transfer at about 200MB/s on the network,
and 300 and 450MB/s locally, so encryption should not really be a
problem and tinc should be able to saturate a gigabit link easily.

I read more of the mailing list, and found a suggestion that tinc 1.1
should be significantly faster. How stable is the 1.1 branch? Is is
feasible to use it in production?

Any further suggestions are welcome!

Thanks in advance:
	PP