On Mon, 4 May 2020 18:45:19 +0200 (CEST) Sven-Haegar Koch <haegar at sdinet.de> wrote:

> On Mon, 4 May 2020, Pallinger Péter wrote:
>
> > ------- TL;DR -------
> >
> > Performance seems slow (around 300-400Mbit peak).
> > How to improve?
>
> Not sure if that could be the case for you, my links are not that
> fast:
>
> Make sure to disable compression, that is a known CPU hog.

Compression was disabled. I've successfully slowed down my connection by enabling compression (at least I know the configuration option is used :) ). I managed to get speeds of up to ~500Mb by using the configuration below. Sometimes. It varies between 350 and 500 Mb.

    Cipher = aes-128-cbc
    Digest = none
    # these did not really have any significant impact
    #ClampMSS = no|yes
    #Compression = 0

I don't want to use an insecure cipher and no digest in production (I cannot even set cipher=none, as tinc segfaults), but this shows that the digest slows things down somewhat, but not that significantly.

I am using tinc version 1.0.31, from Debian 9 (for this test). The main test servers are bare metal and connected by a gigabit switch in the same rack. One of the servers has 10Gb links too, and I tried to connect to a remote VM with 10Gb link, to which the top HTTP speed was ~3Gb.

My main gripe is that scp can transfer at about 200MB/s on the network, and 300 and 450MB/s locally, so encryption should not really be a problem and tinc should be able to saturate a gigabit link easily.

I read more of the mailing list, and found a suggestion that tinc 1.1 should be significantly faster. How stable is the 1.1 branch? Is it feasible to use it in production?

Any further suggestions are welcome!

Thanks in advance:
PP

On Tue, 5 May 2020 10:56:01 +0200 Pallinger Péter <pallinger at dsd.sztaki.hu> wrote:

> On Mon, 4 May 2020 18:45:19 +0200 (CEST)
> Sven-Haegar Koch <haegar at sdinet.de> wrote:
> > On Mon, 4 May 2020, Pallinger Péter wrote:
> >
> > Make sure to disable compression, that is a known CPU hog.
>
> Compression was disabled. I've successfully slowed down my connection
> by enabling compression (at least I know the configuration option is
> used :) ) . I managed to get speeds of up to ~500Mb by using the
> configuration below. Sometimes. It varies between 350 and 500 Mb.
>
> Cipher = aes-128-cbc
> Digest = none
> # these did not really have any significant impact
> #ClampMSS = no|yes
> #Compression = 0
>

Hi,

I didn't study the internals but maybe changing DirectOnly, Forwarding and IndirectData will have an impact on per packet performance and speed stability by disabling some of the meshing features?

Although it probably just hit the CPU limits again did you try Compression 0 vs 1 vs 10?

Sorry that it's just speculation, these are just things I never got around to investigating back when I used to have a fast NAS and network.

Regards

On Tue, 5 May 2020 13:32:50 +0100 Jonathan Plews <SRS0=286U=6T=yahoo.co.uk=pl3w5y at mijnuvt.nl> wrote:

> I didn't study the internals but maybe changing DirectOnly, Forwarding
> and IndirectData will have an impact on per packet performance and
> speed stability by disabling some of the meshing features?

I will definitely try those.

> Although it probably just hit the CPU limits again did you try
> Compression 0 vs 1 vs 10?

I tried compression levels 0,1,9,10 and 1,9 did slow down transmission by 20-40% (360Mbps to 250-300Mbps), 0,10 were about the same. I do not think compression could greatly benefit me, as most transmitted data will already be compressed.

If tinc is not fast enough, I was thinking about using a second VPN like WireGuard point-to-point between each server where possible (even an SSH tunnel would get nice performance). Tinc is still great for stability and robustness (as long as I have one server with public IP working, the network works as a whole), so I intend to keep it for administrative and similar low-bandwidth tasks.

If anyone has experience using tinc over 10Gbps or even 1Gbps networks with at least 1Gbps performance, I would still very much like to hear about it (I read some claim about being able to saturate a 1Gb link on this mailing list).

Also, my question about the stability of tinc 1.1 still stands. Is it ready for production?

Thanks,
PP