Time to Retire OpenVPN

Recently I set up a test instance of Shadowsocks on my RT-AC56U (Cortex-A9 clocked at 800MHz). I did quick benchmarks to compare its throughput against my other VPN builds. Here are the three contestants on the server side:

  1. IKEv2 IPsec VPN on ER-X; AES128 + SHA1; hardware accelerated
  2. OpenVPN on RT-AC56U; AES128 + SHA1; not hardware accelerated
  3. Shadowsocks on RT-AC56U; ChaCha20; not hardware accelerated

The test client is an iPhone 6 with LTE (150Mbps max). The ER-X and RT-AC56U have 100/100Mbps Internet connectivity. Throughput is measured with the DSLReports speed test on the client.

Results

*left: IKEv2 IPsec VPN; middle: OpenVPN; right: Shadowsocks*

The numbers say it all. IPsec on ER-X (880MHz 1024Kc MIPS) takes the crown. Not surprising to me, but it's something for a three-year-old iPhone to have enough processing power to saturate the 100Mbps WAN connection. I would want to confirm whether AES128 and SHA1 in IKEv2 IPsec are hardware accelerated on iOS.

For OpenVPN, a Cortex-A9 could max out at 50Mbps at 800MHz and 70Mbps at 1400MHz. Its performance seen here upsets everyone. Both OpenVPN and Shadowsocks run in user space. Here are my guesses that may justify the huge performance difference between the two. Shadowsocks has a much simpler architecture that proves itself more efficient. ChaCha20 encryption optimised for mobile processors helps quite a bit (I need to check whether ChaCha20 is hardware accelerated on iOS). AES128 and SHA1 used in the iOS OpenVPN client are not hardware accelerated.
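One way to check the cipher-cost part of these guesses on the router or any other host, as an added example that is not part of the original post: it runs `openssl speed` for AES-128-CBC, SHA1 and ChaCha20 and compares software throughput at a packet-sized block. It assumes OpenSSL 1.1.0 or later on the PATH; the function names and the way the AES and SHA1 rates are combined are this example's own simplifications, and plain SHA1 stands in for HMAC-SHA1.

```shell
#!/bin/sh
# Added example: software-only cipher throughput on the host it runs on.
# It measures raw cipher cost only, not protocol or tunnel overhead.

# Read an `openssl speed` result table on stdin and print the 1024-byte
# column in Mbit/s. 1024 bytes is the block size closest to a full packet.
speed_mbit() {
    awk '
        $1 == "type" {
            # Header fields alternate "<size> bytes"; map "1024" to its data column.
            for (i = 2; i <= NF; i++) if ($i == "1024") col = i / 2 + 1
            next
        }
        col && NF >= col {
            v = $col; sub(/k$/, "", v)        # values are in 1000s of bytes/s
            printf "%.1f\n", v * 8 / 1000     # -> Mbit/s
            exit
        }
    '
}

# Benchmark one EVP algorithm; progress lines go to stderr and are dropped.
bench() {
    openssl speed -evp "$1" 2>/dev/null | speed_mbit
}

# Encrypting and then authenticating passes over every byte twice, so the
# two rates combine as a*b/(a+b). This is a simplifying model (assumption).
combined() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", (a * b) / (a + b) }'
}

# Only benchmark when asked to: sh cipherbench.sh run
if [ "${1:-}" = "run" ]; then
    aes=$(bench aes-128-cbc)
    sha=$(bench sha1)
    cha=$(bench chacha20)
    echo "aes-128-cbc        : $aes Mbit/s"
    echo "sha1               : $sha Mbit/s"
    echo "aes-128-cbc + sha1 : $(combined "$aes" "$sha") Mbit/s (modelled)"
    echo "chacha20           : $cha Mbit/s"
fi
```

A run takes roughly a minute because each algorithm is timed at several block sizes.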

Shadowsocks has its protocol designed to be resilient to deep packet inspection. It's the de facto standard to penetrate the Great Firewall of China at the moment. OpenVPN since v2.4 has tls-crypt to help in this regard. Perhaps too little too late. The speed difference was a moment of eureka, and I killed off my OpenVPN server without hesitation. :-)
