[eduVPN-deploy] Question re connections per process

Louis Twomey louis.twomey at heanet.ie
Tue Apr 7 11:09:53 CEST 2020


Thanks François.

A scenario that we might face is a client with 1,000 users, and a single eduVPN server listening on two ports (1194/udp and 443/tcp) and allocated a single /22 IP range. 

With a suitable server (16 x CPU cores, 6GB RAM), theoretically we could run just two OpenVPN processes. But, in terms of performance, would this be a good idea i.e. would each OpenVPN process really be capable of handling a load of up to 500 simultaneous connections? 

Or would the server perform better if we configured its network interface with 16 public IP addresses, and listened on 2 ports per IP address (allocating a /26 IP range per port), so that each OpenVPN process would have to handle a max of 64 simultaneous connections? 


I have some further questions related to this, which may influence our choice of architecture:

* If the server has reached the max number of simultaneous connections on a port, when the next eduVPN client tries to connect, will it automatically failover to the next port defined in the profile? I know the failover happens successfully when a port is unreachable, but I haven’t tested what happens when a port is reachable but “full”.

* If I build a server with 16 interface IP addresses, listening on 2 ports per IP, is it possible to have eduVPN clients failover across the 16 IP addresses i.e. is it possible to create a single/common profile for all end-users with this architecture?

Thanks a lot,
Louis.

-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040   louis.twomey at heanet.ie  www.heanet.ie
Registered in Ireland, No. 275301.  CRA No. 20036270



> On 6 Apr 2020, at 21:24, François Kooman <fkooman at tuxed.net> wrote:
> 
> On 4/6/20 6:05 PM, Louis Twomey wrote:
>> Hi,
> 
> Hi Louis!
> 
>> Apologies if this is a dumb question(s), but when looking at how to
>> scale an eduVPN service for a client to handle thousands of users, I’m a
>> little confused by the potential constraints. The recommendation of a
>> max of 64 simultaneous connections per CPU core makes perfect sense to
>> me, but I’m not clear on whether there is a limitation (other than IP
>> pool size) on simultaneous connections per OpenVPN *process*.
> 
> No there is not. The maximum number of clients is determined by the
> total IP space you have configured in "range" and the number of OpenVPN
> processes you define through vpnProtoPorts.
> 
> If you use 10.0.0.0/24 for "range" and ["udp/1194", "tcp/1194"] for
> "vpnProtoPorts" you get ~128 clients per OpenVPN process.
> 
>> The following page states "Depending on your address space the ideal
>> number of simultaneous clients per process is at most 64”:
>> 
>>  https://github.com/eduvpn/documentation/blob/v2/PROFILE_CONFIG.md#openvpn-processes
>> 
>> Does that text mean that I need to run one OpenVPN process for every 64
>> users/connections e.g. have 16 OpenVPN processes in order to handle
>> 1,000 simultaneous connections? Or am I mis-reading the text?
> 
> *ideal* is at most 64, it is not an (enforced) limit in any way.
> 
>> And if I am interpreting the text correctly, in order to support 1,000
>> simultaneous connections I guess I would have to either listen on 16
>> different ports on the same IP address, or configure the server with 16
>> IP addresses and listen on the same port on all of them?
> 
> Exactly! Typically you start at 1194 udp/tcp and then number up. One can
> also add udp/443 and tcp/443 as "last resort" options for clients that
> are in restricted networks.
> 
> Hope this makes it more clear! Let me know if you have more questions!
> 
> Regards,
> François


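An added example, not code from the eduVPN project or from either poster: a small Python planner for the "range" / vpnProtoPorts split discussed in this thread. It assumes eduVPN hands each OpenVPN process one equal slice of "range" (one process per listen IP and proto/port, so the count must be a power of two) and that three addresses per slice (network, broadcast, server) are not available to clients.

```python
import ipaddress
import math


def plan(range_cidr, proto_ports, listen_ips=1):
    """Split "range" across the OpenVPN processes a profile would start.

    range_cidr  -- the profile's "range", e.g. "10.0.0.0/24"
    proto_ports -- the vpnProtoPorts list, e.g. ["udp/1194", "tcp/1194"]
    listen_ips  -- number of server IPs the same ports are bound on
    Assumption: one process per (ip, proto/port) pair, an equal split of
    the range (so the count must be a power of two), and three addresses
    per subnet that clients never get (network, broadcast, server).
    """
    processes = len(proto_ports) * listen_ips
    if processes < 1 or processes & (processes - 1):
        raise ValueError("process count must be a power of two for an even split")
    net = ipaddress.ip_network(range_cidr, strict=True)
    subnets = list(net.subnets(prefixlen_diff=int(math.log2(processes))))
    per_process = subnets[0].num_addresses - 3
    return {
        "processes": processes,
        "subnet_prefix": subnets[0].prefixlen,
        "clients_per_process": per_process,
        "total_clients": per_process * processes,
        "subnets": [str(s) for s in subnets],
    }


def processes_needed(users, ideal_per_process=64):
    """Smallest power-of-two process count that keeps each process at or
    below the documented ideal of 64 simultaneous clients."""
    needed = max(1, math.ceil(users / ideal_per_process))
    return 1 << (needed - 1).bit_length()


if __name__ == "__main__":
    # The /24 over udp/1194 + tcp/1194 case from the reply: ~128 per process
    print(plan("10.0.0.0/24", ["udp/1194", "tcp/1194"]))
    # Scenario A from the question: one server, a /22, two ports
    print(plan("10.0.0.0/22", ["udp/1194", "tcp/443"]))
    # Scenario B: 16 IPs x 2 ports = 32 processes carved from the same /22
    print(plan("10.0.0.0/22", ["udp/1194", "tcp/443"], listen_ips=16))
    print(processes_needed(1000))  # -> 16
```

Scenario B shows why the numbers in the question need checking: 32 processes from a /22 yields /27 slices, not /26, leaving 29 client addresses per process.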
