[eduVPN-deploy] Question re connections per process
Louis Twomey
louis.twomey at heanet.ie
Tue Apr 7 18:40:54 CEST 2020
Thank you very much François, and Rogier, that is extremely helpful!
I had read most of the documents you both linked to, but somehow I had missed SCALING.md - reading that now has provided further useful information.
Thanks, and regards,
Louis.
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey at heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
> On 7 Apr 2020, at 10:45, François Kooman <fkooman at tuxed.net> wrote:
>
> CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe.
>
>
> On 4/7/20 11:09 AM, Louis Twomey wrote:
>> Thanks François.
>
> Hi Louis,
>
>> A scenario that we might face is a client with 1,000 users, and a
>> single eduVPN server listening on two ports (1194/udp and 443/tcp)
>> and allocated a single /22 IP range.
>
> That is not ideal as OpenVPN is not multi-threaded. So in this setup
> you'd be able to use a maximum of 2 cores only.
>
>> With a suitable server (16 x CPU cores, 6GB RAM), theoretically we
>> could run just two OpenVPN processes. But, in terms of performance,
>> would this be a good idea i.e. would each OpenVPN process really be
>> capable of handling a load of up to 500 simultaneous connections?
>
> RAM is not a bottleneck as far as I can tell! So doesn't have to be
> excessive :)
>
> With 16 cores you want >= 16 OpenVPN processes...
>
>> Or would the server perform better if we configured its network
>> interface with 16 public IP addresses, and listened on 2 ports per IP
>> address (allocating a /26 IP range per port), so that each OpenVPN
>> process would have to handle a max of 64 simultaneous connections?
>
> Either that, or better listen on different ports starting at 1194, 1195,
> 1196, ... and have udp/443 and tcp/443 as "fallback" ports there as
> well. That's how we do it to avoid needing multiple public IP addresses
> for the server(s) and keep IPv6 support for clients with native IPv6
> network.
>
>> * If the server has reached the max number of simultaneous
>> connections on a port, when the next eduVPN client tries to connect,
>> will it automatically failover to the next port defined in the
>> profile? I know the failover happens successfully when a port is
>> unreachable, but I haven’t tested what happens when a port is
>> reachable but “full”
>
> This requires more extensive testing on especially iOS and macOS as they
> use a different OpenVPN client (Tunnelkit).
>
> Due to the "load balancing" as implemented in eduVPN the clients will
> automatically be distributed over the OpenVPN processes... so the
> OpenVPN processes will be full more or less at the same time...
>
>> * If I build a server with 16 interface IP addresses, listening on 2
>> ports per IP, is it possible to have eduVPN clients failover across
>> the 16 IP addresses i.e. is it possible to create a single/common
>> profile for all end-users with this architecture?
>
> The problem with this approach is that it indeed would require a profile
> for every public IP address, which is sub-optimal. It *can* work though
> with round robin DNS, but I would definitely not recommend this. You'll
> also lose listening on IPv6 (or IPv4). Unfortunately this is due to the
> way OpenVPN works, not much we can do about it at this time. Maybe in
> future versions of OpenVPN. Your proposed solution would be appropriate
> if you have multiple VMs/physical servers to distribute the load.
>
> For more info see
> https://github.com/eduvpn/documentation/blob/v2/SCALING.md and
> https://github.com/eduvpn/documentation/blob/v2/PORT_SHARING.md.
>
> Let me know if you have any more questions!
>
> Regards,
> François
More information about the eduVPN-deploy
mailing list