Bonding, aggregating, load balancing multiple softether

[shaglord]

Hi

This is maybe more a feature request but it would be nice to have a discussion about the subject of using multiple vpn connections in the softether client to increase total throughput. (Same server)

After many weeks of experimenting I've found l2tp/ipsec+softether/443tcp to be most successful. However not without flaws.

In the evening hours l2tp has significantly less throughput than softether/443tcp and vice versa. To the point managing the vpn connection is a daily task, which is annoying.

It's these flaws that would be helped tremendously if the softether client could create connections on multiple protocols simultaneously like it already can make mulyiple same-protocol connections for one profile.

I've been thinking about bonding multiple virtual adapters of openvpn connections which could maybe be run on an openwrt router. Seems farfetched though.

Any thoughts? /s

[dajhorn]

> This is maybe more a feature request but it would be nice to have a
> discussion about the subject of using multiple vpn connections in the
> softether client to increase total throughput. (Same server)

This is the fundamental purpose of the "Number of TCP Connections" option for native SoftEther sessions. Other VPN protocols are not designed for things like CPU concurrency or channel bonding.

Note that tunneling a single TCP connection through a VPN session is a poor benchmark for SoftEther, and that optimizing for such usage is uninteresting to the kind of software developers that are likely to contribute to SoftEther.


> In the evening hours l2tp has significantly less throughput than
> softether/443tcp and vice versa. To the point managing the vpn connection
> is a daily task, which is annoying.

A time-of-day correlation is almost always a network performance issue. Check whether the ISP or anything between SoftEther and the Internet is doing DPA or traffic shaping.


> It's these flaws that would be helped tremendously if the softether client
> could create connections on multiple protocols simultaneously like it
> already can make mulyiple same-protocol connections for one profile.

This will probably never happen, and most software developers will instantly ignore any enhancement request that is characterized as a "flaw".

[momchil]

dajhorn wrote:
> This is the fundamental purpose of the "Number of TCP Connections" option
> for native SoftEther sessions. Other VPN protocols are not designed for things like
> CPU concurrency or channel bonding.


No! This is NOT same!
If you have 10 TCP connections with SoftEther VPN only one TCP connection is active and others 9 waiting for fail-over.
I tested this with download manager with 10 connections but always one TCP connection of SoftEther VPN is active(UDP accelation is disabled).
I check this with Task manager -> Resource Monitor -> Network -> check vpnclient_64.exe -> TCP connections

If SoftEther has a bonding option with TCP parallels connections this is has been the best vpn solution in the world. :)

[Nemesiz]

Create 2 hubs. Make a bond in both sides and enjoin.

In VPN you loose performance in encapsulation. 2, 3 or more TCP connection is the same as single connection if your ISP or computer handle it ok.

[momchil]

Nemesiz wrote:
> Make a bond in both sides and enjoin.


How with Windows?

[Nemesiz]

https://www.google.com/search?q=windows+nic+teaming

[UkrZilla]

Windows Server 2012 has native support of VLAN and bonding.

[dajhorn]

momchil wrote:
>
> No! This is NOT same!
> If you have 10 TCP connections with SoftEther VPN only one TCP connection is active
> and others 9 waiting for fail-over.
> I tested this with download manager with 10 connections but always one TCP connection
> of SoftEther VPN is active(UDP accelation is disabled).
> I check this with Task manager -> Resource Monitor -> Network -> check
> vpnclient_64.exe -> TCP connections

Three problems here:

1. Try connecting with the SoftEther server build on both sides of the VPN connection.
2. The SoftEther process is multi-threaded, so remember to use a process monitor that can recognize and separate that kind of CPU usage.
3. Use a many-to-many network topology for benchmarking SoftEther session performance.


> If SoftEther has a bonding option with TCP parallels connections this is has been the best vpn solution in the world. :)

Optimizations for small installations would certainly be a nice to have, but are unlikely to happen unless somebody pays for the work.

[momchil]

@dajhorn,

1. Computer 1 with SoftEther VPN Client(10 TCP w/o UDP) -> SoftETher VPN Server <- Computer 2 with SoftEther VPN Client(10 TCP w/o UDP). This is my configuration.
2. I think this is NOT problem because processes monitor recognize without problem all TCP connections of SoftEther VPN Benchmark test. ;) You can check this.
3. I don't understand you. I lost many night for testing of many topology but without success. :(

@Nemesiz, this(NIC teaming) is only for Windows 2012. I have Windows 7 and Windows 2008 R2. What can you propose me?

[UkrZilla]

Hi momchil,
You can create bonding between Intel or DLink netcards on Windows XP/7/2008.

[momchil]

Heh... I have NVIDIA and Realtek. :)

Please, explain how I can build bonding connection with Intel or DLink cards?

[Nemesiz]

http://blogs.technet.com/b/josebda/arch ... 08-r2.aspx

You want to bond inside private lan ? Or something bigger like two the same ISP cables ? Or just SoftEther NIC ?

[momchil]

I think this is not bonding or link aggregation. This is only failover feature(and only for File Server) but I'm not sure.

[Man333]

dajhorn wrote:
>This is the fundamental purpose of the "Number of TCP Connections" option for native SoftEther sessions.
>Other VPN protocols are not designed for things like CPU concurrency or channel bonding.
>
>Note that tunneling a single TCP connection through a VPN session is a poor benchmark for SoftEther, and
>that optimizing for such usage is uninteresting to the kind of software developers that are likely to contribute
>to SoftEther.
>

Strange that You say it. Why, then, there is this commercial project is $ 19 per month.
_http://www.connectify.me/dispatch/

[thisjun]

1. Connect these site twice with VPN client for each provider.
2. Bond the virtual NICs by OS bonding function.
3. Connect site-to-site VPN on the bonding without encryption.

[Man333]

[quote]1. Connect these site twice with VPN client for each provider.
2. Bond the virtual NICs by OS bonding function.
3. Connect site-to-site VPN on the bonding without encryption.[/quote]

Thank you. Is it possible to get more detailed notes and hints for the Windows?

[thisjun]

Which part do you want to know?
http://www.techunboxed.com/2015/06/how- ... ndows.html

[Man333]

thisjun wrote:
> Which part do you want to know?
> http://www.techunboxed.com/2015/06/how- ... ndows.html

This link is about the "NIC Teaming" this technology cannot replace www.connectify.me/dispatch/
"NIC Teaming" will be effective for the torrent client, but if there is only one TCP connect then it is useless.

[maltyx]

thisjun wrote:
> 1. Connect these site twice with VPN client for each provider.
> 2. Bond the virtual NICs by OS bonding function.
> 3. Connect site-to-site VPN on the bonding without encryption.

So, it would be kind of vpn tunnel (no encrypted) in 2-VPN tunnel sessions (encrypted), right?
Too much packets for payload to encapsulate this kind of connection .. dont you think? Hve you tested that configuration ever?

[thisjun]

I didn't try it.
However, I think overhead isn't problem except for mass short packet.

[highthroughputvpn]

All,

From everything mentioned here it appears SoftEther can do a "work around" by using multiple "hubs" and doing NIC bonding / teaming of the multiple "hubs". Such a solution "should" provide greater overall throughput for traffic loads with many connections, but would be lacking for single stream instances.

I have not (yet) tested <thisjun>'s suggestion of doing bonding at the OS level and utilizing round robin. This might work for my use case but not the use case (as I understand it) described by <Man333>.

I concur with <Man333> as he points to www.connectify.me and the concept of SoftEther making multiple tunnels to support greater overall throughput. Unlike www.connectify.me my usecase involves a single high speed ISP link (> 1Gbps).

As Gbps links become more and more common there is a growing need for VPN at Gbps throughput. The question is how to make Gbps throughput a reality without purchasing dedicated hardware appliances costing huge sums of money.

Does anyone have any ideas or solution for this, please?

Thank you!

[moatazelmasry]

Hi there,

I think the discussion is more fundamental than that. Basically with Gbps more data are being passed, which means encryption takes longer, which means faster hardware is needed.

If security is not an issue, maybe an L2TP connection can be used with minimum encryption or disable encryption altogether.

Obviously, this is not a good solution.
I read here and there about optimized hardware for specific purposes., for example like the one used for hash mining / block chains etc..
I also know of 1,2 projects that use the GPU for encryption

I think solving this kind of problem will save tons of work on workaround like Bonding, Aggregating etc..

Cheers

[highthroughputvpn]

<moatazelmasry>

Thank you for replying. I did try the tunnel with no encryption and was surprised I only gained maybe 10% to 20% additional throughput (I was expecting much more and I failed to put that in my summary of http://www.vpnusers.com/viewtopic.php?f=7&t=7270). Therefore, I am not convinced that encryption is the bottleneck.

Many modern CPU's have a built in encryption engine but I have no idea if SoftEther uses it. (https://www-ssl.intel.com/content/www/u ... ology.html)

What projects are using the GPU, please?

[moatazelmasry]

SoftEther is just using Openssl, so.. software encryption.

There's Gkrypt, but I'm not sure whether they support many encryption algorithms
http://gkrypt.com/

There's of course some academic work on the subject, for example:
https://www.scss.tcd.ie/John.Waldron/ow ... ocrypt.pdf
But the speed gain is not that large.

I also know that both AMD and Intel offer a special unit in their CPUs that can be used for AES, but I think AES is insecure nowadays anyway

Finally some googling will show a bunch of other papers and projects, that try to implement RSA using CUDA

But still it is interesting to know that encryption is not really the bottleneck. I didn't expect that tbh

Cheers

[highthroughputvpn]

Not so sure on AES being "insecure"... yet. ;-)

https://www.schneier.com/blog/archives/ ... a_bre.html
https://en.wikipedia.org/wiki/Advanced_ ... d#Security
http://csrc.nist.gov/groups/ST/toolkit/ ... SS15FS.pdf (unless this has been superceded).

I, too, was surprised encryption appears to NOT be the bottleneck for SoftEther. I do wish I could find someone from the actual project to talk with about this and verify if the SoftEther code is making use of the native encryption engines within modern CPU's.