Bonding, aggregating, load balancing multiple softether
-
- Posts: 11
- Joined: Tue Feb 17, 2015 6:34 am
Bonding, aggregating, load balancing multiple softether
Hi
This is maybe more a feature request but it would be nice to have a discussion about the subject of using multiple vpn connections in the softether client to increase total throughput. (Same server)
After many weeks of experimenting I've found l2tp/ipsec+softether/443tcp to be most successful. However not without flaws.
In the evening hours l2tp has significantly less throughput than softether/443tcp and vice versa. To the point managing the vpn connection is a daily task, which is annoying.
It's these flaws that would be helped tremendously if the softether client could create connections on multiple protocols simultaneously like it already can make multiple same-protocol connections for one profile.
I've been thinking about bonding multiple virtual adapters of openvpn connections which could maybe be run on an openwrt router. Seems far-fetched though.
Any thoughts? /s
-
- Posts: 137
- Joined: Mon Mar 24, 2014 3:59 am
Re: Bonding, aggregating, load balancing multiple softether
> This is maybe more a feature request but it would be nice to have a
> discussion about the subject of using multiple vpn connections in the
> softether client to increase total throughput. (Same server)
This is the fundamental purpose of the "Number of TCP Connections" option for native SoftEther sessions. Other VPN protocols are not designed for things like CPU concurrency or channel bonding.
Note that tunneling a single TCP connection through a VPN session is a poor benchmark for SoftEther, and that optimizing for such usage is uninteresting to the kind of software developers that are likely to contribute to SoftEther.
> In the evening hours l2tp has significantly less throughput than
> softether/443tcp and vice versa. To the point managing the vpn connection
> is a daily task, which is annoying.
A time-of-day correlation is almost always a network performance issue. Check whether the ISP or anything between SoftEther and the Internet is doing DPA or traffic shaping.
> It's these flaws that would be helped tremendously if the softether client
> could create connections on multiple protocols simultaneously like it
> already can make multiple same-protocol connections for one profile.
This will probably never happen, and most software developers will instantly ignore any enhancement request that is characterized as a "flaw".
-
- Posts: 8
- Joined: Wed Feb 18, 2015 10:33 pm
Re: Bonding, aggregating, load balancing multiple softether
dajhorn wrote:
> This is the fundamental purpose of the "Number of TCP Connections" option
> for native SoftEther sessions. Other VPN protocols are not designed for things like
> CPU concurrency or channel bonding.
No! This is NOT same!
If you have 10 TCP connections with SoftEther VPN, only one TCP connection is active and the other 9 are waiting for fail-over.
I tested this with a download manager with 10 connections, but always one TCP connection of SoftEther VPN is active (UDP acceleration is disabled).
I checked this with Task Manager -> Resource Monitor -> Network -> check vpnclient_64.exe -> TCP connections
If SoftEther had a bonding option with parallel TCP connections, it would be the best VPN solution in the world. :)
-
- Posts: 65
- Joined: Mon Nov 17, 2014 2:11 pm
Re: Bonding, aggregating, load balancing multiple softether
Create 2 hubs. Make a bond on both sides and enjoy.
In a VPN you lose performance in encapsulation. 2, 3 or more TCP connections are the same as a single connection if your ISP or computer handles it OK.
-
- Posts: 8
- Joined: Wed Feb 18, 2015 10:33 pm
Re: Bonding, aggregating, load balancing multiple softether
Nemesiz wrote:
> Make a bond on both sides and enjoy.
How with Windows?
-
- Posts: 65
- Joined: Mon Nov 17, 2014 2:11 pm
-
- Posts: 65
- Joined: Sun Dec 15, 2013 8:34 am
Re: Bonding, aggregating, load balancing multiple softether
Windows Server 2012 has native support of VLAN and bonding.
-
- Posts: 137
- Joined: Mon Mar 24, 2014 3:59 am
Re: Bonding, aggregating, load balancing multiple softether
momchil wrote:
>
> No! This is NOT same!
> If you have 10 TCP connections with SoftEther VPN, only one TCP connection is active
> and the other 9 are waiting for fail-over.
> I tested this with a download manager with 10 connections, but always one TCP connection
> of SoftEther VPN is active (UDP acceleration is disabled).
> I check this with Task manager -> Resource Monitor -> Network -> check
> vpnclient_64.exe -> TCP connections
Three problems here:
1. Try connecting with the SoftEther server build on both sides of the VPN connection.
2. The SoftEther process is multi-threaded, so remember to use a process monitor that can recognize and separate that kind of CPU usage.
3. Use a many-to-many network topology for benchmarking SoftEther session performance.
> If SoftEther had a bonding option with parallel TCP connections, it would be the best VPN solution in the world. :)
Optimizations for small installations would certainly be a nice to have, but are unlikely to happen unless somebody pays for the work.
-
- Posts: 8
- Joined: Wed Feb 18, 2015 10:33 pm
Re: Bonding, aggregating, load balancing multiple softether
@dajhorn,
1. Computer 1 with SoftEther VPN Client (10 TCP w/o UDP) -> SoftEther VPN Server <- Computer 2 with SoftEther VPN Client (10 TCP w/o UDP). This is my configuration.
2. I think this is NOT a problem, because the process monitor recognizes all TCP connections of the SoftEther VPN Benchmark test without problem. ;) You can check this.
3. I don't understand you. I lost many nights testing many topologies, but without success. :(
@Nemesiz, this (NIC teaming) is only for Windows 2012. I have Windows 7 and Windows 2008 R2. What can you propose?
-
- Posts: 65
- Joined: Sun Dec 15, 2013 8:34 am
Re: Bonding, aggregating, load balancing multiple softether
Hi momchil,
You can create bonding between Intel or DLink netcards on Windows XP/7/2008.
-
- Posts: 8
- Joined: Wed Feb 18, 2015 10:33 pm
Re: Bonding, aggregating, load balancing multiple softether
Heh... I have NVIDIA and Realtek. :)
Please explain how I can build a bonding connection with Intel or DLink cards?
-
- Posts: 65
- Joined: Mon Nov 17, 2014 2:11 pm
Re: Bonding, aggregating, load balancing multiple softether
http://blogs.technet.com/b/josebda/arch ... 08-r2.aspx
Do you want to bond inside a private LAN? Or something bigger, like two cables from the same ISP? Or just the SoftEther NIC?
-
- Posts: 8
- Joined: Wed Feb 18, 2015 10:33 pm
Re: Bonding, aggregating, load balancing multiple softether
I think this is not bonding or link aggregation. This is only a failover feature (and only for File Server), but I'm not sure.
-
- Posts: 3
- Joined: Fri Feb 12, 2016 4:41 am
Re: Bonding, aggregating, load balancing multiple softether
dajhorn wrote:
>This is the fundamental purpose of the "Number of TCP Connections" option for native SoftEther sessions.
>Other VPN protocols are not designed for things like CPU concurrency or channel bonding.
>
>Note that tunneling a single TCP connection through a VPN session is a poor benchmark for SoftEther, and
>that optimizing for such usage is uninteresting to the kind of software developers that are likely to contribute
>to SoftEther.
>
Strange that you say that. Why, then, is there this commercial project at $19 per month?
http://www.connectify.me/dispatch/
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Bonding, aggregating, load balancing multiple softether
1. Connect these sites twice, with a VPN client for each provider.
2. Bond the virtual NICs by OS bonding function.
3. Connect site-to-site VPN on the bonding without encryption.
-
- Posts: 3
- Joined: Fri Feb 12, 2016 4:41 am
Re: Bonding, aggregating, load balancing multiple softether
> 1. Connect these site twice with VPN client for each provider.
> 2. Bond the virtual NICs by OS bonding function.
> 3. Connect site-to-site VPN on the bonding without encryption.
Thank you. Is it possible to get more detailed notes and hints for the Windows?
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Bonding, aggregating, load balancing multiple softether
Which part do you want to know?
http://www.techunboxed.com/2015/06/how- ... ndows.html
-
- Posts: 3
- Joined: Fri Feb 12, 2016 4:41 am
Re: Bonding, aggregating, load balancing multiple softether
thisjun wrote:
> Which part do you want to know?
> http://www.techunboxed.com/2015/06/how- ... ndows.html
This link is about "NIC Teaming"; this technology cannot replace www.connectify.me/dispatch/
"NIC Teaming" will be effective for a torrent client, but if there is only one TCP connection then it is useless.
-
- Posts: 65
- Joined: Wed Feb 25, 2015 6:53 am
Re: Bonding, aggregating, load balancing multiple softether
thisjun wrote:
> 1. Connect these site twice with VPN client for each provider.
> 2. Bond the virtual NICs by OS bonding function.
> 3. Connect site-to-site VPN on the bonding without encryption.
So, it would be a kind of VPN tunnel (not encrypted) inside 2 VPN tunnel sessions (encrypted), right?
Too many packets per payload to encapsulate this kind of connection... don't you think? Have you ever tested that configuration?
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Bonding, aggregating, load balancing multiple softether
I didn't try it.
However, I think overhead isn't a problem except for masses of short packets.
-
- Posts: 22
- Joined: Wed Jan 25, 2017 8:40 pm
Re: Bonding, aggregating, load balancing multiple softether
All,
From everything mentioned here it appears SoftEther can do a "work around" by using multiple "hubs" and doing NIC bonding / teaming of the multiple "hubs". Such a solution "should" provide greater overall throughput for traffic loads with many connections, but would be lacking for single stream instances.
I have not (yet) tested <thisjun>'s suggestion of doing bonding at the OS level and utilizing round robin. This might work for my use case but not the use case (as I understand it) described by <Man333>.
I concur with <Man333> as he points to www.connectify.me and the concept of SoftEther making multiple tunnels to support greater overall throughput. Unlike www.connectify.me my use case involves a single high speed ISP link (> 1Gbps).
As Gbps links become more and more common there is a growing need for VPN at Gbps throughput. The question is how to make Gbps throughput a reality without purchasing dedicated hardware appliances costing huge sums of money.
Does anyone have any ideas or solution for this, please?
Thank you!
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Bonding, aggregating, load balancing multiple softether
Hi there,
I think the discussion is more fundamental than that. Basically with Gbps more data are being passed, which means encryption takes longer, which means faster hardware is needed.
If security is not an issue, maybe an L2TP connection can be used with minimum encryption or disable encryption altogether.
Obviously, this is not a good solution.
I read here and there about optimized hardware for specific purposes, for example like the hardware used for hash mining / block chains etc.
I also know of 1 or 2 projects that use the GPU for encryption.
I think solving this kind of problem will save tons of work on workarounds like bonding, aggregating etc.
Cheers
-
- Posts: 22
- Joined: Wed Jan 25, 2017 8:40 pm
Re: Bonding, aggregating, load balancing multiple softether
<moatazelmasry>
Thank you for replying. I did try the tunnel with no encryption and was surprised I only gained maybe 10% to 20% additional throughput (I was expecting much more and I failed to put that in my summary of http://www.vpnusers.com/viewtopic.php?f=7&t=7270). Therefore, I am not convinced that encryption is the bottleneck.
Many modern CPUs have a built-in encryption engine but I have no idea if SoftEther uses it. (https://www-ssl.intel.com/content/www/u ... ology.html)
What projects are using the GPU, please?
-
- Posts: 336
- Joined: Sat Aug 15, 2015 7:41 pm
Re: Bonding, aggregating, load balancing multiple softether
SoftEther is just using OpenSSL, so... software encryption.
There's Gkrypt, but I'm not sure whether they support many encryption algorithms
http://gkrypt.com/
There's of course some academic work on the subject, for example:
https://www.scss.tcd.ie/John.Waldron/ow ... ocrypt.pdf
But the speed gain is not that large.
I also know that both AMD and Intel offer a special unit in their CPUs that can be used for AES, but I think AES is insecure nowadays anyway
Finally some googling will show a bunch of other papers and projects, that try to implement RSA using CUDA
But still it is interesting to know that encryption is not really the bottleneck. I didn't expect that tbh
Cheers
-
- Posts: 22
- Joined: Wed Jan 25, 2017 8:40 pm
Re: Bonding, aggregating, load balancing multiple softether
Not so sure on AES being "insecure"... yet. ;-)
https://www.schneier.com/blog/archives/ ... a_bre.html
https://en.wikipedia.org/wiki/Advanced_ ... d#Security
http://csrc.nist.gov/groups/ST/toolkit/ ... SS15FS.pdf (unless this has been superseded).
I, too, was surprised encryption appears to NOT be the bottleneck for SoftEther. I do wish I could find someone from the actual project to talk with about this and verify if the SoftEther code is making use of the native encryption engines within modern CPUs.
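
One way to approach the open question above, as an added example that is not part of the original thread and is not SoftEther code: check whether the CPU advertises AES-NI and whether the local OpenSSL build actually gets faster with it. It assumes a Linux x86 host with the `openssl` CLI and uses AES-128-GCM as the test cipher; it measures OpenSSL on the host, not SoftEther itself, and the OpenSSL a given SoftEther binary is linked against may differ.

```shell
#!/bin/sh
# Added example (not SoftEther code): does this CPU advertise AES-NI, and does
# the local OpenSSL build run AES faster because of it?
# Assumptions: Linux on x86, `openssl` on PATH, AES-128-GCM as the test cipher.

# Exit 0 if cpuinfo-format text on stdin lists the exact CPU flag "aes".
# Exact token match, so flags such as "vaes" alone do not count.
cpu_has_aes() {
    awk -F: '
        /^flags/ { n = split($2, f, " ")
                   for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1 }
        END      { exit (found ? 0 : 1) }'
}

# Print the largest-block throughput (in 1000s of bytes/s) for cipher row $1
# from `openssl speed` output on stdin. Row labels differ in case between
# OpenSSL releases, so the match is case-insensitive.
speed_kbps() {
    awk -v alg="$1" 'tolower($1) == tolower(alg) { v = $NF; sub(/k$/, "", v); print v }'
}

# Print the hardware/software throughput ratio to one decimal place.
speedup() {
    awk -v hw="$1" -v sw="$2" 'BEGIN { printf "%.1f\n", hw / sw }'
}

# The real measurement runs only when asked for: sh aes_check.sh --run
if [ "${1:-}" = "--run" ]; then
    if cpu_has_aes < /proc/cpuinfo; then
        echo "CPU advertises AES-NI"
    else
        echo "CPU does not advertise AES-NI"
    fi
    hw=$(openssl speed -evp aes-128-gcm 2>/dev/null | speed_kbps aes-128-gcm)
    # OPENSSL_ia32cap masks CPU capability bits for OpenSSL only; this value
    # hides AES-NI and PCLMULQDQ so the software AES path is measured.
    sw=$(OPENSSL_ia32cap="~0x200000200000000" \
         openssl speed -evp aes-128-gcm 2>/dev/null | speed_kbps aes-128-gcm)
    if [ -n "$hw" ] && [ -n "$sw" ]; then
        echo "default:        ${hw}k bytes/s"
        echo "AES-NI masked:  ${sw}k bytes/s"
        echo "speedup:        $(speedup "$hw" "$sw")x"
    else
        echo "could not parse openssl speed output" >&2
        exit 1
    fi
fi
```

A speedup close to 1.0 on a CPU that advertises AES-NI suggests the OpenSSL build is not using the hardware path; a large ratio means AES itself is cheap on that host and the throughput limit lies elsewhere.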