Layer 2 tunnel performance in Linux
ofcthvsf
Want to create an L2 connection over a local network, but can't find benchmarks? I had that problem too.
I wanted something like TAP OpenVPN, but could not find how slow it is. My results (see the setup procedure below for the explanation of the values):
| | SSH speed |
| --- | --- |
| base (raw veth) | 111 MB/s |
| l2tp | 74.4 MB/s |
| TUN OpenVPN | 25.5 MB/s |
| TAP OpenVPN | 23.1 MB/s |
My measurement setup
To get the above numbers, I created two Docker containers (the network_tester image was Debian with the iproute2, openvpn and openssh-server packages):
docker run --name=tc1 --hostname=tc1 -it --rm --net=none --entrypoint=/bin/bash --cap-add NET_ADMIN network_tester
docker run --name=tc2 --hostname=tc2 -it --rm --net=none --entrypoint=/bin/bash --cap-add NET_ADMIN network_tester
As root on the host, add a veth pair:
ip link add tc1eth type veth peer name tc2eth
tc1ns=$(docker inspect --format '{{.State.Pid}}' tc1)
tc2ns=$(docker inspect --format '{{.State.Pid}}' tc2)
ip link set netns ${tc1ns} dev tc1eth
ip link set netns ${tc2ns} dev tc2eth
In both containers, set up SSH:
cd
ssh-keygen
cat .ssh/id_rsa.pub >>.ssh/authorized_keys
/etc/init.d/ssh start
cat .ssh/id_rsa.pub # manually copy key to the other container
cat >>.ssh/authorized_keys # paste the other container's key here, then press Ctrl-D
Inside the tc1/tc2 containers, set up the veth network:
# in tc1
ip l set up dev tc1eth
ip a add 192.168.1.1/24 dev tc1eth
# in tc2
ip l set up dev tc2eth
ip a add 192.168.1.2/24 dev tc2eth
And the L2TP network:
# in tc1
ip l2tp add tunnel tunnel_id 2012902618 peer_tunnel_id 1742694365 encap udp local 192.168.1.1 remote 192.168.1.2 udp_sport 10878 udp_dport 12359
ip l2tp add session tunnel_id 2012902618 session_id 1242717084 peer_session_id 1825258445
ip link set up dev l2tpeth0
ip addr add 10.0.42.1/24 dev l2tpeth0
# in tc2: same commands with every ID, address and port swapped
ip l2tp add tunnel tunnel_id 1742694365 peer_tunnel_id 2012902618 encap udp local 192.168.1.2 remote 192.168.1.1 udp_sport 12359 udp_dport 10878
ip l2tp add session tunnel_id 1742694365 session_id 1825258445 peer_session_id 1242717084
ip link set up dev l2tpeth0
ip addr add 10.0.42.2/24 dev l2tpeth0
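The two `ip l2tp` command sets only work if each side's tunnel_id, session_id and UDP port appear as the peer value on the other side. The script below is an added example, not part of the original post: it prints both ends from one description so the values are mirrored by construction. The function names (`rand32`, `valid_port`, `l2tp_side`, `l2tp_pair`) are hypothetical; the addresses and ports are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the `ip l2tp` commands for
# both ends of an unmanaged L2TPv3 tunnel, with IDs and UDP ports mirrored.

# rand32 (hypothetical helper): random non-zero 32-bit ID from /dev/urandom.
rand32() {
    id=0
    while [ "$id" -eq 0 ]; do
        id=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    done
    echo "$id"
}

# valid_port N: succeeds only for an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# l2tp_side LOCAL REMOTE TID PEER_TID SID PEER_SID SPORT DPORT INNER_CIDR
# Prints the commands for one end; uses only the options shown in the post.
l2tp_side() {
    valid_port "$7" && valid_port "$8" || { echo "bad UDP port" >&2; return 1; }
    cat <<EOF
ip l2tp add tunnel tunnel_id $3 peer_tunnel_id $4 encap udp local $1 remote $2 udp_sport $7 udp_dport $8
ip l2tp add session tunnel_id $3 session_id $5 peer_session_id $6
ip link set up dev l2tpeth0
ip addr add $9 dev l2tpeth0
EOF
}

# l2tp_pair A_IP B_IP A_PORT B_PORT A_INNER B_INNER
# Draws fresh IDs once, then prints end A and end B with every value swapped.
l2tp_pair() {
    a_tid=$(rand32); b_tid=$(rand32); a_sid=$(rand32); b_sid=$(rand32)
    echo "# end A ($1)"
    l2tp_side "$1" "$2" "$a_tid" "$b_tid" "$a_sid" "$b_sid" "$3" "$4" "$5" || return 1
    echo "# end B ($2)"
    l2tp_side "$2" "$1" "$b_tid" "$a_tid" "$b_sid" "$a_sid" "$4" "$3" "$6"
}

# Addresses and ports are the ones from the post; the IDs are drawn at random.
l2tp_pair 192.168.1.1 192.168.1.2 10878 12359 10.0.42.1/24 10.0.42.2/24
```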
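And the OpenVPN tunnels:
# in both containers: create the TUN/TAP device node
mkdir -p /dev/net && mknod /dev/net/tun c 10 200
# --cipher none: the tunnel itself is unencrypted, so only encapsulation overhead is measured
# TUN, in tc1
openvpn --cipher none --dev tun1 --port 8524 --ifconfig 10.1.2.1 10.1.2.2 &
# TUN, in tc2
openvpn --cipher none --dev tun2 --port 8524 --ifconfig 10.1.2.2 10.1.2.1 --remote 192.168.1.1 &
# TAP, in tc1
openvpn --cipher none --dev tap1 --port 8254 &
# TAP, in tc2
openvpn --cipher none --dev tap2 --port 8254 --remote 192.168.1.1 &
# in tc1
ip l set up dev tap1 && ip a add 10.2.2.1/24 dev tap1
# in tc2
ip l set up dev tap2 && ip a add 10.2.2.2/24 dev tap2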
And finally, test everything
for ip in 127.0.0.1 192.168.1.1 10.0.42.1 10.1.2.1 10.2.2.1 ; do ssh $ip dd if=/dev/zero bs=1M count=64 | dd of=/dev/null bs=1M ; done
In my SSH config I used custom Ciphers. The full file:
Ciphers aes256-gcm@openssh.com
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null