IPsec/Benchmarks
Inspired by the WireGuard benchmarks[1], let's add a few of our own here. Our test setup consists of two VirtualBox VMs on the same host, both configured to use virtio-net as their network device, running at 1 Gbps.
Plain
sid0# iperf3 -fM -c ubuntu0
Connecting to host ubuntu0, port 5201
[ 5] local 192.168.56.130 port 35904 connected to 192.168.56.144 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 899 MBytes 898 MBytes/sec 7789 185 KBytes
[ 5] 1.00-2.00 sec 952 MBytes 952 MBytes/sec 9227 209 KBytes
[ 5] 2.00-3.00 sec 860 MBytes 860 MBytes/sec 5685 433 KBytes
[ 5] 3.00-4.00 sec 534 MBytes 534 MBytes/sec 6067 204 KBytes
[ 5] 4.00-5.00 sec 862 MBytes 863 MBytes/sec 7912 218 KBytes
[ 5] 5.00-6.00 sec 882 MBytes 882 MBytes/sec 10276 431 KBytes
[ 5] 6.00-7.00 sec 948 MBytes 947 MBytes/sec 8709 191 KBytes
[ 5] 7.00-8.00 sec 966 MBytes 966 MBytes/sec 8648 188 KBytes
[ 5] 8.00-9.00 sec 934 MBytes 934 MBytes/sec 8985 465 KBytes
[ 5] 9.00-10.00 sec 945 MBytes 945 MBytes/sec 12339 184 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 8.58 GBytes 878 MBytes/sec 85637 sender
[ 5] 0.00-10.00 sec 8.57 GBytes 878 MBytes/sec receiver
iperf Done.
Hm, what's with the retries number there?
ipsec-tools
setkey
Just with the SPD loaded:
sid0# iperf3 -fM -c ubuntu0
Connecting to host ubuntu0, port 5201
[ 5] local 192.168.56.130 port 42070 connected to 192.168.56.144 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.01 sec 31.8 MBytes 31.4 MBytes/sec 0 325 KBytes
[ 5] 1.01-2.03 sec 33.5 MBytes 33.1 MBytes/sec 0 360 KBytes
[ 5] 2.03-3.04 sec 33.0 MBytes 32.7 MBytes/sec 0 453 KBytes
[ 5] 3.04-4.03 sec 31.8 MBytes 32.0 MBytes/sec 0 549 KBytes
[ 5] 4.03-5.04 sec 32.5 MBytes 32.3 MBytes/sec 0 549 KBytes
[ 5] 5.04-6.03 sec 31.2 MBytes 31.4 MBytes/sec 0 549 KBytes
[ 5] 6.03-7.03 sec 32.9 MBytes 32.8 MBytes/sec 0 682 KBytes
[ 5] 7.03-8.01 sec 31.2 MBytes 31.8 MBytes/sec 0 682 KBytes
[ 5] 8.01-9.02 sec 31.2 MBytes 31.2 MBytes/sec 0 751 KBytes
[ 5] 9.02-10.03 sec 32.5 MBytes 32.2 MBytes/sec 0 751 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.03 sec 322 MBytes 32.1 MBytes/sec 0 sender
[ 5] 0.00-10.03 sec 322 MBytes 32.1 MBytes/sec receiver
iperf Done.
racoon
With racoon enabled:
sid0# iperf3 -fM -c 172.16.2.1
Connecting to host 172.16.2.1, port 5201
[ 5] local 172.16.1.1 port 53618 connected to 172.16.2.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.01 sec 31.2 MBytes 30.8 MBytes/sec 0 287 KBytes
[ 5] 1.01-2.04 sec 30.7 MBytes 29.8 MBytes/sec 0 317 KBytes
[ 5] 2.04-3.00 sec 29.2 MBytes 30.4 MBytes/sec 0 471 KBytes
[ 5] 3.00-4.01 sec 31.2 MBytes 31.1 MBytes/sec 0 534 KBytes
[ 5] 4.01-5.04 sec 30.0 MBytes 29.0 MBytes/sec 0 561 KBytes
[ 5] 5.04-6.00 sec 27.5 MBytes 28.6 MBytes/sec 0 662 KBytes
[ 5] 6.00-7.03 sec 31.2 MBytes 30.3 MBytes/sec 0 662 KBytes
[ 5] 7.03-8.01 sec 28.8 MBytes 29.3 MBytes/sec 0 820 KBytes
[ 5] 8.01-9.01 sec 29.7 MBytes 29.8 MBytes/sec 0 927 KBytes
[ 5] 9.01-10.01 sec 30.0 MBytes 30.2 MBytes/sec 157 649 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.01 sec 300 MBytes 29.9 MBytes/sec 157 sender
[ 5] 0.00-10.01 sec 300 MBytes 29.9 MBytes/sec receiver
iperf Done.
iproute2
With only iproute2 used for configuration:
sid0# iperf3 -fM -c 172.16.2.1
Connecting to host 172.16.2.1, port 5201
[ 5] local 172.16.1.1 port 57128 connected to 172.16.2.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.01 sec 35.6 MBytes 35.4 MBytes/sec 0 216 KBytes
[ 5] 1.01-2.02 sec 37.0 MBytes 36.5 MBytes/sec 0 317 KBytes
[ 5] 2.02-3.01 sec 35.7 MBytes 36.1 MBytes/sec 0 389 KBytes
[ 5] 3.01-4.01 sec 36.0 MBytes 35.9 MBytes/sec 0 408 KBytes
[ 5] 4.01-5.02 sec 31.2 MBytes 30.9 MBytes/sec 0 483 KBytes
[ 5] 5.02-6.01 sec 35.0 MBytes 35.4 MBytes/sec 0 483 KBytes
[ 5] 6.01-7.03 sec 33.2 MBytes 32.7 MBytes/sec 24 421 KBytes
[ 5] 7.03-8.02 sec 33.2 MBytes 33.7 MBytes/sec 0 448 KBytes
[ 5] 8.02-9.01 sec 32.5 MBytes 32.8 MBytes/sec 0 486 KBytes
[ 5] 9.01-10.00 sec 33.5 MBytes 33.6 MBytes/sec 0 491 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 343 MBytes 34.3 MBytes/sec 24 sender
[ 5] 0.00-10.00 sec 343 MBytes 34.3 MBytes/sec receiver
iperf Done.
Performance can be increased somewhat when using AES in CTR mode[2] instead:
sid0# iperf3 -fM -c 172.16.2.1
Connecting to host 172.16.2.1, port 5201
[ 5] local 172.16.1.1 port 57238 connected to 172.16.2.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.03 sec 41.5 MBytes 40.3 MBytes/sec 0 377 KBytes
[ 5] 1.03-2.02 sec 41.5 MBytes 41.8 MBytes/sec 0 633 KBytes
[ 5] 2.02-3.01 sec 41.2 MBytes 41.8 MBytes/sec 0 633 KBytes
[ 5] 3.01-4.03 sec 41.1 MBytes 40.4 MBytes/sec 0 689 KBytes
[ 5] 4.03-5.02 sec 42.5 MBytes 42.9 MBytes/sec 0 689 KBytes
[ 5] 5.02-6.01 sec 38.8 MBytes 39.1 MBytes/sec 29 485 KBytes
[ 5] 6.01-7.01 sec 40.0 MBytes 40.1 MBytes/sec 0 485 KBytes
[ 5] 7.01-8.03 sec 39.6 MBytes 38.5 MBytes/sec 26 431 KBytes
[ 5] 8.03-9.00 sec 38.8 MBytes 40.0 MBytes/sec 0 471 KBytes
[ 5] 9.00-10.03 sec 38.8 MBytes 37.8 MBytes/sec 0 471 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.03 sec 404 MBytes 40.3 MBytes/sec 55 sender
[ 5] 0.00-10.03 sec 404 MBytes 40.3 MBytes/sec receiver
iperf Done.
Libreswan
A simple Libreswan VPN, with standard ciphers being used:
000 "test": IKE algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "test": ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<Phase1>
sid0# iperf3 -fM -c ubuntu0
Connecting to host ubuntu0, port 5201
[ 5] local 192.168.56.130 port 35976 connected to 192.168.56.144 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 81.0 MBytes 80.7 MBytes/sec 0 287 KBytes
[ 5] 1.00-2.00 sec 81.5 MBytes 81.6 MBytes/sec 42 250 KBytes
[ 5] 2.00-3.01 sec 84.8 MBytes 84.5 MBytes/sec 0 311 KBytes
[ 5] 3.01-4.01 sec 83.9 MBytes 83.2 MBytes/sec 28 260 KBytes
[ 5] 4.01-5.00 sec 82.7 MBytes 83.7 MBytes/sec 0 288 KBytes
[ 5] 5.00-6.00 sec 84.9 MBytes 84.7 MBytes/sec 0 307 KBytes
[ 5] 6.00-7.02 sec 87.5 MBytes 86.4 MBytes/sec 14 244 KBytes
[ 5] 7.02-8.00 sec 83.1 MBytes 84.6 MBytes/sec 0 275 KBytes
[ 5] 8.00-9.00 sec 83.0 MBytes 82.8 MBytes/sec 0 299 KBytes
[ 5] 9.00-10.01 sec 84.8 MBytes 84.5 MBytes/sec 11 222 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.01 sec 837 MBytes 83.7 MBytes/sec 95 sender
[ 5] 0.00-10.01 sec 837 MBytes 83.7 MBytes/sec receiver
iperf Done.
We can increase performance with a different cipher set:
000 "test": IKE algorithms: AES_GCM_16_256-HMAC_SHA2_256-MODP2048
000 "test": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_256-MODP2048
000 "test": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
sid0# iperf3 -fM -c ubuntu0
Connecting to host ubuntu0, port 5201
[ 5] local 192.168.56.130 port 35990 connected to 192.168.56.144 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 154 MBytes 154 MBytes/sec 34 264 KBytes
[ 5] 1.00-2.00 sec 153 MBytes 153 MBytes/sec 61 216 KBytes
[ 5] 2.00-3.00 sec 148 MBytes 148 MBytes/sec 40 264 KBytes
[ 5] 3.00-4.00 sec 152 MBytes 152 MBytes/sec 60 257 KBytes
[ 5] 4.00-5.01 sec 151 MBytes 149 MBytes/sec 38 244 KBytes
[ 5] 5.01-6.00 sec 145 MBytes 147 MBytes/sec 70 285 KBytes
[ 5] 6.00-7.00 sec 151 MBytes 150 MBytes/sec 44 267 KBytes
[ 5] 7.00-8.01 sec 156 MBytes 154 MBytes/sec 49 294 KBytes
[ 5] 8.01-9.00 sec 148 MBytes 149 MBytes/sec 41 314 KBytes
[ 5] 9.00-10.01 sec 157 MBytes 156 MBytes/sec 25 240 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.01 sec 1.48 GBytes 151 MBytes/sec 462 sender
[ 5] 0.00-10.01 sec 1.48 GBytes 151 MBytes/sec receiver
iperf Done.
strongSwan
A simple strongSwan host-to-host VPN, with standard ciphers being used:
test[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
test{2}: AES_CBC_128/HMAC_SHA2_256_128, 1312215 bytes_i (40352 pkts, 3s ago), 600088093 bytes_o (419598 pkts, 13s ago), rekeying in 43 minutes
sid0# iperf3 -fM -c ubuntu0
Connecting to host ubuntu0, port 5201
[ 5] local 192.168.56.130 port 36040 connected to 192.168.56.144 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.01 sec 49.1 MBytes 48.4 MBytes/sec 0 662 KBytes
[ 5] 1.01-2.02 sec 54.6 MBytes 54.3 MBytes/sec 171 342 KBytes
[ 5] 2.02-3.03 sec 54.2 MBytes 53.9 MBytes/sec 27 286 KBytes
[ 5] 3.03-4.01 sec 55.3 MBytes 56.2 MBytes/sec 0 313 KBytes
[ 5] 4.01-5.02 sec 54.6 MBytes 54.1 MBytes/sec 16 270 KBytes
[ 5] 5.02-6.01 sec 54.8 MBytes 55.3 MBytes/sec 0 297 KBytes
[ 5] 6.01-7.01 sec 53.5 MBytes 53.4 MBytes/sec 7 269 KBytes
[ 5] 7.01-8.01 sec 54.5 MBytes 54.5 MBytes/sec 0 291 KBytes
[ 5] 8.01-9.00 sec 51.8 MBytes 52.5 MBytes/sec 25 246 KBytes
[ 5] 9.00-10.02 sec 57.8 MBytes 56.6 MBytes/sec 0 313 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.02 sec 540 MBytes 53.9 MBytes/sec 246 sender
[ 5] 0.00-10.02 sec 540 MBytes 53.9 MBytes/sec receiver
iperf Done.
With a more modern cipher being used, speed is doubled:
test[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
test{2}: AES_GCM_16_128, 1388034 bytes_i (40358 pkts, 78s ago), 1351933570 bytes_o (935419 pkts, 88s ago), rekeying in 43 minutes
sid0# iperf3 -fM -c ubuntu0
Connecting to host ubuntu0, port 5201
[ 5] local 192.168.56.130 port 36046 connected to 192.168.56.144 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 129 MBytes 129 MBytes/sec 202 251 KBytes
[ 5] 1.00-2.00 sec 130 MBytes 130 MBytes/sec 20 329 KBytes
[ 5] 2.00-3.00 sec 141 MBytes 141 MBytes/sec 55 249 KBytes
[ 5] 3.00-4.00 sec 124 MBytes 124 MBytes/sec 29 296 KBytes
[ 5] 4.00-5.00 sec 123 MBytes 124 MBytes/sec 45 265 KBytes
[ 5] 5.00-6.00 sec 103 MBytes 103 MBytes/sec 9 287 KBytes
[ 5] 6.00-7.00 sec 131 MBytes 130 MBytes/sec 57 294 KBytes
[ 5] 7.00-8.01 sec 120 MBytes 120 MBytes/sec 55 293 KBytes
[ 5] 8.01-9.00 sec 131 MBytes 131 MBytes/sec 13 211 KBytes
[ 5] 9.00-10.00 sec 130 MBytes 130 MBytes/sec 40 264 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.23 GBytes 126 MBytes/sec 525 sender
[ 5] 0.00-10.00 sec 1.23 GBytes 126 MBytes/sec receiver
iperf Done.
WireGuard
Using WireGuard for a host-to-host VPN:
sid0# iperf3 -fM -c 172.16.2.1
Connecting to host 172.16.2.1, port 5201
[ 5] local 172.16.1.1 port 57434 connected to 172.16.2.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 141 MBytes 141 MBytes/sec 82 290 KBytes
[ 5] 1.00-2.00 sec 139 MBytes 139 MBytes/sec 89 281 KBytes
[ 5] 2.00-3.00 sec 141 MBytes 141 MBytes/sec 70 385 KBytes
[ 5] 3.00-4.00 sec 144 MBytes 144 MBytes/sec 46 322 KBytes
[ 5] 4.00-5.00 sec 130 MBytes 130 MBytes/sec 10 405 KBytes
[ 5] 5.00-6.00 sec 136 MBytes 136 MBytes/sec 119 256 KBytes
[ 5] 6.00-7.00 sec 117 MBytes 117 MBytes/sec 38 281 KBytes
[ 5] 7.00-8.00 sec 128 MBytes 128 MBytes/sec 80 367 KBytes
[ 5] 8.00-9.00 sec 137 MBytes 137 MBytes/sec 71 335 KBytes
[ 5] 9.00-10.00 sec 135 MBytes 135 MBytes/sec 31 310 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.32 GBytes 135 MBytes/sec 636 sender
[ 5] 0.00-10.00 sec 1.31 GBytes 135 MBytes/sec receiver
iperf Done.
...Can this be tuned somehow?
OpenVPN
A simple OpenVPN host-to-host tunnel using static keys, where only CBC ciphers are supported:
sid0# iperf3 -fM -c 172.16.0.2
Connecting to host 172.16.0.2, port 5201
[ 5] local 172.16.0.1 port 49230 connected to 172.16.0.2 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 25.7 MBytes 25.7 MBytes/sec 11 115 KBytes
[ 5] 1.00-2.00 sec 25.8 MBytes 25.8 MBytes/sec 25 80.3 KBytes
[ 5] 2.00-3.00 sec 22.7 MBytes 22.7 MBytes/sec 10 120 KBytes
[ 5] 3.00-4.00 sec 23.5 MBytes 23.5 MBytes/sec 19 79.0 KBytes
[ 5] 4.00-5.00 sec 22.4 MBytes 22.4 MBytes/sec 13 94.5 KBytes
[ 5] 5.00-6.00 sec 22.6 MBytes 22.6 MBytes/sec 12 82.9 KBytes
[ 5] 6.00-7.00 sec 22.2 MBytes 22.2 MBytes/sec 27 84.2 KBytes
[ 5] 7.00-8.00 sec 23.4 MBytes 23.4 MBytes/sec 15 106 KBytes
[ 5] 8.00-9.00 sec 22.9 MBytes 22.9 MBytes/sec 21 98.4 KBytes
[ 5] 9.00-10.00 sec 22.4 MBytes 22.4 MBytes/sec 16 82.9 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 234 MBytes 23.4 MBytes/sec 169 sender
[ 5] 0.00-10.00 sec 234 MBytes 23.4 MBytes/sec receiver
iperf Done.
When using TLS, faster GCM ciphers can be used and performance is doubled:
sid0# iperf3 -fM -c 172.16.0.2
Connecting to host 172.16.0.2, port 5201
[ 5] local 172.16.0.1 port 49294 connected to 172.16.0.2 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 50.8 MBytes 50.8 MBytes/sec 110 67.2 KBytes
[ 5] 1.00-2.00 sec 50.3 MBytes 50.3 MBytes/sec 153 84.3 KBytes
[ 5] 2.00-3.00 sec 49.8 MBytes 49.8 MBytes/sec 125 77.7 KBytes
[ 5] 3.00-4.00 sec 51.0 MBytes 51.0 MBytes/sec 156 83.0 KBytes
[ 5] 4.00-5.00 sec 45.9 MBytes 45.9 MBytes/sec 103 111 KBytes
[ 5] 5.00-6.00 sec 46.1 MBytes 46.1 MBytes/sec 69 77.7 KBytes
[ 5] 6.00-7.00 sec 48.0 MBytes 48.1 MBytes/sec 106 112 KBytes
[ 5] 7.00-8.00 sec 49.1 MBytes 49.1 MBytes/sec 121 96.2 KBytes
[ 5] 8.00-9.00 sec 46.3 MBytes 46.3 MBytes/sec 78 109 KBytes
[ 5] 9.00-10.00 sec 38.9 MBytes 38.9 MBytes/sec 38 100 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 476 MBytes 47.6 MBytes/sec 1059 sender
[ 5] 0.00-10.00 sec 476 MBytes 47.6 MBytes/sec receiver
iperf Done.
SSH
A simple SSH based host-to-host tunnel:
# iperf3 -fM -c 10.0.0.20
Connecting to host 10.0.0.20, port 5201
[ 5] local 10.0.0.10 port 45868 connected to 10.0.0.20 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 22.6 MBytes 22.6 MBytes/sec 12 607 KBytes
[ 5] 1.00-2.00 sec 32.5 MBytes 32.5 MBytes/sec 0 694 KBytes
[ 5] 2.00-3.00 sec 31.2 MBytes 31.2 MBytes/sec 9 535 KBytes
[ 5] 3.00-4.00 sec 35.0 MBytes 35.0 MBytes/sec 0 578 KBytes
[ 5] 4.00-5.00 sec 36.2 MBytes 36.2 MBytes/sec 0 625 KBytes
[ 5] 5.00-6.00 sec 35.0 MBytes 35.0 MBytes/sec 0 666 KBytes
[ 5] 6.00-7.00 sec 36.2 MBytes 36.3 MBytes/sec 0 708 KBytes
[ 5] 7.00-8.00 sec 31.2 MBytes 31.2 MBytes/sec 12 551 KBytes
[ 5] 8.00-9.00 sec 30.0 MBytes 30.0 MBytes/sec 0 618 KBytes
[ 5] 9.00-10.00 sec 31.2 MBytes 31.3 MBytes/sec 0 663 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 321 MBytes 32.1 MBytes/sec 33 sender
[ 5] 0.00-10.00 sec 318 MBytes 31.8 MBytes/sec receiver
iperf Done.
With different parameters the connection speed can be somewhat increased:
$ ssh -oCiphers=aes128-ctr -oMACs=hmac-sha1 -oKexAlgorithms=diffie-hellman-group14-sha1 [...]
# iperf3 -fM -c 10.0.0.20
Connecting to host 10.0.0.20, port 5201
[ 5] local 10.0.0.10 port 45886 connected to 10.0.0.20 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 24.8 MBytes 24.8 MBytes/sec 57 563 KBytes
[ 5] 1.00-2.00 sec 32.5 MBytes 32.5 MBytes/sec 0 642 KBytes
[ 5] 2.00-3.00 sec 33.8 MBytes 33.8 MBytes/sec 0 700 KBytes
[ 5] 3.00-4.00 sec 36.2 MBytes 36.2 MBytes/sec 9 525 KBytes
[ 5] 4.00-5.00 sec 40.0 MBytes 40.0 MBytes/sec 0 581 KBytes
[ 5] 5.00-6.00 sec 41.2 MBytes 41.2 MBytes/sec 0 632 KBytes
[ 5] 6.00-7.00 sec 38.8 MBytes 38.8 MBytes/sec 0 679 KBytes
[ 5] 7.00-8.00 sec 38.8 MBytes 38.8 MBytes/sec 1 526 KBytes
[ 5] 8.00-9.00 sec 35.0 MBytes 35.0 MBytes/sec 0 594 KBytes
[ 5] 9.00-10.00 sec 33.8 MBytes 33.8 MBytes/sec 0 642 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 355 MBytes 35.5 MBytes/sec 67 sender
[ 5] 0.00-10.00 sec 352 MBytes 35.2 MBytes/sec receiver
iperf Done.
sshuttle
A simple sshuttle based host-to-host tunnel:
$ iperf3 -fM -c 10.0.0.20
Connecting to host 10.0.0.20, port 5201
[ 4] local 10.0.0.10 port 56050 connected to 10.0.0.20 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 22.1 MBytes 22.1 MBytes/sec 0 3.44 MBytes
[ 4] 1.00-2.00 sec 16.0 MBytes 16.0 MBytes/sec 0 3.44 MBytes
[ 4] 2.00-3.00 sec 15.8 MBytes 15.8 MBytes/sec 0 3.44 MBytes
[ 4] 3.00-4.00 sec 13.6 MBytes 13.6 MBytes/sec 0 3.44 MBytes
[ 4] 4.00-5.00 sec 15.0 MBytes 15.0 MBytes/sec 0 3.44 MBytes
[ 4] 5.00-6.00 sec 15.0 MBytes 15.0 MBytes/sec 0 3.44 MBytes
[ 4] 6.00-7.00 sec 14.4 MBytes 14.4 MBytes/sec 0 3.44 MBytes
[ 4] 7.00-8.00 sec 15.2 MBytes 15.2 MBytes/sec 0 3.44 MBytes
[ 4] 8.00-9.00 sec 13.6 MBytes 13.6 MBytes/sec 0 3.44 MBytes
[ 4] 9.00-10.00 sec 12.4 MBytes 12.4 MBytes/sec 0 3.44 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 153 MBytes 15.3 MBytes/sec 0 sender
[ 4] 0.00-10.00 sec 145 MBytes 14.5 MBytes/sec receiver
iperf Done.
Different SSH parameters do not seem to change the results:
$ sshuttle -v -e "ssh -oCiphers=aes128-ctr -oMACs=hmac-sha1 -oKexAlgorithms=diffie-hellman-group14-sha1" -r dummy@10.0.0.20 0.0.0.0/0
$ iperf3 -fM -c 10.0.0.20
Connecting to host 10.0.0.20, port 5201
[ 4] local 10.0.0.10 port 56050 connected to 10.0.0.20 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 25.0 MBytes 25.0 MBytes/sec 0 939 KBytes
[ 4] 1.00-2.00 sec 14.0 MBytes 14.0 MBytes/sec 0 939 KBytes
[ 4] 2.00-3.00 sec 14.0 MBytes 14.0 MBytes/sec 0 939 KBytes
[ 4] 3.00-4.00 sec 14.5 MBytes 14.5 MBytes/sec 1 939 KBytes
[ 4] 4.00-5.00 sec 12.5 MBytes 12.5 MBytes/sec 0 939 KBytes
[ 4] 5.00-6.00 sec 13.0 MBytes 13.0 MBytes/sec 0 939 KBytes
[ 4] 6.00-7.00 sec 10.1 MBytes 10.1 MBytes/sec 0 939 KBytes
[ 4] 7.00-8.00 sec 15.8 MBytes 15.8 MBytes/sec 0 939 KBytes
[ 4] 8.00-9.00 sec 15.4 MBytes 15.4 MBytes/sec 0 939 KBytes
[ 4] 9.00-10.00 sec 12.8 MBytes 12.8 MBytes/sec 0 939 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 147 MBytes 14.7 MBytes/sec 1 sender
[ 4] 0.00-10.00 sec 139 MBytes 13.9 MBytes/sec receiver
iperf Done.
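To put the runs above side by side, the sender and receiver summary rows of each iperf3 -fM output can be parsed and ranked against the plain baseline. This is an added example, not part of the original page; the names parse_summary and compare are hypothetical, and the embedded rows are copied from three of the runs above.

```python
import re

# One iperf3 summary row as printed with -fM, for example
# "[ 5] 0.00-10.00 sec 8.58 GBytes 878 MBytes/sec 85637 sender".
# The Retr column only appears on the sender row.
SUMMARY = re.compile(
    r"\[\s*\d+\]\s+[\d.]+-([\d.]+)\s+sec\s+"
    r"([\d.]+)\s+([KMG])Bytes\s+"
    r"([\d.]+)\s+MBytes/sec\s+"
    r"(?:(\d+)\s+)?(sender|receiver)\b"
)
TO_MBYTES = {"K": 1 / 1024, "M": 1.0, "G": 1024.0}


def parse_summary(output):
    """Return sender/receiver totals; also works on flattened output."""
    rows = {}
    for secs, amount, unit, rate, retr, role in SUMMARY.findall(output):
        rows[role] = {
            "seconds": float(secs),
            "mbytes": float(amount) * TO_MBYTES[unit],
            "rate": float(rate),  # MBytes/sec as reported by iperf3
            "retr": int(retr) if retr else None,
        }
    if set(rows) != {"sender", "receiver"}:
        raise ValueError("no complete iperf3 summary found")
    return rows


def compare(baseline, runs):
    """Rank runs by receiver rate, with % of baseline and sender Retr."""
    base = parse_summary(baseline)["receiver"]["rate"]
    table = []
    for name, output in runs.items():
        s = parse_summary(output)
        rate = s["receiver"]["rate"]
        table.append((name, rate, round(100 * rate / base, 1), s["sender"]["retr"]))
    return sorted(table, key=lambda row: row[1], reverse=True)


# Summary rows copied from the runs on this page.
PLAIN = ("[ 5] 0.00-10.00 sec 8.58 GBytes 878 MBytes/sec 85637 sender\n"
         "[ 5] 0.00-10.00 sec 8.57 GBytes 878 MBytes/sec receiver\n")
RUNS = {
    "Libreswan AES_CBC_128": "[ 5] 0.00-10.01 sec 837 MBytes 83.7 MBytes/sec 95 sender "
                             "[ 5] 0.00-10.01 sec 837 MBytes 83.7 MBytes/sec receiver",
    "Libreswan AES_GCM_16_256": "[ 5] 0.00-10.01 sec 1.48 GBytes 151 MBytes/sec 462 sender "
                                "[ 5] 0.00-10.01 sec 1.48 GBytes 151 MBytes/sec receiver",
    "WireGuard": "[ 5] 0.00-10.00 sec 1.32 GBytes 135 MBytes/sec 636 sender "
                 "[ 5] 0.00-10.00 sec 1.31 GBytes 135 MBytes/sec receiver",
}
if __name__ == "__main__":
    for row in compare(PLAIN, RUNS):
        print("%-26s %6.1f MBytes/sec %5.1f%% of plain, Retr %d" % row)
```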