1. Setup a VPN on Your iPhone With OpenVPN and Linux

    June 18, 2018

    [Update 2018] This article has been substantially updated since it was published in 2013.

    Introduction

    In this article, I will show you how to set up a Linux-based OpenVPN server. Once this server is up and running, I'll show you how to set up your iOS devices, such as your iPhone or iPad, so that they can connect to your new VPN server.

    The goal of this effort is to encapsulate all internet traffic through your VPN connection so no matter where you are, nobody can monitor which sites you visit and what you do. This is ideal if you have to visit the internet through untrusted internet sources like public Wi-Fi.

    Some typical scenarios would be:

    • you run an OpenVPN service on your Linux-based home router directly
    • you run an OpenVPN service on a device behind your home router using port forwarding (like a Raspberry Pi)
    • you run an OpenVPN service on a VPS hosted by one of many cloud service providers

    Your iOS devices will be running OpenVPN Connect, a free application found in the App store.


    A note on other platforms: Although this tutorial is focused on iOS devices, your new OpenVPN-based VPN server will support any client OS, be it Windows, MacOS, Android or Linux. Configuration of these other clients is out-of-scope for this article.

    This tutorial is based on OpenVPN, an open-source product. The company behind OpenVPN also offers VPN services for a price per month. If you find the effort of setting up your own server too much of a hassle, you could look into their service. Please note that I have never used this service and cannot vouch for it.

    This is a brief overview of all the steps you will need to take in order to have a fully functional setup, including configuration of the clients:

    1. Install a Linux server (out-of-scope)
    2. Install the OpenVPN software
    3. Setup the Certificate Authority
    4. Generate the server certificate
    5. Configure the OpenVPN server configuration
    6. Configure the firewall on your Linux server
    7. Generate certificates for every client (iPhone, iPad, and so on)
    8. Copy the client configuration to your devices
    9. Test your clients

    How It Works

    OpenVPN is an SSL-based VPN solution. SSL-based VPNs are very reliable because if you set it up properly, you will never be blocked by any firewall as long as TCP-port 443 is accessible. By default, OpenVPN uses UDP as a transport at port 1194, but you can switch to TCP-port 443 to increase the chance that your traffic will not be blocked at the cost of a little bit more bandwidth usage.

    Authentication

    Authentication is based on public/private key cryptography. The OpenVPN server is similar to an HTTPS server. The biggest difference is that your device doesn't use a username/password combination for authentication, but a certificate. This certificate is stored within the client configuration file.

    So before you can configure and start your OpenVPN service, you need to set up a Certificate Authority (CA). With the CA you can create the server certificate for your OpenVPN server and, after that's done, generate all client certificates.

    OpenVPN installation

    OpenVPN is available on most common Linux Distros by default. apt-get install openvpn for any Debian or Ubuntu version is all you need to install OpenVPN.

    Or take a look here

    I have never tried it out, but you can try and take a look at an OpenVPN install script

    This script seems to automate a lot of steps, like firewall configuration, certificate generation, etc.

    Tip

    It's out-of-scope for this tutorial, but you should make sure that you keep your OpenVPN software up-to-date, in case security vulnerabilities are discovered in OpenVPN in the future.

    Security

    I'm creating this tutorial on an older system, with less secure default configuration settings for both the Certificate Authority and the OpenVPN server itself. The settings I use in this tutorial are based on the steps in this blog.

    Notable improvements:

    • AES256 for encryption
    • 2048 bit key sizes over 1024 bit keys
    • SHA256 over sha1/md5

    Performance

    I did some performance tests and got around 40-50 Mbs per iOS client. I believe that the bottleneck lies with my old HP Microserver N40L with its relatively weak CPU.

    Traffic Shaping

    If you want to limit how much bandwidth a client is allowed to use, I recommend using this tutorial. I have tried it out and it works perfectly.

    Creating a certificate authority.

    I assume that you will set up your OpenVPN configuration in /etc/openvpn. Before you can set up the server configuration, you need to create a certificate authority. I used the folder /etc/openvpn/easy-rsa as the location for my CA.

    mkdir /etc/openvpn/easy-rsa
    

    We start with copying all these files to this new directory:

    cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa
    

    Please note that depending on your Linux flavour, these files may be found at some other path.

    Next, we cd into the destination directory.

    cd /etc/openvpn/easy-rsa
    

    Now, open the 'vars' file with your favorite text editor. The following instructions are straight from the OpenVPN howto.

    You should change all the values to ones that apply to you (obviously).

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="California"
    export KEY_CITY="San Francisco"
    export KEY_ORG="My Company"
    export KEY_EMAIL="my@mail.com"
    export KEY_CN=server
    export KEY_NAME=server
    export KEY_OU=home
    

    Change the KEY_SIZE parameter:

    export KEY_SIZE=2048
    

    How long would you like your certificates to be valid (10 years?)

    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    

    Then I had to copy openssl-1.0.0.cnf to openssl.cnf because the 'vars' script complained that it couldn't find the latter file.

    cp openssl-1.0.0.cnf openssl.cnf
    

    Notice I went through these steps on an older Linux installation. I had to edit the file /etc/openvpn/easy-rsa/pkitool and changed all occurrences of 'sha1' to 'sha256'.

    Now we 'source' the 'vars' file and run three additional commands that generate the certificate authority and the Diffie-Hellman parameters. Notice the dot before ./vars.

    . ./vars
    ./clean-all
    ./build-ca
    ./build-dh
    

    You will have to confirm the values or change them if necessary.

    Now we have a certificate authority and we can create new certificates that will be signed by this authority.

    WARNING: be extremely careful with all key files, they should be kept private.

    I would recommend performing these commands:

    chown -R root:root /etc/openvpn 
    chmod -R 700 /etc/openvpn
    

    By default, OpenVPN runs as root. With these commands, only the root user will be able to access the keys. If you don't run OpenVPN as root, you must select the appropriate user for the first command. See also this article.

    Creating the Server Certificate

    We create the server certificate:

    ./build-key-server server
    

    It's up to you to come up with an alternative for 'server'. This is the file name under which the key files and certificates are stored.

    All files that are generated can be found in the '/etc/openvpn/easy-rsa/keys' directory. This is just a flat folder with both the server and client keys.

    Creating the optional TLS-AUTH Certificate

    This step is optional but it doesn't take much effort and it seems to add an additional security layer at no significant cost. In this step we create an additional secret key that is shared with both the server and the clients.

    The following steps are based on this article (use of -tls-auth).

    cd /etc/openvpn/easy-rsa/keys
    openvpn --genkey --secret ta.key
    

    When we are going to create the server configuration, we will reference this key file.

    Creating the Client Certificate

    Now that we have a server certificate, we are going to create a certificate for our iPhone (or any other iOS device).

    cd /etc/openvpn/easy-rsa
    ./build-key iphone
    

    Answer the questions with the defaults. Don't forget to answer these questions:

    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    

    So now we have everything in place to start creating an OpenVPN configuration. We must create a configuration for the server and the client. Those configurations are based on the examples that can be found in /usr/share/doc/openvpn/examples/.

    Example Server configuration

    This is my server configuration which is operational. It is stored in /etc/openvpn/openvpn.conf

    dev tun2
    tls-server
    cipher AES-256-CBC
    auth SHA256
    remote-cert-tls client
    dh easy-rsa/keys/dh2048.pem
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/server.crt
    key easy-rsa/keys/server.key
    server 10.0.0.0 255.255.255.0
    log /var/log/openvpn.log
    comp-lzo
    script-security 2
    route-up "/sbin/ifconfig tun2 up"
    port 443
    proto tcp-server
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    

    I believe you should be able to use this configuration as-is. Depending on your local IP-addresses within your own network, you may have to change the server section.

    I use TCP-port 443 as this destination port is almost never blocked as blocking this port would break most internet connectivity. (The downside is that I can no longer host any secure web site on this IP-address).

    The OpenVPN service will provide your client with an IP-address within the address range configured in the 'server' section.

    Change any parameters if required and then start or restart the OpenVPN service:

    /etc/init.d/openvpn restart
    

    Make sure that the server is running properly by checking /var/log/openvpn.log.
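As an added example (not part of the original article or of OpenVPN), the following script checks a server configuration for the choices this tutorial makes: AES-256, SHA256, `remote-cert-tls client`, a referenced tls-auth key, and key material that exists and is not accessible to group or others. The function names and the sample files are constructed for illustration, and relative paths are assumed to resolve against the directory that holds the configuration file.

```shell
#!/bin/sh
# Added example, not the article's code. All function names are hypothetical.
# Assumption: relative paths resolve against the config file's directory.

# Print the arguments of the first uncommented occurrence of a directive.
conf_value() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Turn a path from the config into one usable from any working directory.
conf_path() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Print one finding per line; exit status is 1 when there is any finding.
lint_server_conf() (
    conf=$1
    base=$(dirname "$conf")
    status=0
    finding() { printf '%s\n' "$1"; status=1; }

    case $(conf_value "$conf" cipher) in
        AES-256-*) ;;
        "") finding "cipher: not set, the OpenVPN default applies" ;;
        *)  finding "cipher: expected AES-256-*" ;;
    esac
    case $(conf_value "$conf" auth) in
        SHA256|SHA384|SHA512) ;;
        "") finding "auth: not set, the OpenVPN default applies" ;;
        *)  finding "auth: expected SHA256 or stronger" ;;
    esac
    [ "$(conf_value "$conf" remote-cert-tls)" = client ] ||
        finding "remote-cert-tls: client certificates are not type-checked"
    [ -n "$(conf_value "$conf" tls-auth)" ] ||
        finding "tls-auth: no shared ta.key is referenced"

    # Every referenced key or certificate file has to exist.
    for d in ca cert key dh; do
        v=$(conf_value "$conf" "$d")
        [ -n "$v" ] || { finding "$d: directive missing"; continue; }
        f=$(conf_path "$base" "${v%% *}")
        [ -f "$f" ] || { finding "$d: file not found: $v"; continue; }
        # Private key: the group and other permission bits must be clear.
        if [ "$d" = key ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            finding "key: $v is accessible to group or others"
        fi
    done
    exit "$status"
)

# Constructed sample: weak auth, a mistyped dh path, no tls-auth and a
# world-readable private key. All key files are empty placeholders.
make_sample() {
    mkdir -p "$1/keys"
    for f in ca.crt server.crt server.key dh2048.pem; do : > "$1/keys/$f"; done
    chmod 644 "$1/keys/server.key"
    printf '%s\n' 'cipher AES-256-CBC' 'auth SHA1' 'remote-cert-tls client' \
        'dh keys/dh2048pem' 'ca keys/ca.crt' 'cert keys/server.crt' \
        'key keys/server.key' > "$1/server.conf"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    lint_server_conf "$tmp/server.conf" || true   # findings set exit status 1
    rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
    lint_server_conf "$1"
fi
```

Run it with the path to your configuration, for example /etc/openvpn/openvpn.conf, or with `--demo` to lint the constructed sample.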

    If you want to use your VPN to browse the internet, we still need to configure a basic firewall setup.

    I'm assuming that you already have some kind of IPtables-based firewall running. Configuring a Linux firewall is out-of-scope for this article. I will only discuss the changes you may need to make for the OpenVPN service to operate properly.

    You will need to accept traffic to TCP port 443 on the interface connected to the internet.

    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    

    If your OpenVPN server is behind a router/firewall, you need to configure port-forwarding on that router/firewall. How to do so is out-of-scope for this article, as it is different for different devices.

    Assuming that you will - for example - use the 10.0.0.0/24 network for VPN clients such as your iPhone, you must also create a NAT rule so VPN clients can use the IP-address of the Linux server to access the internet.

    iptables -t nat -A POSTROUTING -s "10.0.0.0/24" -o "eth0" -j MASQUERADE
    

    Please note that you must replace eth0 with the name of the appropriate interface that connects to the internet. Change the IP-address range according to your own situation. It should not conflict with your existing network.

    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.0.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    

    Please note that I haven't tested these rules, as I have a different setup. But this should be sufficient. And make sure that forwarding is enabled like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    

    Example Client configuration

    Most OpenVPN clients can automatically import files with the .ovpn file extension. A typical configuration file is something like 'iphone.ovpn'.

    Warning: the .ovpn files will contain the certificate used by your iPhone/iPad to authenticate against your OpenVPN server. Be very careful where you store this file. Anyone who is able to obtain a copy of this file will be able to connect to your VPN server.

    This is an example configuration file, but we are not going to create it by hand, it's too much work.

    What you will notice from this example is that the .ovpn file contains both the client configuration and all the required certificates:

    1. the CA root certificate
    2. the server certificate to validate the server
    3. the client private certificate
    4. the TLS-AUTH certificate (an optional extra security measure)

    Create a client configuration file (.ovpn) with a script

    You can create your client configuration file manually, but that is a lot of work because you need to append all the certificates to a single file that also contains the configuration settings.

    So we will use a script to setup the client configuration.

    First we are going to create a folder where our client configuration files will be stored.

    mkdir /etc/openvpn/clientconfig
    chmod 700 /etc/openvpn/clientconfig
    

    Now we will download the script and the accompanying configuration template file. Notice that the links may wrap.

    cd /etc/openvpn
    wget https://raw.githubusercontent.com/louwrentius/openvpntutorial/master/create-client-config.sh
    wget https://raw.githubusercontent.com/louwrentius/openvpntutorial/master/client-config-template
    chmod +x create-client-config.sh
    

    Please note that you first need to create the certificates for your devices before you can generate a configuration file. So please go back to that step if you need to.

    Also take note of the name you have used for your devices. You can always take a look in /etc/openvpn/easy-rsa/keys to see what your devices are called.

    When you run this script, a configuration file is generated and placed into the folder /etc/openvpn/clientconfig.

    The script just puts the client configuration template and all required certificates in one file. This is how you use it:

    ./create-client-config.sh iphone
    

    Some output you will notice when running the script:

    user@server:/etc/openvpn# ./create-client-config.sh iphone
    Client's cert found: /etc/openvpn/easy-rsa/keys/iphone
    Client's Private Key found: /etc/openvpn/easy-rsa/keys/iphone.key
    CA public Key found: /etc/openvpn/easy-rsa/keys/ca.crt
    tls-auth Private Key found: /etc/openvpn/easy-rsa/keys/ta.key
    Done! /etc/openvpn/clientconfig/iphone.ovpn Successfully Created.
    

    You should now find a file called 'iphone.ovpn' in the directory /etc/openvpn/clientconfig.
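What such a script does can be shown with a short added example. This is not the create-client-config.sh downloaded above; the function names, the `vpn.example.org` template and the placeholder key files are constructed, and `key-direction 1` assumes the server loads ta.key with direction 0.

```shell
#!/bin/sh
# Added example, not the article's script. Names are hypothetical.

# Print only the PEM block of a certificate file. Certificates signed by the
# CA may start with a human-readable dump that the client does not need.
pem_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# build_ovpn TEMPLATE KEYDIR NAME OUTDIR
# Writes OUTDIR/NAME.ovpn with all key material inlined and prints its path.
build_ovpn() (
    template=$1 keydir=$2 name=$3 outdir=$4

    # Refuse names that could point outside the key directory.
    case $name in
        ""|*/*|.*) echo "invalid client name: $name" >&2; exit 2 ;;
    esac
    for f in "$template" "$keydir/ca.crt" "$keydir/$name.crt" \
             "$keydir/$name.key" "$keydir/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done

    umask 077                 # the profile holds a private key: owner-only
    out=$outdir/$name.ovpn
    tmp=$out.tmp.$$
    {
        cat "$template"
        echo "key-direction 1"
        echo "<ca>";       pem_block "$keydir/ca.crt";    echo "</ca>"
        echo "<cert>";     pem_block "$keydir/$name.crt"; echo "</cert>"
        echo "<key>";      cat "$keydir/$name.key";       echo "</key>"
        echo "<tls-auth>"; cat "$keydir/ta.key";          echo "</tls-auth>"
    } > "$tmp"
    mv "$tmp" "$out"          # only a complete profile appears under its name
    printf '%s\n' "$out"
)

# Constructed placeholder input: none of this is real key material.
make_sample_keys() {
    printf '%s\n' 'client' 'dev tun' 'proto tcp' \
        'remote vpn.example.org 443' > "$1/template"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT' \
        '-----END CERTIFICATE-----' > "$1/iphone.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
        '-----END PRIVATE KEY-----' > "$1/iphone.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' \
        '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_keys "$d"
    cat "$(build_ovpn "$d/template" "$d" iphone "$d")"
    rm -rf "$d"
fi
```

The resulting file is created with mode 600, which matters because it carries the client's private key and the shared tls-auth key in clear text.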

    We are almost there. We just need to copy this file to your iOS device.

    You have three options:

    1. Use iCloud Drive
    2. Use iTunes
    3. Use email (obviously insecure and not discussed)

    Setting up your iPhone or iPad with iCloud Drive

    1. First install the OpenVPN Connect application if you haven't done so.
    2. Copy the .ovpn file from your OpenVPN server to your iCloud Drive.
    3. Take your device and use the 'files' browser to navigate within your iCloud drive to the .ovpn file you just copied.
    4. Tap on the file to download and open it.
    5. Now comes the tricky part: press the share symbol


    Open the file with the OpenVPN application on your iOS device:


    When you get the question "OpenVPN would like to Add VPN Configurations", choose 'Allow'.

    Continue with the step 'Test your iOS device'.

    If the OpenVPN Connect client doesn't import the file, remove the application from the device and re-install it. (This is what I had to do on my iPad).

    Setting up your iPhone or iPad with iTunes

    You can skip this step if you used iCloud Drive to copy the .ovpn profile to your device.

    You need to get the following files on your iOS device:

    iphone.ovpn
    

    Copy this file from your OpenVPN server to the computer running iTunes. Then connect your device to iTunes with a cable.

    1. Open iTunes
    2. Select your device at the top right
    3. Go to the Apps tab
    4. Scroll to the file sharing section
    5. Select the OpenVPN application
    6. Add the iphone.ovpn
    7. Sync your device

    Test your iOS device

    Open the OpenVPN client. You will see a notice that a new configuration has been imported and you need to accept this configuration.

    As it might not work straight away, you need to monitor /var/log/openvpn.log on the server to watch for any errors.

    Now try to connect and enjoy.

    Conclusion

    You should be able to keep your VPN enabled at all times because battery usage overhead should be minimal. If you are unable to connect to your VPN when you are at home behind your own firewall, you need to check your firewall settings.

    Updated 20130123 with keepalive option. Updated 20130801 with extra server push options for traffic redirection and DNS configuration. Updated 20180618 as substantial rewrite of the original outdated article.

  2. HP Proliant Microserver Gen10 as Router or NAS

    September 14, 2017

    Introduction

    In the summer of 2017, HP released the Proliant Microserver Gen10. This machine replaces the older Gen8 model.


    For hobbyists, the Microserver always has been an interesting device for a custom home NAS build or as a router.

    Let's find out if this is still the case.

    Price

    In The Netherlands, the price of the entry-level model is similar to the Gen8: around €220 including taxes.

    CPU

    The new AMD X3216 processor has slightly better single threaded performance as compared to the older G1610t in the Gen8. Overall, both devices seem to have similar CPU performance.

    The biggest difference is the TDP: 35 Watt for the Celeron vs 15 Watt for the AMD CPU.

    Memory

    By default, it has 8 GB of unbuffered ECC memory, that's 4 GB more than the old model. Only one of the two memory slots is occupied, so you can double that amount just by adding another 8 GB stick. It seems that 32 GB is the maximum.

    Storage

    This machine has retained the four 3.5" drive slots. There are no drive brackets anymore. Before inserting a hard drive, you need to remove a bunch of screws from the front of the chassis and put four of them in the mounting holes of each drive. These screws then guide the drive through grooves into the drive slot. This caddy-less design works perfectly and the drive is mounted rock-solid in its position.

    To pop a drive out, you have to press the appropriate blue lever, which latches on to one of the front screws mounted on your drive and pulls it out of the slot.

    There are two on-board sata controllers.

    00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD] FCH SATA Controller [AHCI mode] (rev 49)
    01:00.0 SATA controller: Marvell Technology Group Ltd. 88SE9230 PCIe SATA 6Gb/s Controller (rev 11)
    

    The Marvell controller is connected to the four drive bays. The AMD controller is probably connected to the fifth on-board SATA port.

    As with the Gen8, you need a floppy-power-connector-to-sata-power-connector cable if you want to use a SATA drive with the fifth onboard SATA port.

    Due to the internal SATA header or the USB2.0 header, you could decide to run the OS without redundancy and use all four drive bays for storage. As solid state drives tend to be very reliable, you may use a small SSD to keep the cost and power usage down and still retain reliability (although not the level of reliability RAID1 provides).

    Networking

    Just like the Gen8, the Gen10 has two Gigabit network cards. The brand and model is: Broadcom Limited NetXtreme BCM5720

    As tested with iperf3 I get full 1 Gbit network performance. No problems here (tested on CentOS 7).

    PCIe slots

    This model has two half-height PCIe slots (1x and 8x in a 4x and 8x physical slot) which is an improvement over the single PCIe slot in the Gen8.

    USB

    The USB configuration is similar to the Gen8, with both USB2 and USB3 ports and one internal USB2 header on the motherboard.

    Sidenote: the onboard micro SD card slot as found in the Gen8 is not present in the Gen10.

    Graphics

    The Gen10 also has a built-in GPU, but I have not looked into it as I have no use for it.

    The Gen10 differs in output options as compared to the Gen8: it supports one VGA and two displayport connections. Those displayport connectors could make the Gen10 an interesting DIY HTPC build, but I have not looked into it.

    iLO

    The Gen10 has no support for iLO. So no remote management, unless you have an external KVM-over-IP solution.

    This is a downside, but for home users, this is probably not a big deal. My old Microserver N40L didn't have iLO and it never bothered me.

    And most of all: iLO is a small on-board mini-computer that increases idle power consumption. So the lack of iLO support should mean better idle power consumption.

    Boot

    Both Legacy and UEFI boot are supported. I have not tried UEFI booting.

    Booting from the 5th internal SATA header is supported and works fine (as opposed to the Gen8).

    For those who care: booting is a lot quicker as opposed to the Gen8, which took ages to get through the BIOS.

    Power Usage

    I have updated this segment as I have used some incorrect information in the original article.

    The Gen10 seems to consume 14 Watt at idle, booted into Centos 7 without any disk drives attached (removed all drives after booting). This 14 Watt figure is reported by my external power meter.

    Adding a single old 7200 1 TB drive drives power usage up to 21 Watt (as expected).

    With four older 7200 RPM drives the entire system uses about 43 Watt according to the external power meter.

    As an experiment, I've put two old 60 GB 2.5" laptop drives in the first two slots, configured as RAID1. Then I added two 1 TB 7200 RPM drives to fill up the remaining slots. This resulted in a power usage of 32 Watt.

    Dimensions and exterior

    Exactly the same as the Gen8, they stack perfectly.

    The Gen8 had a front door protecting the drive bays connected to the chassis with two hinges. HP has been cheap on the Gen10, so when you open the door, it basically falls off, there's no hinge. It's not a big issue, the overall build quality of the Gen10 is excellent.

    I have no objective measurements of noise levels, but the device seems almost silent to me.

    Evaluation and conclusion

    At first, I was a bit disappointed about the lack of iLO, but it turned out for the best. What makes the Gen10 so interesting is the idle power consumption. The lack of iLO support probably contributes to the improved idle power consumption.

    The Gen8 measures between 30 and 35 Watt idle power consumption, so the Gen10 does fare much better (~18 Watt).

    Firewall/Router

    At this level of power consumption, the Gen10 could be a formidable router/firewall solution. The only real downside is its size as compared to purpose-built firewalls/routers. The two network interfaces may provide sufficient network connectivity but if you need more ports and using VLANs is not enough, it's easy to add some extra ports.

    If an ancient N40L with a piss-poor Atom processor can handle a 500 Mbit internet connection, this device will have no problems with it, I'd presume. Once I've taken this device into production as a replacement for my existing router/firewall, I will share my experience.

    Storage / NAS

    The Gen8 and Gen10 both have four SATA drive bays and a fifth internal SATA header. From this perspective, nothing has changed. The reduced idle power consumption could make the Gen10 an even more attractive option for a DIY home grown NAS.

    All things considered I think the Gen10 is a great device and I have not really encountered any downsides. If you have no problems putting a bit of effort into a DIY solution, the Gen10 is a great platform for a NAS or Router/Firewall that can compete with most purpose-built devices.

    I may update this article as I gain more experience with this device.

  3. Using InfiniBand for Cheap and Fast Point-To-Point Networking

    March 25, 2017

    InfiniBand networking is quite awesome. It's mainly used for two reasons:

    1. low latency
    2. high bandwidth

    As a home user, I'm mainly interested in setting up a high bandwidth link between two servers.

    I was using quad-port network cards with Linux Bonding, but this solution has some downsides:

    1. you can only go to 4 Gbit with Linux bonding (or you need more ports)
    2. you need a lot of cabling
    3. it is similar in price as InfiniBand

    So I've decided to take a gamble on some InfiniBand gear. You only need InfiniBand PCIe network cards and a cable.

    1 x SFF-8470 CX4 cable                                              $16
    2 x MELLANOX DUAL-PORT INFINIBAND HOST CHANNEL ADAPTER MHGA28-XTC   $25
                                                                Total:  $66
    

    view of installed infiniband card and cable

    I find $66 quite cheap for 20 Gbit networking. Regular 10Gbit Ethernet networking is often still more expensive than using older InfiniBand cards.

    InfiniBand is similar to Ethernet: you can run your own protocol over it (for lower latency), but you can also use IP over InfiniBand. The InfiniBand card will just show up as a regular network device (one per port).

    ib0 Link encap:UNSPEC HWaddr 80-00-04-04-FE-80-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.2.3  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::202:c902:29:8e01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:65520  Metric:1
          RX packets:7988691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17853128 errors:0 dropped:10 overruns:0 carrier:0
          collisions:0 txqueuelen:256 
          RX bytes:590717840 (563.3 MiB)  TX bytes:1074521257501 (1000.7 GiB)
    

    Configuration

    I've followed these instructions to get IP over InfiniBand working.

    Modules

    First, you need to ensure the following modules are loaded at a minimum:

    ib_mthca
    ib_ipoib
    

    I only had to add the ib_ipoib module to /etc/modules. As soon as this module is loaded, you will notice you have some ibX interfaces available which can be configured like regular ethernet cards.

    Subnet manager

    In addition to loading the modules, you also may need a subnet manager, but this seems only relevant if you have an InfiniBand switch. Such switches either have a built-in subnet manager or you can just install and use 'opensm'.

    Link status

    If you want, you can check the link status of your InfiniBand connection like this:

    # ibstat
    CA 'mthca0'
        CA type: MT25208
        Number of ports: 2
        Firmware version: 5.3.0
        Hardware version: 20
        Node GUID: 0x0002c90200298e00
        System image GUID: 0x0002c90200298e03
        Port 1:
            State: Active
            Physical state: LinkUp
            Rate: 20
            Base lid: 1
            LMC: 0
            SM lid: 2
            Capability mask: 0x02510a68
            Port GUID: 0x0002c90200298e01
            Link layer: InfiniBand
        Port 2:
            State: Down
            Physical state: Polling
            Rate: 10
            Base lid: 0
            LMC: 0
            SM lid: 0
            Capability mask: 0x02510a68
            Port GUID: 0x0002c90200298e02
            Link layer: InfiniBand
    

    Set mode and MTU

    Since my systems run Debian Linux, I've configured /etc/network/interfaces like this:

    auto ib0
    iface ib0 inet static
        address 10.0.2.2
        netmask 255.255.255.0
        mtu 65520
        pre-up echo connected > /sys/class/net/ib0/mode
    

    Please take note of the 'mode' setting. The 'datagram' mode gave abysmal network performance (< Gigabit). The 'connected' mode made everything perform acceptably.

    The MTU setting of 65520 improved performance by another 30 percent.

    Performance

    I've tested the card on two systems based on the Supermicro X9SCM-F motherboard. Using these systems, I was able to achieve file transfer speeds up to 750 MB (Megabytes) per second or about 6.5 Gbit as measured with iperf.

    ~# iperf -c 10.0.2.2
    ------------------------------------------------------------
    Client connecting to 10.0.2.2, TCP port 5001
    TCP window size: 2.50 MByte (default)
    ------------------------------------------------------------
    [  3] local 10.0.2.3 port 40098 connected with 10.0.2.2 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec  7.49 GBytes  6.43 Gbits/sec
    

    Similar test with netcat and dd:

    ~# dd if=/dev/zero bs=1M count=100000 | nc 10.0.2.2 1234
    100000+0 records in
    100000+0 records out
    104857600000 bytes (105 GB) copied, 128.882 s, 814 MB/s
    

    Testing was done on Debian Jessie.

    During earlier testing, I've also used these cards in HP Micro Proliant G8 servers. On those servers, I was running Ubuntu 16.04 LTS.

    As tested on Ubuntu with the HP Microserver:

    ------------------------------------------------------------
    Client connecting to 10.0.4.3, TCP port 5001
    TCP window size: 4.00 MByte (default)
    ------------------------------------------------------------
    [  5] local 10.0.4.1 port 52572 connected with 10.0.4.3 port 5001
    [  4] local 10.0.4.1 port 5001 connected with 10.0.4.3 port 44124
    [ ID] Interval       Transfer     Bandwidth
    [  5]  0.0-60.0 sec  71.9 GBytes  10.3 Gbits/sec
    [  4]  0.0-60.0 sec  72.2 GBytes  10.3 Gbits/sec
    

    Using these systems, I was eventually able to achieve 15 Gbit as measured with iperf, although I have no 'console screenshot' from it.

    Closing words

    IP over InfiniBand seems to be a nice way to get high-performance networking on the cheap. The main downside is that when using IP over IB, CPU usage will be high.

    Another thing I have not researched, but could be of interest is running NFS or other protocols directly over InfiniBand using RDMA, so you would bypass the overhead of IP.
