During Redis replication benchmarks between AWS Ireland (client) and US-East (server), I observed significant performance differences:
```bash
# Redis sync monitoring command used:
while true; do redis-cli -p 7777 info | grep master_sync_left_bytes; sleep 1; done
```
Raw throughput measurements showed SSH achieving ~11MB/s compared to OpenVPN's ~2MB/s - a 5.5x difference that contradicts conventional wisdom about VPN performance advantages.
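Added example (not from the original post): one way to turn a saved capture of the monitoring loop's output into a throughput figure like the ~11MB/s quoted above. The function names `sync_rate` and `sample_sync_log`, the file name `sync.log` and the sample values are assumptions; the sample is constructed, and one sample per interval is assumed.

```shell
# sync_rate [interval_seconds]
# Reads "master_sync_left_bytes:<n>" samples on stdin, one per interval, and
# prints "<avg_bytes_per_s> <peak_bytes_per_s> <intervals_counted>".
sync_rate() {
  _dt="${1:-1}"
  # redis-cli prints INFO lines with CRLF endings; strip the CR before parsing.
  tr -d '\r' | awk -F: -v dt="$_dt" '
    $1 != "master_sync_left_bytes" { next }            # ignore other INFO fields
    $2 !~ /^[0-9]+$/ { have = 0; next }                # negative/malformed: drop the spanning interval
    {
      cur = $2 + 0
      if (have && cur <= prev) {                       # bytes received since the last sample
        d = prev - cur
        total += d; n++
        if (d / dt > peak) peak = d / dt
      }
      # cur > prev means the sync restarted; that interval is not counted
      prev = cur; have = 1
    }
    END {
      if (n == 0) { print "0 0 0"; exit }
      printf "%d %d %d\n", total / (n * dt), peak, n
    }'
}

# Constructed sample: three draining intervals plus one sync restart.
sample_sync_log() {
  printf 'master_sync_left_bytes:100000000\r\n'
  printf 'master_sync_left_bytes:89000000\r\n'
  printf 'master_sync_left_bytes:78500000\r\n'
  printf 'master_sync_left_bytes:120000000\r\n'        # restart: remaining bytes jump up
  printf 'master_sync_left_bytes:108000000\r\n'
}

# Typical use (sync.log is a hypothetical capture of the loop output):
#   sync_rate 1 < sync.log
```

The result is in bytes per second; divide by 1,000,000 to compare with the MB/s figures in the text.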
Subsequent controlled tests revealed consistent patterns:
| Method | Configuration | Transfer Time |
|---|---|---|
| OpenVPN | TCP with compression | 15 minutes |
| OpenVPN | UDP with compression | 5 minutes |
| SSH | Default settings | 1m50s |
| SSH | No compression | 1m30s |
iperf tests confirmed the performance hierarchy, with SSH consistently outperforming OpenVPN across different cipher configurations:
| Method | Result (Mb/s) |
|---|---|
| ssh | 91.1 / N.A |
| vpn blowfish udp | 43 / 11 |
| vpn AES udp | 36 / 4 |
The OpenVPN setup used standard enterprise-grade parameters:
```
# Server configuration highlights:
proto udp
cipher AES-256-CBC
comp-lzo
tun-mtu 1500
fragment 1300
```

```bash
# Client tunnel command:
ssh -f user@host -i key.pem -L 12345:127.0.0.1:12345 -N
```
Several factors contribute to SSH's superior performance in this scenario:
- TCP-over-TCP avoidance: While OpenVPN UDP avoids this, the MTU/fragment settings may introduce overhead
- Encryption overhead: AES-256-CBC requires more CPU cycles than SSH's default cipher
- Buffer management: SSH's adaptive buffering works particularly well with Redis' sequential sync pattern
For Redis replication specifically:
```bash
# Optimal SSH tunnel setup for Redis:
ssh -o "Compression=no" -T -N -L 6379:localhost:6379 user@redis-master
```
For general-purpose VPN needs where security takes priority:
```
# OpenVPN performance tuning:
proto udp
cipher BF-CBC # Faster than AES in the iperf results above; 64-bit block cipher, see SWEET32
comp-lzo adaptive
tun-mtu 1400
mssfix 1360
sndbuf 393216
rcvbuf 393216
```
During recent Redis replication tests between AWS Ireland (server) and US-East (client) instances, SSH tunneling consistently outperformed OpenVPN by significant margins. The benchmark measured Redis synchronization time between the `Connecting to MASTER` and `MASTER <-> SLAVE sync: Finished with success` log states:
```bash
while true; do redis-cli -p 7777 info | grep master_sync_left_bytes; sleep 1; done
```
Test results showed:
- SSH (default): ~11MB/s (1m50s total sync)
- OpenVPN UDP: ~2MB/s (5m with compression)
SSH Tunnel Setup:
```bash
ssh -f XXXX@XXXX -i XXXX -L 12345:127.0.0.1:12345 -N
```
OpenVPN Server Config (CentOS 6.3):
```
port 1194
proto udp
dev tun0
cipher AES-256-CBC
comp-lzo
tun-mtu 1500
fragment 1300
```
| Method | Throughput (Mb/s) |
|---|---|
| SSH | 91.1 / N.A |
| OpenVPN (Blowfish UDP) | 43 / 11 |
| OpenVPN (AES TCP) | 12 / 5 |
Key discoveries from repeated testing:
- SSH performs better without compression (1m30s vs 2m30s with compression)
- OpenVPN shows better UDP performance (5m) vs TCP (15m)
- Compression helps OpenVPN UDP (5m) vs no compression (6m)
The performance gap likely stems from:
- SSH's more efficient packet handling in high-latency environments
- OpenVPN's MTU/fragmentation overhead (1500 MTU + 1300 fragment)
- AES-256-CBC encryption overhead in OpenVPN vs SSH's default cipher
For Redis replication over WAN:
```bash
# Preferred SSH setup for maximum throughput:
ssh -f user@host -L 6379:localhost:6379 -N -o Compression=no -c aes128-ctr
```
When OpenVPN is required:
```
# Optimized OpenVPN client config:
proto udp
cipher BF-CBC
comp-lzo
tun-mtu 1400
fragment 0
mssfix 0
```