The following note explains how to deploy a high-performance VPN using WireGuard on VPP with DPDK. This lets lab members connect to computation servers from anywhere on the campus network with minimal overhead.<\/p>\n\n\n\n\n\n\n\n
While SoftEther VPN with a local-bridge to the NIC offers ~90 MB\/s for a single user on a 1 Gbps network, but drop quickly to 1MB\/s with increasing clients, it cannot leverage DPDK or SR-IOV. To scale beyond a few clients, we upgrade to an Intel E810 NIC and running VPP in user space. DPDK bypasses the kernel\u2019s network stack, enabling zero-copy packet forwarding:<\/p>\n\n\n\n
eth0 (out) <--> VPP (WireGuard + DPDK) <--> eth1 (in)<\/code><\/pre><\/p>\n\nNetwork topology:<\/p>\n
VPN Client (10.100.1.x)\n \u2502\n \u2502 WireGuard tunnel\n \u2502\nVPN Server\n wg0: 10.100.1.1\/24 \u2190 VPN subnet\n dpdk1: 10.10.2.10\/24 \u2190 Internal servers\n dpdk0: <Internet IP> \u2190 Public internet\n \u2502\n \u251c\u2500\u2500 Servers (10.10.2.0\/24)\n \u2514\u2500\u2500 Internet<\/code><\/pre><\/p>\n\nClients on 10.100.1.0\/24 connect through wg0. Internal servers on 10.10.2.0\/24 connect via dpdk1. The VPN server also acts as the NAT gateway for both subnets.<\/p>\n\n
Example VPP configuration:<\/p>\n
# 1) Interface configuration\nset interface ip address dpdk0 dhcp client # Public internet\nset interface ip address dpdk1 10.10.2.10\/24 # Internal server subnet\nset interface state dpdk0 up\nset interface state dpdk1 up\n\n# 2) WireGuard setup\nwireguard create listen-port 51820 private-key <server-private-key>\nset interface ip address wg0 10.100.1.1\/24\nset interface state wg0 up\n\n# 3) Peer configuration\nwireguard peer add wg0 \\\n public-key <client-public-key> \\\n allowed-ip 10.100.1.2\/32 \\\n persistent-keepalive 25\n\n# 4) Routing\nip route add 0.0.0.0\/0 via <internet-gw> dpdk0\nip route add 10.100.1.0\/24 via wg0\n\n# 5) Enable NAT (NAT44) for internet access\nnat44 plugin enable sessions 65535\nnat44 add interface address dpdk0 # SNAT on public interface\nset interface nat44 out dpdk0\nset interface nat44 in dpdk1 # DNAT\/MASQUERADE for internal\nset interface nat44 in wg0 # DNAT\/MASQUERADE for VPN<\/code><\/pre>\n<\/p>\n\n\n\nOf course, on the servers of 10.10.2.0\/24, # ip route add 10.100.1.0\/24 via 10.10.2.10<\/code> should be added for “seeing” the vpn clients, 10.10.100.0\/24.<\/p>\n\n\n\nAnd the client side:<\/p>\n\n\n\n
[Interface]\nPrivateKey = Client-Private-Key\nAddress = 10.100.1.2\/24\nDNS = 8.8.8.8\n\n[Peer]\nPublicKey = Server-public-key\nEndpoint = [Server IPV4\/6]:51820\nAllowedIPs = 0.0.0.0\/0, ::\/0\nPersistentKeepalive = 25<\/code><\/pre><\/p>\n\n\n\nHere’s the results of the configuration:<\/p>\n\n\n\nTraffic Path<\/th> NAT Applied?<\/th> Explanation<\/th> Meets Requirements?<\/th><\/tr><\/thead> VPN Clients \u2194 Internal Servers<\/td> \u274c No<\/td> Traffic between two “inside” interfaces has no NAT.<\/td> \u2705 Yes<\/td><\/tr> VPN Clients \u2192 Internet (External Network)<\/td> \u2705 Yes<\/td> Traffic from an “inside” to an “outside” interface undergoes NAT.<\/td> \u2705 Yes<\/td><\/tr> Internal Servers \u2192 Internet (External Network)<\/td> \u2705 Yes<\/td> Traffic from an “inside” to an “outside” interface undergoes NAT.<\/td> \u2705 Yes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nOptimization<\/strong><\/p>\n\n\n\nIf desktop CPUs are used, here are some optimization principles:<\/p>\n\n\n\n
\n- Maximize Single-Core Performance<\/strong>: Assign dedicated CPU cores explicitly to DPDK\/VPP tasks to minimize context switching overhead.<\/li>\n\n\n\n
- NUMA Node Optimization<\/strong>: Desktop CPUs typically have a single NUMA node; ensure DPDK memory allocation is configured accordingly.<\/li>\n\n\n\n
- CPU Isolation and Affinity<\/strong>: Explicitly isolate and bind VPP and DPDK threads to specific CPU cores.<\/li>\n\n\n\n
- Disable Power-Saving Features<\/strong>: Ensure CPU frequency stability by disabling dynamic frequency scaling and CPU power-saving modes.<\/li>\n<\/ul>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
The following note explains how to deploy a high-performance VPN using WireGuard on VPP with DPDK. This lets lab members connect to computation servers from anywhere on the campus network with minimal overhead.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,9],"tags":[32,33],"class_list":["post-399","post","type-post","status-publish","format-standard","hentry","category-misc","category-notes","tag-network","tag-vpn"],"_links":{"self":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts\/399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/comments?post=399"}],"version-history":[{"count":14,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts\/399\/revisions"}],"predecessor-version":[{"id":415,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/posts\/399\/revisions\/415"}],"wp:attachment":[{"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/media?parent=399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/categories?post=399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shirui.me\/blog\/wp-json\/wp\/v2\/tags?post=399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}