PIA AES-256-CBC with OpenVPN is out but not working on Asus routers

[L&LD]

Is there anyway that you can at least look at it and see if you can reverse the VPN traffic like with the CPU scenario so at least all the VPN traffic would go to Download?
at least that would work because the way it is now, being backwards there is no way you can turn on the QOS it just wont work properly when VPN traffic starts.
Please try
thanks

I think, you ask too much.

 

[RMerlin]

Is there anyway that you can at least look at it and see if you can reverse the VPN traffic like with the CPU scenario so at least all the VPN traffic would go to Download?
at least that would work because the way it is now, being backwards there is no way you can turn on the QOS it just wont work properly when VPN traffic starts.
Please try
thanks

As I said, I don't have the expertise to look at it. That's something that Asus will have to fix themselves. They have a whole team of paid engineers for that.

The CPU affinity was on me since it's entirely my own code.

 

[yorgi]

As I said, I don't have the expertise to look at it. That's something that Asus will have to fix themselves. They have a whole team of paid engineers for that..

I totally understand. The only reason I said that is because with the original firmware when you use the VPN it doesn't do that so why would ASUS try to fix something that is only wrong because of the VPN code that was added by you?
Besides if you are swift enough to fix bugs that their entire team of engineers can't, Don't you think that this maybe something interesting to fix?
So I thought maybe when you added the code for the VPN maybe it got reversed like with the CPU.
But in my opinion a QOS is really important and if its just a thing as reversing a command line, then is it worth looking at?

sorry if I upset you, i love your work. I bought this router because of you.

 

[yorgi]

I think, you ask too much.

I bought this router because of the Merlin Firmware
and there is nothing wrong my question.
I have had routers that where way inferior and the QOS worked great.
What is wrong with my request? Isn't this a custom firmware? Why does Merlin fix and add features? because people want them right? If the QOS worked right then this router would be the ultimate router.
at this point its a great router. everything works really nice, except when I download with the VPN and my wife
wants to watch something on her iPad and she is using Local ISP she gets crappy bandwith and her movie stops and starts because the QOS looks at the VPN traffic as upload therefore gives it full bandwidth to the VPN.

Besides the original firmware doesn't do that. and since this is a custom firmware what is wrong with my request?
whats the use if the 87u for 300 dollar can't route traffic properly and squirms.

I see people ask for things that are completely of the wall and Merlin answers them.
and I make a request that is very important to any router and say I AM ASKING FOR TO MUCH?
A QOS IS THE HEART OF ANY ROUTER!!
It's what dictates who gets priority or not.

If you don't find that to be a problem or something that you should be concerned with
then keep your comments to yourself and go to a forum about Barby Dolls or something.
You don't deserve to have a router
Seriously!

 

[L&LD]

I bought this router because of the Merlin Firmware
and there is nothing wrong my question.
I have had routers that where way inferior and the QOS worked great.
What is wrong with my request? Isn't this a custom firmware? Why does Merlin fix and add features? because people want them right? If the QOS worked right then this router would be the ultimate router.
at this point its a great router. everything works really nice, except when I download with the VPN and my wife
wants to watch something on her iPad and she is using Local ISP she gets crappy bandwith and her movie stops and starts because the QOS looks at the VPN traffic as upload therefore gives it full bandwidth to the VPN.

Besides the original firmware doesn't do that. and since this is a custom firmware what is wrong with my request?
whats the use if the 87u for 300 dollar can't route traffic properly and squirms.

I see people ask for things that are completely of the wall and Merlin answers them.
and I make a request that is very important to any router and say I AM ASKING FOR TO MUCH?
A QOS IS THE HEART OF ANY ROUTER!!
It's what dictates who gets priority or not.

If you don't find that to be a problem or something that you should be concerned with
then keep your comments to yourself and go to a forum about Barby Dolls or something.
You don't deserve to have a router
Seriously!

You are much too immature to reply in depth too.

But this is what is wrong with your request, besides already having been answered twice by RMerlin already.

http://www.snbforums.com/threads/greetings-from-backstage.29772/

http://www.snbforums.com/threads/greetings-from-backstage.29772/page-4#post-237778

 

[RMerlin]

I totally understand. The only reason I said that is because with the original firmware when you use the VPN it doesn't do that so why would ASUS try to fix something that is only wrong because of the VPN code that was added by you?
Besides if you are swift enough to fix bugs that their entire team of engineers can't, Don't you think that this maybe something interesting to fix?
So I thought maybe when you added the code for the VPN maybe it got reversed like with the CPU.
But in my opinion a QOS is really important and if its just a thing as reversing a command line, then is it worth looking at?

sorry if I upset you, i love your work. I bought this router because of you.

The VPN code as a whole is the same in Asus's firmware, there are only very minor differences such as (specifically) the CPU affinity code.

It all comes down to how that interacts with the Linux tc architecture, which isn't in my areas of expertise. Not gonna devote multiple hours just learning how tc works, then more hours in understanding how it's implemented in Asuswrt. That would all be before I can even start to TRY to debug the code itself.

So as a general rule, I never touch the QoS code itself. Asus has a single engineer devoted ONLY to dealing with that code. It's something that's quite specialized.

 

[kvic]

Asus has a single engineer devoted ONLY to dealing with that code. It's something that's quite specialized.

Seems Asus is really resourceful..

One thing I don't understand is why Asus accepts TrendMicro and Tuxera stuff as prebuilt *.ko modules. It would be better off for Asus and e.g. the community here if both firms follow the "best practice" of broadcom shipping their CTF as prebuilt *.o. Then TrendMicro and Tuxera will then be far more flexible to slightly changed kernels due to re-compilation.

Is it what Asus wants or they can't get better deals from TrendMicro and Tuxera? Perhaps you can help to convey this message to your contacts in Asus..

(sorry off topic..)

 

[yorgi]

The VPN code as a whole is the same in Asus's firmware, there are only very minor differences such as (specifically) the CPU affinity code.

It all comes down to how that interacts with the Linux tc architecture, which isn't in my areas of expertise. Not gonna devote multiple hours just learning how tc works, then more hours in understanding how it's implemented in Asuswrt. That would all be before I can even start to TRY to debug the code itself.

So as a general rule, I never touch the QoS code itself. Asus has a single engineer devoted ONLY to dealing with that code. It's something that's quite specialized.

I owe you an apology
I re flashed to ASUS firmware and did the same test and you are right, the download VPN traffic shows up as an Upload. It is an ASUS bug and I agree with you that you shouldn't fix their mistakes.
I honestly thought it was the VPN section that you added and reversed something by mistake
I am no engineer I just jumped the gun. I assumed, my bad.

What I really don't get is why hasn't anyone else said anything?
I haven't read any threads where people talk about this problem. I am sure at this point that this issue must be there from the beginning.
I don't get their engineers, how can they put out a product that has a flaw like that?

Once again my apologies.
Respect

 

[RMerlin]

One thing I don't understand is why Asus accepts TrendMicro and Tuxera stuff as prebuilt *.ko modules. It would be better off for Asus and e.g. the community here if both firms follow the "best practice" of broadcom shipping their CTF as prebuilt *.o. Then TrendMicro and Tuxera will then be far more flexible to slightly changed kernels due to re-compilation.

Is it what Asus wants or they can't get better deals from TrendMicro and Tuxera? Perhaps you can help to convey this message to your contacts in Asus..

Asus ain't the only customers of these two products. It's how these deal with all of their other customers I assume. No idea why however, nor if it would make any sizable difference if they were provided with objects instead of modules. I assume it's so they don't need to also provide support for whichever firmware build environment the end customer uses. They build it using the customer's provided kernel, and give the customer a .ko file, telling him he just needs to copy it to the kernel module location.

 

[Rango]

Hi guys. Just wanted to share. I just finished stetting up pfsense router/firewall on virtual box using my desktop pc hardware 4.1Ghz cpu clock, 12GB of ram that kills every router in processing power (encryption wise). I was slightly disappointing in not getting close to my comcast isp speeds. Let me tell you. I'm getting 80Mbps on AES-128. I also love the logs in pfsense. Verb 5, much more detailed and you know what is going on on your vpn connection. Honestly this is the way to go. I turned my 87u router into access point. The only thing one needs is to have 2 Nic cards. I had spare 100 mbps nic from old so using that. I freaking love this setup. NAT rules are kinda tricky but did this on first try. Anyway if anyone wants to do this here is guide. There is also utility that turns virtual machine into service in windows service. My pc runs all the time so i just disabled sleep mode, put fans on silent and enabled monitors to sleep at 15 min. Boom. From what i've read torrents require huge amount of ram for some space swaps and they delete each other connections once router 256mb of physical ram is filled. With virtual box you can assign as much RAM as one physically has, in my case 12GB but for now i'm running 2GB. This thing is sick!

https://forum.pfsense.org/index.php?topic=76015.0

Quick question. How do i turn 87u router LAN ports into switch as they are not working in AP mode. Turn it into bridge?

 

[L&LD]

Hi guys. Just wanted to share. I just finished stetting up pfsense router/firewall on virtual box using my desktop pc hardware 4.1Ghz cpu clock, 12GB of ram that kills every router in processing power (encryption wise). I was slightly disappointing in not getting close to my comcast isp speeds. Let me tell you. I'm getting 80Mbps on AES-128. I also love the logs in pfsense. Verb 5, much more detailed and you know what is going on on your vpn connection. Honestly this is the way to go. I turned my 87u router into access point. The only thing one needs is to have 2 Nic cards. I had spare 100 mbps nic from old so using that. I freaking love this setup. NAT rules are kinda tricky but did this on first try. Anyway if anyone wants to do this here is guide. There is also utility that turns virtual machine into service in windows service. My pc runs all the time so i just disabled sleep mode, put fans on silent and enabled monitors to sleep at 15 min. Boom. From what i've read torrents require huge amount of ram for some space swaps and they delete each other connections once router 256mb of physical ram is filled. With virtual box you can assign as much RAM as one physically has, in my case 12GB but for now i'm running 2GB. This thing is sick!

https://forum.pfsense.org/index.php?topic=76015.0

Quick question. How do i turn 87u router LAN ports into switch as they are not working in AP mode. Turn it into bridge?

With the 80Mbps cap on AES-128, your choice of LAN port (10/100) maybe limiting you? I've seen post where a normal (Asus) router can do that?

 

[Rango]

With the 80Mbps cap on AES-128, your choice of LAN port (10/100) maybe limiting you? I've seen post where a normal (Asus) router can do that?

On Lan 100Mbps would be but my ISP speed is 90/12 so limitation here is ISP speed. 91Mbps was my peak. During heavy usage hours i get 85-75Mbps so getting similar speeds on vpn is just 5-10% less due to encrypting and when congested then less then that. I will eventually change it to 1gb but my Wan/encrypt decrypt card is 1GB so only lan ethernet is 100mbps. My 5ghz is still 1Gb which is what i use anyway. Limitation here is still cpu encrypt/decrypt and comcast isp traffic, but i'm perfectly happy with those result.

I'm esentially utilizing my 4core 4.1Ghz pc decrypt and unlimted ram for torrents connections. On top openvpn connections seems more stable and provides better logs. I mean i'm liking this a lot. I will get the service implemented too but for today it's enought. Add on packages is another sweet deal like adblocking on wan etc. This thing is a power house. So much to learn but it was easy to setup actually.

 

[L&LD]

On Lan 100Mbps would be but my ISP speed is 90/12 so limitation here is ISP speed. 91Mbps was my peak. During heavy usage hours i get 85-75Mbps so getting similar speeds on vpn is just 5-10% less due to encrypting and when congested then less then that. I will eventually change it to 1gb but my Wan/encrypt decrypt card is 1GB so only lan ethernet is 100mbps. My 5ghz is still 1Gb which is what i use anyway. Limitation here is still cpu encrypt/decrypt and comcast isp traffic, but i'm perfectly happy with those result.

I'm esentially utilizing my 4core 4.1Ghz pc decrypt and unlimted ram for torrents connections. On top openvpn connections seems more stable and provides better logs. I mean i'm liking this a lot. I will get the service implemented too but for today it's enought. Add on packages is another sweet deal like adblocking on wan etc. This thing is a power house. So much to learn but it was easy to setup actually.

What router do you have that gives you 1Gbps throughput on 5GHz? None that I know at any reasonable and usable distance.

 

[Rango]

What router do you have that gives you 1Gbps throughput on 5GHz? None that I know at any reasonable and usable distance.

87u and in theory and on lan which i don't use

 

[yorgi]

On Lan 100Mbps would be but my ISP speed is 90/12 so limitation here is ISP speed. 91Mbps was my peak. During heavy usage hours i get 85-75Mbps so getting similar speeds on vpn is just 5-10% less due to encrypting and when congested then less then that. I will eventually change it to 1gb but my Wan/encrypt decrypt card is 1GB so only lan ethernet is 100mbps. My 5ghz is still 1Gb which is what i use anyway. Limitation here is still cpu encrypt/decrypt and comcast isp traffic, but i'm perfectly happy with those result.

I'm esentially utilizing my 4core 4.1Ghz pc decrypt and unlimted ram for torrents connections. On top openvpn connections seems more stable and provides better logs. I mean i'm liking this a lot. I will get the service implemented too but for today it's enought. Add on packages is another sweet deal like adblocking on wan etc. This thing is a power house. So much to learn but it was easy to setup actually.

Does your new setup kill connections to VPN traffic if the tunnel goes down so you don't leak your IP?

 

[yorgi]

Hi guys. Just wanted to share. I just finished stetting up pfsense router/firewall on virtual box using my desktop pc hardware 4.1Ghz cpu clock, 12GB of ram that kills every router in processing power (encryption wise). I was slightly disappointing in not getting close to my comcast isp speeds. Let me tell you. I'm getting 80Mbps on AES-128. I also love the logs in pfsense. Verb 5, much more detailed and you know what is going on on your vpn connection. Honestly this is the way to go. I turned my 87u router into access point. The only thing one needs is to have 2 Nic cards. I had spare 100 mbps nic from old so using that. I freaking love this setup. NAT rules are kinda tricky but did this on first try. Anyway if anyone wants to do this here is guide. There is also utility that turns virtual machine into service in windows service. My pc runs all the time so i just disabled sleep mode, put fans on silent and enabled monitors to sleep at 15 min. Boom. From what i've read torrents require huge amount of ram for some space swaps and they delete each other connections once router 256mb of physical ram is filled. With virtual box you can assign as much RAM as one physically has, in my case 12GB but for now i'm running 2GB. This thing is sick!

https://forum.pfsense.org/index.php?topic=76015.0

Quick question. How do i turn 87u router LAN ports into switch as they are not working in AP mode. Turn it into bridge?

I am confused about this encryption stuff.

When you use openVPN software and are connected to a VPN with a 100mbps connection and do a speed test it goes to 100mbps without a glitch.

when you do a speed test with a router you get half of what you got with openvpn software even overcloked.
From what I see average with a VPN is no more then 50-60 mbps and that is not only on a 87U which has the fastest cpu but same a 68u which has a inferior CPU.
if this was the case the 68U should be slower.

I can't understand how the CPU of the 87u doesn't max out, its like not more then 30% usage but yet the bandwidth is not the same as when you test it on a computer with the openvpn software. Like I said before it never gets faster then 50-60 regardless if you have a 60mbps or 100mbps
I got these results from tests you did and test I did with 2 people I know that use PIA on merlin and one guy had a 60mbps and the other had a 100mbps both using 68u.
Your router should have smoked their results.

From what I see even with this new setup with pfsence you still cant max out your connection. You are still getting 10-15% less speeds. and this is a very fast computer you are using.

My question, does openvpn software use blowfish encryption on port 1194? Because when I make tests with the router using port 1195 with no encryption I get max results like when using openvpn software.

I think openVPN software doesn't use encryption unless you script it in the software. when you do speed test with openvpn software using a computer the speeds go up so fast one would never think there was any encryption happening.


Also I would not trust this AES-128 and 256 on merlin routers because if you use more then one client at the same time it freaks out the router and it leaks DNS not all the time but it happened to me while making tests on at least 4 routers all with merlin latest firmware and i had similar problems with all the routers I tested.

I have been using 1194 with blowfish for over a year now on my router and I never had a DNS leak or any crash like I did when I put AES. I couldn't believe when it happened because even the Firewall that is suppose to stop traffic if the tunnel goes down didn't work so I think it totally freaked out the router. Another thing that happens is when 2 clients are on you will see the IP of the second client instead of the first. very weird voodoo stuff.
I also noted that in the VPN status the client 1 has 0 bytes in TUN/TAP read bytes.
It said it was connected but something weird was happening.

it is very new and not fully tested and on PIA's site they say you need a patch for openvpn software but on our router we have no updated patch.
I would be cautious even with your pfsence. AES is seriously flaky. dont trust it until they put it out on their mainstream stuff. right now they are using people as beta testers hehe.

Please use this AES with caution!!!!!!

If you install PIA software, they have all kinds of encryption and features, but my entire concern is router and openvpn software.
I will make tests with the PIA software and will let you know as they have all the encryption features on their program.

also more comments here

http://www.snbforums.com/threads/as...p-setup-pia-vpn-within-my-router.30421/page-2

Maybe Merlin can clarify this
any ideas why?

 

[Rango]

yorgi sounds to me something is not correctly setup in your client. Btw i'm starting to think that PIA throttles down all vpn connections. My 80mpbs i can no longer touch that anymore. I'm getting now max 50mbps-33, 40mpbs usually on aes128 on pfsense. Throttling would make sense with what you said that 87u never reached beyond 60% of cpu utilization rate, which means it's not computing power what is the limitation here but PIA is even they say they don't. I'm not sure how they achieve 10% less speeds with their app. I'm trying not to go that route. With pfsense the logs is what is the gold in this setup. I'm still tweaking this setup but it looks like my 80mbps is gone with wind already. I achieved that on initial setup but now it's gone. In pfsense you also get full openvpn software control. The other packages like antivirus and adblocking is sweet but i'm not there yet. Unless i scrwed something up pfsense does not look faster then 87u router with PIA. Pia is throttling the connection it appears to me. However i still like the control pfsesne gives. I may try another provider if this continues to underperform but i'm thinking ALL providers will throttle. I was with another vpn provider and never did i go beyond 50mbps on router. Pfsense is enterprise grade router and firewall and with other add on packages it can become reporting tool and other fancy stuff which is pretty sick. If i would want to shell out extra money i would set this up on spare physical box but don't want to spend money and also increase electricity costs when i can do that with my desktop power supply unit anyway. All i have to say it's sweet control and it's powerhouse. It makes router look like dumb box.

 

[RMerlin]

Also I would not trust this AES-128 and 256 on merlin routers because if you use more then one client at the same time it freaks out the router and it leaks DNS not all the time but it happened to me while making tests on at least 4 routers all with merlin latest firmware and i had similar problems with all the routers I tested.

The cipher used has absolutely nothing to do with routing or traffic. It's just a cipher algorithm.

AES is the recommended cipher for OpenVPN.

 

[yorgi]

yorgi sounds to me something is not correctly setup in your client. Btw i'm starting to think that PIA throttles down all vpn connections. My 80mpbs i can no longer touch that anymore. I'm getting now max 50mbps-33, 40mpbs usually on aes128 on pfsense. Throttling would make sense with what you said that 87u never reached beyond 60% of cpu utilization rate, which means it's not computing power what is the limitation here but PIA is even they say they don't. I'm not sure how they achieve 10% less speeds with their app. I'm trying not to go that route. With pfsense the logs is what is the gold in this setup. I'm still tweaking this setup but it looks like my 80mbps is gone with wind already. I achieved that on initial setup but now it's gone. In pfsense you also get full openvpn software control. The other packages like antivirus and adblocking is sweet but i'm not there yet. Unless i scrwed something up pfsense does not look faster then 87u router with PIA. Pia is throttling the connection it appears to me. However i still like the control pfsesne gives. I may try another provider if this continues to underperform but i'm thinking ALL providers will throttle. I was with another vpn provider and never did i go beyond 50mbps on router.

I helped this guy out yesterday in this thread
http://www.snbforums.com/threads/as...se-help-setup-pia-vpn-within-my-router.30421/
he is from Chicago as well.
I team viewed on his pc and i did tests on his 100mbps connection with Comcast
and he couldn't get better then 30mbps. When I put openVPN on his computer it got full bandwidth. I never tried PIA's software have you?
they have all kinds of encryption on there
maybe you should try it with that software and see if you get max speeds.
at least you can try all the encryptions with their software and see if you get throttled from comcast or if the software will give same results.
Sometimes we got 30 other times 10 other times 15
it was never stable so I think the problem is not with PIA its with Comcast
they throttle the bandwidth.
My buddy in California has a 68U and he got almost his full bandwidth and no issues.
Everyone I know in Chicago hates Comcast.
did you try port 1195 auth none without encryption and see what you got?
when I tried his 100mbps without any encryption he got full speeds again.
something fishy is going on here.

 

[Rango]

I would think it's PIA. I can get 91Mbps on comcast. I tried setting up pia with no encryption on 1195 but that didnt work for me. It would be interesting.
When you connect to vpn you essentially are changing your isp, so your isp on pia could be choopa so they are providing you vpn bandwith not comcast, unless i''m not understanding this correctly. I can hit 50Mbps which i never did on router 87u so technically it's still 10mbps faster but that's marginal. I wanted 70-80Mbps on vpn when my isp is 90mbps. I'm missing that already by wide margin.