86u openVpn server speeds not 200 Mbit

[RAJ]

Im trying to max out my VPN speed from office to home. I read the 86u can do 200 Mbit but I seem to be hitting a 100-110 Mbit wall.
Maybe I need to see someone elses configs for tuning.
The connection speeds
- Work 1000/1000 Fiber
- Home 500/30 xfninity/comcast

I run Turnkey VPN on the office Hyper V as a VM and it can send around 12MB/sec (96 Megabits) Test over SMB shares and iperf3 and fastcopy roughly 100Mbit

So when I read the Asus 86u can do 200Mbit (25MB/sec) that would increase my VPN sends to home from 12MB/sec to 25MB/sec or double it.

But sadly its not doing any better than my openVPN VM both around 100Mbits +-.

Now for comparison I can send home at 60MB/sec (500Mbits) from a VM that is a owncloud server (https) it just flys.
I can FTP home around 40MB/sec (320Mbit)
But VPN seems to be at a 100Mbit wall even with the 86u.

For some reason when I connect to the 86u open vpn does not list the connection cypher like it does when i connect to my Turnkey open vpn. ie. 128bit GCM.
so am not 100 percent sure if its really connecting at 128 bit maybe its 256 the log does not say.

Here is my client file and I have the asus VPN server pretty much on default tun settings. Anyone know of a tweak I can do or even a reason why I cant get much better than 100Mbit? I think maybe people that are getting 200Mbit are using a providers VPN and not using the asus as the VPN server, not sure. Maybe its all it can do.

# Config generated by Asuswrt-Merlin 386.3, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp
resolv-retry infinite
nobind
float
auth SHA1
auth-nocache
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-128-GCM
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----

My log when I connect does not list the ciphers, is there an option to turn this on?

Here is what my Turnkey connection log has but connecting to the asus 86u no such entry is there.

Wed Sep 01 01:54:47 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Sep 01 01:54:47 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 01 01:54:47 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

 

[elorimer]

I run Turnkey VPN on the office Hyper V as a VM and it can send around 12MB/sec (96 Megabits) Test over SMB shares and iperf3 and fastcopy roughly 100Mbit

Isn't this where your limit is? Your openvpn server is CPU limited?

 

[Adooni]

AC86U OpenVPN is about 200Mbit in theoretical situation - router is not doing anything more. For example QoS need to be disable, AiProtection etc.

Do you have only OpenVPN enabled?

 

[RAJ]

Isn't this where your limit is? Your openvpn server is CPU limited?

Both the Server using a xeon cpu single thread. And not sure if its cpu limited or where the bottle neck is. Encryption does slow it down.
The 86u is said to be able to hit 200Mbits but its no faster than the Turnkey VPN.
I can send to google drive at 500-600Mbit and to home FTP and owncloud at 500-600 Mbit. I realize there is some overhead with vpn was hoping I could get 150-200Mbit using the 86u. Not saying I can' yet. Not sure where the limiting factor is.

 

[RAJ]

AC86U OpenVPN is about 200Mbit in theoretical situation - router is not doing anything more. For example QoS need to be disable, AiProtection etc.

Do you have only OpenVPN enabled?

Yes I don't use any of that.
It might be they never used it like I am. Most seem to pay a provider and rather than using the providers windows app (like I do for torgaurd) they use the router.
I'm not doing that, I'm just using the router as a VPN server and connecting from Office to Home or vice versa.

100Mbit is good. My old 66u only did 15-20 Mbit vpn speed.
If I want to send fast to home I just put a file on my own cloud VM at the office and get 500Mbit sends. So 200Mbit with the 86u seemed not out of the question.

 

[miniterror]

I have slow speeds over VPN too when using it as client on my AX-86U, i have never seen a reall solution but during my google i did found a Reddit where someone stated Asus routers only utilize 1 core of the cpu for VPN.
Not sure if that is true but if so then the CPU of the Asus might be the bottleneck for encryption towards WAN.

 

[eibgrad]

To be honest, 100Mbps does seem on the low side for that router. Then again, I don't know if those claiming 200Mbps (or better) were only measuring wrt the OpenVPN client and download performance (that's certainly the more common need and concern). What you're measuring is the OpenVPN server and upload performance. I don't know if those two scenarios are necessarily symmetric.

One thing I do know based on years of experience; you can futz with all those OpenVPN directives till doomsday and it's highly unlikely to make a difference. These VPNs are highly demanding, and what ultimately matters is the raw horsepower the hardware can deliver. That's why a desktop platform like Window or Linux will always blow away your typical consumer-grade router.

 

[Tech9]

Firmware base 386 lowered AC86U VPN performance to about 170Mbps. On 384 firmware I could see up to 260Mbps. I have NordVPN account to test with. Tests were made to same local server with the same standard configuration file. NordVPN servers are quite fast - 350Mbps on my x86 firewall.

 

[RMerlin]

Test both TCP and UDP. One of these two seems to suffer from a performance issue with newer firmware releases, unsure why.

 

[doczenith1]

Firmware base 386 lowered AC86U VPN performance to about 170Mbps. On 384 firmware I could see up to 260Mbps. I have NordVPN account to test with. Tests were made to same local server with the same standard configuration file. NordVPN servers are quite fast - 350Mbps on my x86 firewall.

I concur. I was/am getting similar results with PIA.

 

[Tech9]

My tests were UDP only. TCP slows it down to about 100-120Mbps, don't remember exactly. I haven't tested newer Asuswrt firmware. It was months ago. I have one AC86U on current Asuswrt RC3-1 beta, but I don't have the time to tests now. Disappointed by Asus marketing once again - AC86U is a HND router, but doesn't receive AX only features. The hardware is capable of running both Multiple VPN and WireGuard. GT-AC2900 has VPN fusion for years.

 

[RAJ]

To be honest, 100Mbps does seem on the low side for that router. Then again, I don't know if those claiming 200Mbps (or better) were only measuring wrt the OpenVPN client and download performance (that's certainly the more common need and concern). What you're measuring is the OpenVPN server and upload performance. I don't know if those two scenarios are necessarily symmetric.

One thing I do know based on years of experience; you can futz with all those OpenVPN directives till doomsday and it's highly unlikely to make a difference. These VPNs are highly demanding, and what ultimately matters is the raw horsepower the hardware can deliver. That's why a desktop platform like Window or Linux will always blow away your typical consumer-grade router.

Agree none of them are using VPN in the way I am. Using Torgaurd would do me no good even if I got 200Mbit. I'm thinking maybe 100Mbit is all it can do in my situation which seems to be rare.

For Torgaurd I just use a simple windows app, don't see the point of involving the router at all.

For anyone that has a 86u at home. Set it up as a VPN server so you can connect to it from some place outside of your home. Connect to it from say a place that has gigabit send speeds. Try to send a Zipped file to home and see what rate you get. If you get 25MB/Sec then you are getting 200Mbit. Don't include compression tricks etc. Sending a uncompressed file for a real world test.

I'm sending backups through it and trying to squeek out the most speed. So far the winner over in encrypted channel is Owncloud using https and I am not sure owncloud https is as secure as Open Vpn. Its using only a single core on a HV VM. But its blazing fast at sending home.

Owncloud server only have space for 30GB files without rebuilding the entire server. I'm sending files over 100Gb in size at times. Also it adds an extra step going from work DAS to owncloud then owncloud to home. Using open vpn its one step from the DAS storage to home.

I think Open Vpn is the bottleneck it has always used 1 core on anything. So it does not matter if you have quad core router or computer they will just sit idle doing zero.

Im using open Vpn to Open Vpn not torgaurd VPN (or other commercial propitiatory vpn) which might be more efficient than open vpn.

 

[RoutNew36]

Please allow to hijack this thread for a short question.
I'm using a RT AC-5300. I have just ~50Mbit download, even if the line is capable of 100Mbit.
Disable OpenVPN increases download to full speed. Is the RT AC-5300 that slow ? Or is it more the VPN provider I'm using (AirVpn)

Tried it with an older 374 version and with 386.2.6. The newest 386.3.2 has some weird issue with VPN. (Was marked as connected but doesn't used it)

 

[L&LD]

Yes, that old model RT-AC5300 is that slow.

To see an appreciable difference, the RT-AC86U, RT-AX88U, and the RT-AX86U (latter, highly preferred) will give up to 5 times the VPN performance with their AES-NI enabled SoC/CPU's.

 

[SoFluffy]

Before recently upgrading to the RT-AX86U, I used my RT-AC86U as an OpenVPN server on 1Gbps fiber. I could consistently measure ~174mbps using iperf3. (My new AX86U got past 174mbps to the limit of my remote connection at 200mbps. Haven't been anywhere with fast enough internet to test the actual upper limits.)

Edit: Started thinking about it more - Did you stumble upon the Flow Control settings yet? Search in the forums for better explanations, but you should perhaps experiment with that. Try some tests with it enabled, and some with disabled, then see if that makes a difference. (Also test your non-VPN speeds after making that change as it could slow down regular traffic.)

fc disable
fc enable

 

[houmi]

VPN Speeds are definitely slower on latest fw. I had not tested router vpn speed until recently.

With tweaks I can get it to 100Mbps (Nord or Express), I used to be able to get around 180-190 before.

 

[houmi]

I have slow speeds over VPN too when using it as client on my AX-86U, i have never seen a reall solution but during my google i did found a Reddit where someone stated Asus routers only utilize 1 core of the cpu for VPN.
Not sure if that is true but if so then the CPU of the Asus might be the bottleneck for encryption towards WAN.

afaik, I think openvpn is single threaded...

 

[houmi]

Test both TCP and UDP. One of these two seems to suffer from a performance issue with newer firmware releases, unsure why.

I noticed the regression on udp, tcp is considerably slower (nord or express)

 

[Ice9]

My tests were UDP only. TCP slows it down to about 100-120Mbps, don't remember exactly. I haven't tested newer Asuswrt firmware. It was months ago. I have one AC86U on current Asuswrt RC3-1 beta, but I don't have the time to tests now. Disappointed by Asus marketing once again - AC86U is a HND router, but doesn't receive AX only features. The hardware is capable of running both Multiple VPN and WireGuard. GT-AC2900 has VPN fusion for years.

I just had a look at VPN fusion. Looks like a nice feature. How come they don't allow the RT-AC86U to use it if the hardware is the same as the GT-AC2900? It something similar supported in the Merlin releases of the firmware, I've never used Merlin on my AC86U (when it was working).

 

[RMerlin]

How come they don't allow the RT-AC86U to use it if the hardware is the same as the GT-AC2900?

It was a marketing decision at the time to limit it to their ROG models.

VPN Fusion is getting replaced by a new VPN client interface with their next major firmware update, which should be supported by non-ROG models as well.