Asus Router, Rmerlin Firmware and OpenVPN options for best performance

[L&LD]

http://www.snbforums.com/threads/my-openvpn-configuration.13917/

The above thread got me interested in trying to optimize some settings for a customer in their OpenVPN configuration (RT-AC68U as an OpenVPN client to an RT-AC66U as an OpenVPN server) to get the fastest performance over the VPN connection.

They are using RDP to connect to the RT-AC66U's attached computers and in this type of use, it is fast (enough).

But they are also using SMB (\\192.168.1.154) to share files and doing this, the maximum file copy (either way) seems to be capped at 355KB/s. The ISP speeds on both ends are 25d/5u Mbps and can peak at 30d/8u Mbps on a good day.

I have already told them that they really should upgrade the RT-AC66U to at least an RT-AC68U. Better yet, upgrade both routers to the higher clocked processor models available (RT-AC1900P, RT-AC3100, RT-AC5300, RT-AC88U).

Is there any specific settings for the Digest Auth, Encryption Cipher and Compression settings that will still have them secure but give them a little extra speed?

Is it worth to play with the 'tun-mtu xxxx' setting to optimize the MTU of the VPN? Where would this setting be applied in the gui today? Do both the server and the client need it specified (and then both routers rebooted) for it to take effect? Or, will simply turning the server and client on and off be enough to test different configurations?

Looking forward to a discussion of these parameters and how they will affect the performance.

 

[sfx2000]

Is there any specific settings for the Digest Auth, Encryption Cipher and Compression settings that will still have them secure but give them a little extra speed?

Is it worth to play with the 'tun-mtu xxxx' setting to optimize the MTU of the VPN? Where would this setting be applied in the gui today? Do both the server and the client need it specified (and then both routers rebooted) for it to take effect? Or, will simply turning the server and client on and off be enough to test different configurations?

Always fair to ask about tuning - but never sacrifice speed/access for security...

 

[L&LD]

sfx2000, agreed. Security first, performance second.

 

[RMerlin]

AES-128-CBC and a SHA1 digest is fine for regular uses. I wouldn't move to AES-256-CBC and SHA256 unless I was carrying highly sensitive data, or feared being targeted by a state entity.

I would keep compression disabled, because of the weak CPU, and also because a lot of the data we use these days is already compressed anyway.

 

[L&LD]

RMerlin,

I guess I was too cautious then.

I have already set them up with the following settings:

• Auth Digest - SHA256
• Encryption Cipher - AES-256-CBC
• Compression - Disabled

I will try with the settings you suggest and see if they make a usable improvement for them.

Would you have any tips on the tun-mtu settings to use? I currently have it set to 'tun-mtu 1428' but honestly don't see any difference with it enabled or not.

Btw, the WAN MTU is set to 1500. Any reason to adjust that? Any reasonable way to tune it?

 

[maurer]

for my openvpn tcp 443 accessed over proxy (mandatory corp internet access these days) i got better results (about +20%) using on both server and client:

mssfix 1440
tun-mtu 64800

 

[sfx2000]

AES-128-CBC and a SHA1 digest is fine for regular uses. I wouldn't move to AES-256-CBC and SHA256 unless I was carrying highly sensitive data, or feared being targeted by a state entity.

I would keep compression disabled, because of the weak CPU, and also because a lot of the data we use these days is already compressed anyway.

Quite a few options - RMerlin's is very good - also consider maybe using UDP as the tunnel transport, less overhead and more flexibility with the MTU's...

 

[L&LD]

for my openvpn tcp 443 accessed over proxy (mandatory corp internet access these days) i got better results (about +20%) using on both server and client:

mssfix 1440
tun-mtu 64800

Is this code running on router or on a computer? It seems like a very large MTU value?

I (just now) found that there is a 'mtu-disc' option that finds the optimum MTU automatically.

Also, disabling 'comp-lzo' is the same as disabling compression, correct?

Oh, so many options and settings to test (and not enough time to do it).

Thanks for the suggestions so far.

 

[L&LD]

Quite a few options - RMerlin's is very good - also consider maybe using UDP as the tunnel transport, less overhead and more flexibility with the MTU's...

The tunnel transport is set to UDP. Does that mean a setting of 'tun-mtu 64800' makes sense then?

 

[sfx2000]

The tunnel transport is set to UDP. Does that mean a setting of 'tun-mtu 64800' makes sense then?

Yes it does

 

[sfx2000]

BTW - if you're on a lossy link like 3G/4G (or satellite), then UDP with a large MTU can hurt... all depends on the use-case...

 

[L&LD]

BTW - if you're on a lossy link like 3G/4G (or satellite), then UDP with a large MTU can hurt... all depends on the use-case...

Thank you. This customer is using DSL on one end and a cable provider on the other.

 

[maurer]

if you intend to use
tun-mtu 64800
on UDP i suggest to add:

fragment 1400
mssfix

you can check description on
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

 

[RMerlin]

RMerlin,

I guess I was too cautious then.

I have already set them up with the following settings:

• Auth Digest - SHA256
• Encryption Cipher - AES-256-CBC
• Compression - Disabled

I will try with the settings you suggest and see if they make a usable improvement for them.

Would you have any tips on the tun-mtu settings to use? I currently have it set to 'tun-mtu 1428' but honestly don't see any difference with it enabled or not.

Btw, the WAN MTU is set to 1500. Any reason to adjust that? Any reasonable way to tune it?

SHA256 might be a good idea as SHA1 is now considered to be a tad weak, however some people mentionned a fairly measurable performance impact from it. You'll have to test it to compare. I suspect that the CPU overhead on the ARM platform might not be a problem if your Internet connection is already the bottleneck.

Security-wise, I'd say that one important thing (but often overlooked) is to ensure you use TLS 1.2, in lights of the TLS 1.0 issues of recent years.

Jul 14 17:16:00 openvpn[1149]: 107.1.1.1:57033 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA

I never fiddle with MTUs, as it's most of the time a tedious process to finetune things out, and default values are typically fine. The ideal MTU will vary based on other factors, such as whether your Internet connection is ATM-based (i.e. DSL) or not. ATM carries an overhead.

 

[sfx2000]

I never fiddle with MTUs, as it's most of the time a tedious process to finetune things out, and default values are typically fine. The ideal MTU will vary based on other factors, such as whether your Internet connection is ATM-based (i.e. DSL) or not. ATM carries an overhead.

Tuning there can help - but it's a lot of testing across different applications... which might be worthwhile or not - depends on the use case and interfaces...

 

[peraburek]

what would be highest possible encryption/security with current version of Merlin FW ?

here is my idea

Auth Digest - SHA512
Encryption Cipher - AES-256-CBC

Diffie-Hellman-Parameter

openssl dhparam -out dh4096.pem 4096

don't run this on your router, it will take really REALLY long, you can use your linux machine to generate key

both Server and Client:

cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
***your key goes here***
-----END OpenVPN Static key V1-----
</tls-auth>

Server-Config:
Extra HMAC authorization: Incoming (0)

remote-cert-tls client

Client-Config:
Extra HMAC authorization: Outgoing (1)

remote-cert-tls server
verify-x509-name <common-name vpn server> name

 

[szimat]

Hi,

I just got my Dark Knight (RT-N66U), replacing a TP-Link WR1043ND v1). I immediately upgraded to Merlin's firmware (thanks very much for your work @RMerlin).

I like this router a lot. Anyway, I jump into this conversation regarding the OpenVPN server. I had it configured on my previous router, but here it is even lot more easier (then on DD-WRT, not that there was hard).

I struggle with the usual security & performance question. I use OpenVPN to connect to my home network rarely, most of the time to stream video, music, etc. And from phone or laptop on unsecure wifi.

Here are my current settings:

I guess it is a quite common setting for RT-N66U. I do have some questions (of course):

1) The guide here uses stronger keys. Reading many comments on the forum here (and elsewhere) I still understand that SHA1 and AES-128-CBC with Extra HMAC is completely secure for not so important stuff (when security is not absolute top priority). Correct me if I'm wrong, but SHA1 + AES128-CBC + E-HMAC is still very very hard to crack, decrypt (and E-HMAC should prevent MitM too). Perhaps NSA can do it, but it is hard to find someone who is actually capable and it is still a very exhausting task. Of course, I could use stronger keys, but that would cost me a lot of performance because of the router's hw.
What do you think?

2) The keys were created by the router. Should I perhaps create a 2048-bit CA key instead of the 1024-bit? Does it help anything? And a 2048-bit DH key for E-HMAC instead of the 1024-bit used now?

3) E-HMAC: what is the best option: bi-directional or incoming 1/0?

4) I added the tls-version-min 1.2 line to Custom Configuration. Do I need to add anything else, like:
tls-cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA

5) I'm a little confused now regarding the Perfect Forward Secrecy. Isn't the exactly what E-HMAC is? Or this should be added separately?

My client.ovpn file looks like this:

client
dev tun
proto udp
remote ddns.address 1194
float
cipher AES-128-CBC
auth SHA1
keepalive 15 60
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
resolv-retry infinite
nobind

 

[HairyA00]

Thank you. This customer is using DSL on one end and a cable provider on the other.

Not to resurrect an old thread (and I can open a new one if preferable), but what were your findings? No matter where I connect to the RT-AC86U, be it five or 1000 miles away, my download speeds are limited to 5mbps. My network is around 200mpbs when on the LAN.

I've done no tinkering; these are the default settings for me.

Any way I can speed this up? I use it primarily for connecting full tunnel to home for ad-blocking and safety when on someone else's WiFi network. I have RT-AC86Us that I maintain all over the place, and 5mbps is more than enough speed for managing and maintaining the networks, but it's brutally slow when using full tunnel all day long.




EDIT: I stumbled upon this: https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/

The only change I see is going from Compression Disabled > LZ4. Not sure how much of a difference that'll make.

 

[ironclad]

If it's just for personal use and you don't mind using WIP software check out Wireguard:
https://www.snbforums.com/threads/experimental-wireguard-for-rt-ac86u-ax88u.46164/

 

[Adamm]

Not to resurrect an old thread (and I can open a new one if preferable), but what were your findings? No matter where I connect to the RT-AC86U, be it five or 1000 miles away, my download speeds are limited to 5mbps. My network is around 200mpbs when on the LAN.

Is your home upload speed also 200Mbps?