Asus RT-AC68u NordVPN speed

[paomiao]

Hi,
I have at home a fiber connection 200/20 Mb.
On my IMAC using Nordvpn App I'll reach 150/20 Mb speed losing only 10% of the max speed.
Trying to config Nordvpn on my router Asus RT-AC68u the speed dramatically down to 20/10!
I'll try to overclock the router but the max speed reach only 50/20.
I have read many discussion without a solution of my problem.
Thanks for your attention.
Paomiao

 

[ColinTaylor]

I'll try to overclock the router but the max speed reach only 50/20.
I have read many discussion without a solution of my problem.

There is no "problem". That is the maximum speed the router's VPN is capable of.

https://www.snbforums.com/threads/so-theres-no-vpn-tab-in-ap-mode-then-how-do-i.61496/#post-545255

 

[ironclad]

That's just the short answer. The long answer is these routers use cheap ARM SoCs that don't compute very fast and lack AES acceleration so naturally they have mediocre OpenVPN performance. OpenVPN generally uses AES and its implementations don't tend to have good multi-threading support so now you're limited to VPNing with one core of your slow ARM SoC. If your VPN provider supports it (I can't tell), you can try downgrading the cipher from AES-256-GCM to AES-128-GCM which should result in some speedup. Popular consensus is that 128-bit key sizes are still good enough for AES so use your own judgement if you want to do this.

NordVPN seems to support the Wireguard protocol which uses much faster elliptical curve ciphers. 68U uses an ancient Linux kernel so it doesn't have good WG support. But if somehow manage to get it to work please write about it I'm interested too.

If you're bored and have too much free time you can probably roll your own solution with faster hardware. Or you can upgrade your router to a different model. Newer RT-AC86Us have AES acceleration.

I get about 30-40 mbits both ways on the AC68U, 1200 MHz CPU 800 MHz memory with AES-256-GCM, no compression algorithm. If you're interested in overclocking the router I wrote a post about it here:
https://www.snbforums.com/threads/r...13-is-now-available.57860/page-21#post-510501
It will only set the overclocks on successful reboots. If you run into power loss or software failure the overclock might not set and you'll revert to stock speeds until reboot, this is generally good.

I use the OpenVPN client feature to route mobile devices and to selectively enforce routing on certain sites with hardcoded IP voodoo magic. I think that's the best use case, nobody does anything bandwidth-heavy on phones/tablets. You'll save battery and sanity by not running OpenVPN on mobile devices.

 

[Wallace_n_Gromit]

That's just the short answer. The long answer is these routers use cheap ARM SoCs that don't compute very fast and lack AES acceleration so naturally they have mediocre OpenVPN performance. OpenVPN generally uses AES and its implementations don't tend to have good multi-threading support so now you're limited to VPNing with one core of your slow ARM SoC. If your VPN provider supports it (I can't tell), you can try downgrading the cipher from AES-256-GCM to AES-128-GCM which should result in some speedup. Popular consensus is that 128-bit key sizes are still good enough for AES so use your own judgement if you want to do this.

NordVPN seems to support the Wireguard protocol which uses much faster elliptical curve ciphers. 68U uses an ancient Linux kernel so it doesn't have good WG support. But if somehow manage to get it to work please write about it I'm interested too.

If you're bored and have too much free time you can probably roll your own solution with faster hardware. Or you can upgrade your router to a different model. Newer RT-AC86Us have AES acceleration.

I get about 30-40 mbits both ways on the AC68U, 1200 MHz CPU 800 MHz memory with AES-256-GCM, no compression algorithm. If you're interested in overclocking the router I wrote a post about it here:
https://www.snbforums.com/threads/r...13-is-now-available.57860/page-21#post-510501
It will only set the overclocks on successful reboots. If you run into power loss or software failure the overclock might not set and you'll revert to stock speeds until reboot, this is generally good.

I use the OpenVPN client feature to route mobile devices and to selectively enforce routing on certain sites with hardcoded IP voodoo magic. I think that's the best use case, nobody does anything bandwidth-heavy on phones/tablets. You'll save battery and sanity by not running OpenVPN on mobile devices.

Based on @ironclad's helpful posting many months ago, https://www.snbforums.com/threads/r...13-is-now-available.57860/page-21#post-510501, I have consistantly been running my ASUS RT-68U O/C'ed at 1200Mhz (Default clock was 800Mhz on my model--(CFE) 1.0.2.0) with absolutely no problem for months.

Since I'm getting Covid-bored at home and bouncing off the walls, I decided to actually do some personal testing/pushing the envelope on my old router.

Actual testing on 04-24-2020 on dslreports.com speedtest:

Asus RT-AC68U--External USB drive on USB3.0--Small 1 1/2" USB fan on USB2.0 attached with scotch tape to the outside, one side back vent.
Using NordVPN as VPN client.

Note: Is the power supply the true limiting factor on how much you can O/C the router? (Thinking of the Raspberry Pi 4 power issues-- the more you juice up the O/C on it, the more overvoltage you gotta do--a weak power supply will cause it to fail) I did notice while running the router O/C'ed to 1400Mhz that the Asus branded power supply was a bit warm to the touch. But didn't think to touch it before the O/C, could be running warm to the touch all the time.

megabit/s dL/uL Overall/BufferBloat/Quality
@800Mhz CPU Frequency: CPU temp 60-61C bogoMIPS 15xx.xx (x2)
5.89d/2.29u C/C/C
15.45d/4.75u B/C/A
16.63d/5.14u B/C/C

@1200Mhz CPU Frequency: CPU temp 63-64C bogoMIPS 23xx.xx (x2)
20.31d/4.93u A/C/A+
17.94d/3.37u B/C/A
22.65d/4.82u B/C/A

@1400Mhz CPU Frequency: CPU temp 65-66C bogoMIPS 2798.38 (x2)
20.21d/4.94u A/C/A+
25.1d/5.06u B/C/A
25.1d/5.06u A/C/A+
(Been running for almost an hour and a half, O/C'ed and running 2xCPU's at 100%(using "while true; do openssl speed aes-256-cbc -multi 2 ; done" in ssh session--still running stable)

Edit: @1400Mhz CPU Frequency using Brave/Firefox browsers the speeds on DSLreports.com
are much better now:
megabit/s dL/uL Overall/BufferBloat/Quality
Firefox:
32.6d/5.16u B/C/B
Brave:
31.2d/4.47u B/C/A
(I guess mileage varies by so many factors, Time of day, Network Traffic etc)

Edit: @1600Mhz The router failed to boot. Couldn't access the GUI nor the ssh. All router lights except the 2.4Ghz and 5.Ghz Wireless came on.

Per @Asad Ali's post from March 19, 2019, https://www.snbforums.com/threads/b...eta-is-now-available.55520/page-9#post-473141 :

...the process for manually clearing the NVRAM:

1- Power off the Router.
2- Press and hold down the WPS button.
3- While holding the WPS button, plug in the power cable to turn router on.
4- Keep holding the WPS button for 30 seconds before releasing. The router should reboot.
5- It's Done!!

That worked. And since I followed ironclad's insistence to backup, backup,backup ... I restored both the Router settings and the JFFS partition.

The router returned to 1200Mhz CPU. I boosted it back to 1400Mhz CPU. If it fails at this speed in the future I will post an additional update.

 

[Wallace_n_Gromit]

...If your VPN provider supports it (I can't tell), you can try downgrading the cipher from AES-256-GCM to AES-128-GCM which should result in some speedup. Popular consensus is that 128-bit key sizes are still good enough for AES so use your own judgement if you want to do this....

...I get about 30-40 mbits both ways on the AC68U, 1200 MHz CPU 800 MHz memory with AES-256-GCM, no compression algorithm...

How would I downgrade the cipher properly? This is the *.OVPN that was provided by Nordvpn.

Would I just manually remove [AES-256-GCM:AES-256-CBC] from the "Negotiable ciphers" leaving [AES-128-GCM:AES-128-CBC] and change "Legacy/fallback cipher" from [AES-256-CBC] to something like [AES-128-CBC]?

 

[ColinTaylor]

I think the list of available ciphers is already optimised. But if you want to benchmark each one change the fallback cipher to none and then put just one of the negotiable ciphers in that field rather than a list. That way you can ensure that only the specified cipher is being used. Work your way through the list testing each one.

 

[Wallace_n_Gromit]

I think the list of available ciphers is already optimised. But if you want to benchmark each one change the fallback cipher to none and then put just one of the negotiable ciphers in that field rather than a list. That way you can ensure that only the specified cipher is being used. Work your way through the list testing each one.

It appears that all the modifications to the 3 fields "Cipher Negotiation", "Negotiable ciphers" and/or "Legacy/fallback cipher" I've tried resulted in a failure to establish a VPN client connection. Restoring them to default settings restored my VPN client connection

 

[ColinTaylor]

It appears that all the modifications to the 3 fields "Cipher Negotiation", "Negotiable ciphers" and/or "Legacy/fallback cipher" I've tried resulted in a failure to establish a VPN client connection. Restoring them to default settings restored my VPN client connection

That appears to be the case. It looks like the only cipher supported by NordVPN is AES-256-GCM. Creating a list that doesn't contain that simply generates this sort of error:

Error: pushed cipher not allowed - AES-256-GCM not in none or AES-128-CBC:AES-256-CBC

Where "none" was the fallback cipher and "AES-128-CBC:AES-256-CBC" was my list.

 

[Wallace_n_Gromit]

... Or you can upgrade your router to a different model. Newer RT-AC86Us have AES acceleration.

When I go to amazon I see several Models:

RT-AC86U
RT-AC2900
GT-AC2900

Are they all the same/interchangeable with the Merlin/wireguard firmware/addon's?

 

[ColinTaylor]

There is no Merlin support for the GT- routers.

 

[Marin]

When I go to amazon I see several Models:

RT-AC86U
RT-AC2900
GT-AC2900

Are they all the same/interchangeable with the Merlin/wireguard firmware/addon's?

RT-AC86U and RT-AC2900 are the same router.


Sent from my iPhone using Tapatalk

 

[CaptainSTX]

When I go to amazon I see several Models:

RT-AC86U
RT-AC2900
GT-AC2900

Are they all the same/interchangeable with the Merlin/wireguard firmware/addon's?

If you end up with an AC86/AC2900 there probably won't be any speed advantage at this time in running WireGuard vs OpenVPN. With either your maximum download speed probably will in the range of 200-250 Mbps as this is all most commercial VPN can/will handle based on my experience running OpenVPN on a router vs, running WireGuard on a PC with an I7 processor.

Let me know if your results vary if you end up purchasing an AC86.

 

[ColinTaylor]

NordVPN have their own implementation of WireGuard. As far as I'm aware nobody has created a Merlin compatible client for that.

 

[Wallace_n_Gromit]

NordVPN have their own implementation of WireGuard. As far as I'm aware nobody has created a Merlin compatible client for that.

An update to the Windows NordVPN app was pushed to my computer several days ago enabling a new feature NordLynx. When I followed the directions to enable/test NordLynx I couldn't find it in the settings.

Then it occurred to me that maybe having my router be the client for NordVPN was somehow disabling NordLynx on the Windows NordVPN app. (I sometimes do both--works just fine--a OpenVPN tunnel w/i a OpenVPN tunnel)

BINGO! Running NordLynx(Wireguard) on my windows computer now allows me to fully use my subscribed download speed (only 100Mbps down/5Mbps up). Running OpenVPN on my computer throttles the bandwidth to about 50Mbps download. Running OpenVPN on my router RT-AC68U O/C'ed 1400Mhz throttles the bandwidth to just over 30Mbps download.

 

[ColinTaylor]

Do you have a link to the NordLynx app for Windows? The only reference I can find for it is an experimental Linux build.

 

[Wallace_n_Gromit]

If you end up with an AC86/AC2900 there probably won't be any speed advantage at this time in running WireGuard vs OpenVPN. With either your maximum download speed probably will in the range of 200-250 Mbps as this is all most commercial VPN can/will handle based on my experience running OpenVPN on a router vs, running WireGuard on a PC with an I7 processor.

Let me know if your results vary if you end up purchasing an AC86.

The current router I have running as a client through NordVPN even though it's O/C'ed only allows me about 1/3 the bandwidth I'm subscribed for. There have been many discussions about the inadequacy of the 68U SoC using OpenVPN. I would imagine the AC86U with its HW based AES-NI (?) feature would optimize my ISP connection at 100Mbps using either OpenVPN or Wireguard. Still fun to use Wireguard since it's the newest/greatest thing out there.

I'm typically a very frugal person. The price point of the 86U is a bit high, considering I have invested already in 3 68U's (one overheats severely). But I hate leaving 2/3's of my subscribed bandwidth on the table. One thought I had is using one of my many Raspberry Pi's (3's, 3+, 4's) with Wireguard installed, Linux version of NordVPN, 5Ghz wireless enabled. I would still have OpenVPN running as client on my 68U, and somehow have the Raspberry Pi running Wireguard/NordLynx as a secondary option for my high bandwidth needs, like streaming from my Roku/RokuTV.

Just don't know how to logically implement something like that. Would I have the Raspberry Pi in the DMZ with a permanent NordLynx connection, accepting 5Ghz wireless connections from my video streaming devices?

 

[Wallace_n_Gromit]

Do you have a link to the NordLynx app for Windows? The only reference I can find for it is an experimental Linux build.

If you have the NordVPN app for windows version 6.29.8.0, It will already be a part/option to merely click on.

https://nordvpn.com/download/

Open the NordVPN windows app.
Go to Auto-connect.
Be sure "Choose a VPN protocol and server automatically" is toggled OFF
Click on the"VPN protocol" window drop down box
Scroll down the window and choose "NordLynx"

EDIT: Just be sure to disable the VPN client you have running on your router. The NordLynx option won't show up.

 

[ColinTaylor]

If you have the NordVPN app for windows version 6.29.8.0, It will already be a part/option to merely click on.

Thanks. I was on the previous version and for some reason it wasn't detecting that there was an update available.

Downloaded and tried it. Seems slightly faster on my PC, 188 vs 178 Mbps. I'll stick with OpenVPN for now.

 

[doczenith1]

I see that you aren't getting much faster speeds with WireGuard. I got the opposite results with PIA. On my i5-2500K machine I was getting around 300 Mbps with OpenVPN and switching to WireGuard was a huge improvement at 800+.

 

[Wallace_n_Gromit]

Thanks. I was on the previous version and for some reason it wasn't detecting that there was an update available.

Downloaded and tried it. Seems slightly faster on my PC, 188 vs 178 Mbps. I'll stick with OpenVPN for now.

I did notice that only one of my Windows computers actually pushed the (rolling) update to the NordLynx version. I had to go to the https://nordvpn.com/download/ to pull the download to my other windows computers.

https://nordvpn.com/blog/major-upgrade-nordlynx/