Best Router for fastest VPN speeds

[Nullity]

Yes - it's due to design - L2TP/IPSec will always be faster than OpenVPN - OVPN will always use the TUN interface, and between the jumps up and down from User to Kernel space, and the subsequent memory thrashes... and this is with, or without, OpenSSL acceleration that some chips offer..

LT2P, along with PPTP, live in kernel space - they don't have the overhead there...

Folks that do VPN for a living - OpenVPN isn't really an option for B2B connections - the overhead there is just too expensive compared to L2TP/IPSec...

Cloudflare had a blog post recently explaining that they achieve ~10x performance by by-passing the kernel. https://blog.cloudflare.com/kernel-bypass/
Kernel-space processing is not automatically a more efficient design choice.

A quick Googling shows that IPsec tends to be faster, but OpenVPN is also occasionally faster. No clear winner. Very hardware dependant.


This site: https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/ says

Relatively minor compared to the last point, but probably worth mentioning, is that because L2TP/IPsec encapsulates data twice, it is not as efficient as SSL based solutions (such as OpenVPN and SSTP,) and is therefore slightly slower.

Seems, from a design stand-point, IPsec is the less efficient. How many devices support HW acceleration for IPsec and not OpenVPN is a separate conversation, though valid.

Still, I see no mention of IPsec vs OpenVPN while they both use the same cipher. Is this impossible?

Edit: As kvic said, numbers would be nice.

 

[kvic]

Still, I see no mention of IPsec vs OpenVPN while they both use the same cipher. Is this impossible?

Business boxes are pre-dominantly IPSec optimised and are encouraged to use IPSec over OpenVPN for many reasons such as scalability, compatibility and manageability. OpenVPN speed sucks in these boxes anyway. So I won't expect they are interested in benchmarking one versus the other.

I would hope consumer boxes like NAS jump in and ppl can benchmark on them. Most have both IPSec and OpenVPN. Either both optimised or none does. Shall give a good sense of any architectural excellence of one over the other..

The cloud flare article is an interesting read. Thanks.

 

[sfx2000]

Cloudflare had a blog post recently explaining that they achieve ~10x performance by by-passing the kernel. https://blog.cloudflare.com/kernel-bypass/
Kernel-space processing is not automatically a more efficient design choice.

A quick Googling shows that IPsec tends to be faster, but OpenVPN is also occasionally faster. No clear winner. Very hardware dependant.

Kernel bypass requires a very specific kernel config, and a lot of horsepower behind it - and memory bandwidth, which is all in short supply in the average SOHO grade consumer router...

 

[sfx2000]

Seems, from a design stand-point, IPsec is the less efficient. How many devices support HW acceleration for IPsec and not OpenVPN is a separate conversation, though valid.

Still, I see no mention of IPsec vs OpenVPN while they both use the same cipher. Is this impossible?

Edit: As kvic said, numbers would be nice.

L2TP/IPSec is efficient as it's all in kernel space - all VPN's wrap the packets twice in any event once it's on the wire - it's the how that makes LT2P/IPSec reasonably fast...

As for numbers - Let's just say that most mid-large telco's use LT2P/IPSec tunnels all the time on 10G/40G/100G links...

 

[kvic]

This benchmark from pfSense team shows no obvious speed advantage of IPSec over OpenVPN. It's "most scientific" comparison I've seen so far!

https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported.


But my love of OpenVPN is fading a bit due to close source nature (under Apple NDA) of the iOS client. Bugs like this and this aren't fixed promptly.

 

[Melontes]

Interesting thread...My post is similar to the OP. Please forgive me if any of my questions fall into the "stupid idiot" category.
I have an Asus RT-AC68U router and would like to get the best/economic VPN provider for security and privacy, and the fastest speed possible (presently running 100Mbps down) so,
***to be done at the router level***
What protocol should/can I use for my router?
Must I install 3rd party firmware? And if so, which is superior for my router?

Just looking for a good, solid VPN provider that offers good speed, reliability, support, security, no logging, and privacy at an economic price. Ease of setup would be nice too.
Thanks in advance.

 

[RMerlin]

But my love of OpenVPN is fading a bit due to close source nature (under Apple NDA) of the iOS client. Bugs like this and this aren't fixed promptly.

Apple are the ones who should be "losing your love" there. The OpenVPN project code itself is fully open sourced.

 

[patrick sullivan]

Check out Turris Omnia if you are not in a hurry (estimated shipping in April). According to the last update:

"With Turris Omnia, acting as an OpenVPN server with recommended configuration with one client connected, we measured 100 Mbps in one direction. We expect this number to be a bit better in the future as we have still the crypto acceleration turned off."

You can always port-forward OpenVPN to an internal "real" computer that is set up as an OpenVPN server, which will crush practically any router.

I opened a separate post concerning this exact issue. I have a dedicated machine that I currently have Windows 7 on that runs a VPN (PIA). I am looking for help setting it up correctly. I don't want to add more hardware upstream (router), but need to secure my network. This PC connects directly to my modem, and works very well, but lacks security (?). I am not opposed to changing the OS to Pfsense, but I need to be able to run a bit torrent client on this machine. Maybe run Pfsense on a VM? Would that work? Could I configure my VPN with that setup?

 

[yorgi]

The N66U can handle way more then the bandwidth you get for your VPN
N66U is a great router and even though it has one cpu it doesn't mean it cant take the speeds.
What you need to do is check your server ports. try different ports. its not the routers problem.
get the ports list from your VPN provider
Try using their software and see if you get the same issues with bandwidth.
Don't waste your money by buying a new router until you are sure its not a router issue

Update: I take that back, after making more tests with the 66u i agree that it cannot do more then 10mbps
You need dual core and faster cpu like u68 or u87

 

[System Error Message]

CCR1072, 72x300Mb/s of PPTP/IPSEC throughput.

 

[yorgi]

CCR1072, 72x300Mb/s of PPTP/IPSEC throughput.

Flagship router, I wonder what the flagship price tag is?

 

[yorgi]

Interesting thread...My post is similar to the OP. Please forgive me if any of my questions fall into the "stupid idiot" category.
I have an Asus RT-AC68U router and would like to get the best/economic VPN provider for security and privacy, and the fastest speed possible (presently running 100Mbps down) so,
***to be done at the router level***
What protocol should/can I use for my router?
Must I install 3rd party firmware? And if so, which is superior for my router?

Just looking for a good, solid VPN provider that offers good speed, reliability, support, security, no logging, and privacy at an economic price. Ease of setup would be nice too.
Thanks in advance.

VPN provider that claims to do what you want go with PIA
Flash your 68U with Merlin
You will be able to get at least 50mbps with VPN which is quite nice.
here is a how to guide
http://www.snbforums.com/threads/ho...n-firmware-a-step-by-step-how-to-guide.30851/

 

[sfx2000]

This benchmark from pfSense team shows no obvious speed advantage of IPSec over OpenVPN. It's "most scientific" comparison I've seen so far!

https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported.


But my love of OpenVPN is fading a bit due to close source nature (under Apple NDA) of the iOS client. Bugs like this and this aren't fixed promptly.

Probably not the best example - the Alix is a Geode from the Cyris/NatSemi days that AMD bought...

Pretty much every ARMv7 processor - Cortex-A9/Cortex-A7 can out run it - and the recent intel AMD64 chips - well that's even more.

I still stand, and this is based on experience in the data center, that L2TP/IPSec is a faster solution..

OpenVPN has the portability advantage, and it's very good at hole punching thru firewalls (who is going to block incoming/outgoing 80/443 over TCP?)

 

[kvic]

Probably not the best example - the Alix is a Geode from the Cyris/NatSemi days that AMD bought...

I have IKEv2/IPsec and OpenVPN running on my RT-AC56U @ 1.4GHz. Both aes-128. Max throughputs:

ipsec: ~86Mbps (multi-threaded crypto) ~7xMbps (single-threaded crypto)
openvpn: ~71Mbps

I can't remember the x in ~7x but closer to 80 than 70.

 

[sfx2000]

I have IKEv2/IPsec and OpenVPN running on my RT-AC56U @ 1.4GHz. Both aes-128. Max throughputs:

ipsec: ~86Mbps (multi-threaded crypto) ~7xMbps (single-threaded crypto)
openvpn: ~71Mbps

I can't remember the x in ~7x but closer to 80 than 70.

Cool - might consider sharing results on this thread with the methodology discussed there...

http://www.snbforums.com/threads/openvpn-estimate-performance-via-openvpn.33416