
Can you help me speed up OPENVPN on N66U?

  • Thread starter Deleted member 27741

Deleted member 27741

Guest
Hi, I connect to OPENVPN on my N66U when away from home for local access to my home network and it works great. Only problem is that I am getting speeds of 1 Mb/s down 0.25 Mb/s up while connected (all speeds are with internet traffic redirected). This is usually on hotel connections that have greater than 20 Mb/s down and 5 Mb/s up. My connection at home that the router uses is about 60 Mb/s down and 7 Mb/s up.

I can't figure out why it is so slow?

I use encryption cipher AES-128-CBC and the following in custom configuration-
auth sha256
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

I have removed the custom configuration settings to no avail. Any ideas?
 
Router server settings-
interface- TAP
protocol- TCP
Authorization Mode- TLS
Extra HMAC authorization (tls-auth)- bi-directional
Allocate from DHCP yes
poll interval- 0
direct clients to redirect internet traffic- yes
respond to dns- yes
advertise dns to clients- yes
encryption cipher- aes-128-cbc
compression- adaptive
tls renegotiation time- -1
manage client-specific options- no

custom config-
auth sha256
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA


OPENVPN client settings-

client
dev tap
dev-node XXXXXXXXXX
proto tcp
remote xxx.xxx.com xxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca xx.crt
cert xx.crt
key xx.key
auth sha256
ns-cert-type server
remote-cert-tls server
tls-auth xx.key
cipher AES-128-CBC
comp-lzo adaptive
verb 3
mute 20
 
Your lack of speed is the result of several issues.

First the N66u doesn't have enough processing power. A newer router with a faster processor and more memory will help some, but no SOHO router is going to give you a fast OpenVPN connection when operating remotely.

Second the distance involved in connecting from your hotel to your home, to a web site and then back to your hotel is slowing your connection. For comparison, when you are not using your VPN, connect to Speedtest using the nearest server and then connect to a distant server and you will see a noticeable reduction in reported speeds.

Finally hotel Internet connections are often overloaded and not dependable. Some hotels even block certain types of VPN connections to prevent guests from using a VPN to circumvent the hotel's restrictions on streaming video.

Depending on what you are doing, if you don't need access to resources on your home network, just run a VPN on your devices directly. This will protect you on insecure networks when traveling and prevent man-in-the-middle attacks.

If you want to use your home Internet connection when traveling while running a VPN and you want speed then you will need to set up a VPN server on a PC on your home network. You can run a version of DD-WRT on a PC and other posters have had success with Ubiquiti.
 
Hi, I am using RT-N66U as home OpenVPN server since April 2013 for the same purposes as you (road warrior). The configuration is almost the same - TAP interface over TCP with extra tls-auth, but my encryption is 256-bit AES, which is a heavier task for the router compared to your 128-bit.

Technically this router is capable of reaching about 14 Mbits/s with 256-bit AES encryption and this is proved on my router. With 128-bit AES encryption (your case) the router should be able to reach about 22-25 Mbits/s. Try to google this forum to find Merlin's thread about RT-N66U OpenVPN performance. He made a lot of performance tests of different configurations.

The only thing which may affect the speed and is under your control is LZO compression. You shall DISABLE LZO compression both on router and client. This option does not provide any benefit, even it slows the connection. See how to do this in OpenVPN help.

The other possible reason for slow connection is the slow and crowded hotel internet as my colleague above said. I am testing my router's performance from my office where the internet connection is almost the same as in my home (50 Mbits/s download and 33 Mbits/s upload). When I am in hotels and airports around the world I frequently observe slow speeds as you. The reason is their slow internet connection. Please note, that the OpenVPN tunnel's speed over TCP depends on the slower of two speeds - upload and download. It is impossible to reach more than the slower of them. So, if the hotel connection is 50 Mbits/s download and 1 Mbit/s upload your speed will be less than 1 Mbit/s definitely.

The third possible reason is that your router is busy with other tasks except its main job (routing). Such tasks may include DLNA server, torrents, large USB hard disk attached, etc. You should test your router under clear conditions, without such services started. Check the router's CPU load without OpenVPN client connected to verify if there are any other services that may overload the CPU.

As a conclusion: As your home connection is 60 Mbits/s download and 7 Mbits/s upload, you should be able to reach at least 7 Mbits/s if the client's internet connection is faster than 7 Mbits/s download and upload. The technical limitation of your router is about 22-25 Mbits/s (with 128-bit AES encryption) if you change your home upload speed to at least 22-25 Mbits/s and if your client has at least the same connection. The RT-N66U router is pretty acceptable as OpenVPN server if you don't need more than the technical limitation mentioned above. You should arrange a PC or newer router as an OpenVPN server only if you want faster speeds than the technical limitation.

P.S. My router is now 10% overclocked. Before this my speed was about 12 Mbits/s under the same other conditions. If you overclock your router you may expect about 25-28 Mbits/s as a technical limitation under the same other conditions.

P.P.S. Be aware that some hotels filter or shape the traffic over certain ports including the OpenVPN standard port 1194. My advice is to configure your OpenVPN server on standard HTTP or HTTPS ports which are almost free of any filtering by hotel's network administrators. This may lead to some minor issues like internet scanning bots trying to connect to the OpenVPN port which will result in the system log entries.
 
something is wrong.

you should really consider switching to a tun configuration. with my tun setup and a 10mbit down, 1mbit connection i generally receive ~0.6mbit up/down, which is better than half of my upload. at home, i can get nearly my full download bandwidth over openvpn using a rather old phone. you should also try using UDP instead of TCP

if you need TAP for something besides netbios names, you might try adding;

dhcp-option=43,01:04:00:00:00:02

to /jffs/configs/dnsmasq.conf.add

and then restarting all the hosts on your home network/restart network connections/unplug cable for a second. if they are all allocated IPs by dhcp, they will accept the above option to disable netbios over tcpip, potentially significantly reducing the broadcasts on your lan/tap vpn
 
I only use the openvpn on my RT-N66 as a backup connection. I have a 250mbit down, and 1 gbit upload fibre connection, and file transfers always peg the cpu of the router.

I have the primary openvpn setup on an I3 server which is more capable of doing the crypto work, and then the file transfers are limited by bandwidth available.

What I have done is disable compression as the poor cpu in the rt-n66 is way too busy with crypting and decrypting so it does not make sense to have it compress and decompress the data on the fly as well.
 
Great information, guys. I will start with turning off comp-lzo, but I have a problem. When I set comp-lzo to "disable" on the router and
comp-lzo no
on the client I get this warning on connection-
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 1603'
WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

How do I configure server and client to not get this warning or does it not matter?
 
Great information, guys. I will start with turning off comp-lzo, but I have a problem. When I set comp-lzo to "disable" on the router and
comp-lzo no
on the client I get this warning on connection-
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 1603'
WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

How do I configure server and client to not get this warning or does it not matter?

Just set COMPRESSION to DISABLE in the router's Web UI and comment or remove the line about compression in the client's .ovpn file, like this:

;comp-lzo

In that case the client will follow the server's setting.
 
@Sinshava, I have tried to set up a tun/udp connection, but to no avail. How would I change the server/client settings to get it to work? My clients are using windows (xp 32 bit and win7 64 bit) if that matters.

@Netware5, I have my OPENVPN port set to 443, hoping to circumvent the port blocking common in hotels you speak of.
 
@000111,

Here is my configuration
== Client's .OVPN configuration file ==

client
remote xxx.xxx.xxx.xxx

# Added to avoid random failure of pushing routes
route-delay 30

port 80
proto tcp-client
dev tap
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
ping 10

# enable LZO compression
# NB! Next line is commented as the lzo compression takes too much router CPU time
;comp-lzo

verb 4
mute 10

===Server's Web UI Detail's page==

VPN Server mode <OPENVPN>
Select server instance <Server 1>
Interface Type <TAP>
Protocol <TCP>
Port <80>
Firewall <auto>
Authorization Mode <TLS>
Username/Password Authentication <No>
Extra HMAC authorization <Incoming (0)>
Allocate from DHCP <Yes>
Poll Interval <0>
Direct clients to redirect Internet traffic <Yes>
Respond to DNS <Yes>
Advertise DNS to clients <Yes>
Encryption cipher <AES-256 CBC>
Compression <Disable>
TLS Renegotiation Time <-1>
Manage Client-Specific Options<No>

Custom configuration:
tcp-nodelay

My advice is not to try the tun/udp. My TAP configuration above is proven and working.

**EDIT** My clients are Windows XP-32 and Windows 8.1 - 64
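The comp-lzo warning earlier in the thread and the matching server/client pair in the post above both come down to the two ends agreeing on a handful of directives; the sketch below is an added example (not code from any poster or from OpenVPN) that compares two config files and reports disagreements, including the tls-auth key direction. The SERVER text is a constructed stand-in for the router's Web UI settings, and the file names and helper names are assumptions.

```python
import re

# Options that must agree on both ends of an OpenVPN tunnel.
MUST_MATCH = ("proto", "dev", "cipher", "auth", "comp-lzo")
# Valid (server, client) tls-auth key-direction pairs.
OK_DIRECTIONS = {("absent", "absent"), ("both", "both"), ("0", "1"), ("1", "0")}

def parse(text):
    """Return {directive: [args]}, skipping blanks and '#' / ';' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def normalise(name, args):
    """Reduce a directive to the value the peer has to match (None = absent)."""
    if args is None:
        return None
    if name == "comp-lzo":          # bare 'comp-lzo' means adaptive
        return args[0] if args else "adaptive"
    if name == "proto":             # tcp-server / tcp-client -> tcp
        return args[0].split("-")[0]
    if name == "dev":               # tap0 -> tap
        return re.sub(r"\d+$", "", args[0])
    return args[0].upper()          # compare cipher / auth names ignoring case

def key_direction(opts):
    """'absent', 'both' (no direction given), or the explicit '0' / '1'."""
    args = opts.get("tls-auth")
    if args is None:
        return "absent"
    return args[1] if len(args) > 1 else "both"

def compare(server_text, client_text):
    """List (directive, server_value, client_value) for every disagreement."""
    srv, cli = parse(server_text), parse(client_text)
    problems = []
    for name in MUST_MATCH:
        s, c = normalise(name, srv.get(name)), normalise(name, cli.get(name))
        if s != c:
            problems.append((name, s, c))
    dirs = (key_direction(srv), key_direction(cli))
    if dirs not in OK_DIRECTIONS:
        problems.append(("tls-auth", *dirs))
    return problems

# Constructed sample configs (placeholders, as in the thread's redacted files).
SERVER = "proto tcp-server\ndev tap\ncipher AES-128-CBC\nauth sha256\ntls-auth ta.key\n"
CLIENT = "client\ndev tap\nproto tcp\nauth sha256\ntls-auth xx.key\ncipher AES-128-CBC\n"

if __name__ == "__main__":
    print(compare(SERVER, CLIENT + "comp-lzo no\n"))  # client still sets comp-lzo
    print(compare(SERVER, CLIENT + ";comp-lzo\n"))    # line commented out
```

A client that says `comp-lzo no` is reported as differing from a server with no comp-lzo line at all, because `no` still leaves compression framing on the link; that one byte is the link-mtu 1604 versus 1603 difference in the warning.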
 
i agree with netware5, I don't think there will be a significant speed change when switching from tap to tun. After all the hard part is de en/decrypting which will not change.
 
Well, I have disabled comp-lzo. Hasn't done much good, but it is a start.

I have tried connecting with my phone hotspot to test the speeds. I get about 5 Mb/s down 5 Mb/s up without the vpn connected. Connected I get about 0.3 Mb/s download 0.3 Mb/s up. Doesn't that seem low?

Is there any way my speeds are throttled somehow? I do not have QOS turned on on the router, should it be?
 
i agree with netware5, I don't think there will be a significant speed change when switching from tap to tun. After all the hard part is de en/decrypting which will not change.

A tap will get a bit of additional overhead however, as all kind of broadcast data will also go through the tunnel.
 
Well, I have disabled comp-lzo. Hasn't done much good, but it is a start.

I have tried connecting with my phone hotspot to test the speeds. I get about 5 Mb/s down 5 Mb/s up without the vpn connected. Connected I get about 1 Mb/s download 0.25 Mb/s up. Doesn't that seem low?

Is there any way my speeds are throttled somehow? I do not have QOS turned on on the router, should it be?

Could you explain what you mean connecting with my phone hotspot to test the speeds? What you had plugged in the router's WAN port?
 
Sure I can explain-

The router (N66U) is connected as it always is (WAN connected to a cable modem).

The laptop I use to connect to the OPENVPN of the router is connected to WAN by the phone hotspot. This is so I am not testing the VPN while the laptop is connected to the very router that supplies the VPN. This way I don't have to go somewhere to test the VPN while I'm at home.
 
Sure I can explain-

The router (N66U) is connected as it always is (WAN connected to a cable modem).

The laptop I use to connect to the OPENVPN of the router is connected to WAN by the phone hotspot. This is so I am not testing the VPN while the laptop is connected to the very router that supplies the VPN. This way I don't have to go somewhere to test the VPN while I'm at home.

So that means the laptop is connected by wireless to the phone hotspot, then the phone hotspot is connected to the internet by 3G mobile network, then the traffic is going back to the cable modem through your 3G network provider. Isn't it?
 
Yes, I believe so. The laptop connected to the phone then connects to the router by way of the VPN and all traffic is routed through the router to the phone/laptop.

I am working on getting an OPENVPN server working on a laptop (behind the N66U) instead of running it through the router. I am able to connect to it, but once the client is connected it cannot access anything on the home LAN, nor the internet.

Is anyone willing/knowledgeable enough to help me get the routing or bridging right so I can get access to the home LAN and the internet while connected to a laptop OPENVPN server behind my N66U?
 
Yes, I believe so. The laptop connected to the phone then connects to the router by way of the VPN and all traffic is routed through the router to the phone/laptop.

I am working on getting an OPENVPN server working on a laptop (behind the N66U) instead of running it through the router. I am able to connect to it, but once the client is connected it cannot access anything on the home LAN, nor the internet.

Is anyone willing/knowledgeable enough to help me get the routing or bridging right so I can get access to the home LAN and the internet while connected to a laptop OPENVPN server behind my N66U?

It is really strange. In your configuration you should be able to reach about 5 Mbits/s using VPN as it seems to be your max speed using the phone hotspot. Router is able to process at least 14 Mbits/s which is proven by my router. Did you try creating an "external" network and connecting the laptop to the WAN port by wire?
 
Yep, it's weird. Even more weird- I got an OPENVPN server working on a windows 7 machine on my home network and guess what? It is even slower than using the N66U as an OPENVPN server. Why on earth would THAT be? :confused:

Hahahahaaa... all that processing power and when connected to the OPENVPN server on the windows computer I get about 0.30 Mb/s download while when connected to the N66U OPENVPN server I get 1 Mb/s. :eek:
 
Yep, it's weird. Even more weird- I got an OPENVPN server working on a windows 7 machine on my home network and guess what? It is even slower than using the N66U as an OPENVPN server. Why on earth would THAT be? :confused:

Hahahahaaa... all that processing power and when connected to the OPENVPN server on the windows computer I get about 0.30 Mb/s download while when connected to the N66U OPENVPN server I get 1 Mb/s. :eek:

Hm-m-m ... really weird. Now I am suspicious about your client machine. Maybe there is something wrong with your laptop.

Do you have any deep packet inspection software (firewall, antivirus, etc.) running on your router or client machine?
 