ExpressVPN setup (app vs. manual configuration) in Asus routers

Marin

Very Senior Member
Hi,

I have the ExpressVPN app installed in my Asus RT-AC87U and it performs very well with average download speeds for the server I use at about 30Mbps (ISP ~60 Mbps). The ExpressVPN app is built on a DD-WRT platform but I was curious how some (or all) of its settings could be translated in the same router that uses Merlin’s FW, instead?

When I try to set up the same server settings on my Asus RT-AC5300 (Merlin’s latest FW installed) I only get about 10Mbps download speeds. I have tweaked some of the settings based on suggestions posted in other threads but have not experienced any improvement in download speeds.

I understand that apps have their own configurations and may not necessarily perform the same in different routers but is there a way to find out what an app’s settings are to try to somehow replicate them in another router in hopes of getting similar performance results?

I also just purchased an Asus RT-AC86U and I am wondering if it will truly perform better when connected to VPN. Some of you have suggested this due to hardware-accelerated changes for openvpn settings.

For those of you who have manually configured ExpressVPN in your routers, would you be willing to share a pic with your current VPN client settings that you are having very good results with?

Thank you!
 
@Marin Were you ever able to figure out the "secret sauce" for ExpressVPN+Merlin=same speed as ExpressVPN Router App?
 
I am using nordvpn and I get roughly the same speed as without VPN. To be specific, without VPN I get around 85-90 Mbps and with VPN turned on I get around 80-85 Mbps.
The settings I use depend upon the server-specific OVPN configuration file that you have to download from the expressvpn site. However, you have to change a few settings after uploading the file to the VPN client.
The settings that you need to change are-
1. Accept DNS configuration- "Strict"
2. Cipher Negotiation- "Enable with Fallback"
3. Compression- "LZO Adaptive"
4. TLS renegotiation time- "-1"
5. Connection retry attempt- "-1"
6. Verify Server Certificate- "No"
7. Redirect Internet Traffic- "All"

Keep all other settings unchanged.

Note- Don't use the expressvpn recommended server. Using the recommended server has never worked for me. So, I suggest you do the same.

One last thing, which I forgot to mention: I am getting this VPN speed even after enabling Stubby, AI protection, QOS and diversion.
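
An added example, not part of the post above or of any vendor's tooling: a small audit of an OpenVPN client config for the two settings in that list that bear on tunnel security (server certificate verification and compression), plus the cipher and auth lines. The sample configs and host name are constructed, and the mapping from the router GUI options to these directives is an assumption.

```python
WEAK = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc"}       # disabled or 64-bit block
COMPRESSING = {"adaptive", "yes", "lzo", "lz4", "lz4-v2"}  # modes that really compress

def parse_directives(text):  # returns directive -> list of argument lists
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):  # inline <ca>...</ca> style blocks: skip contents
            in_block = not line.startswith("</")
        elif line and not in_block and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name.lstrip("-"), []).append(args)
    return directives

def audit(text):
    d, findings = parse_directives(text), []
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("server-cert: no remote-cert-tls or verify-x509-name, so any "
                        "certificate issued by the same CA is accepted as the server")
    for name in ("comp-lzo", "compress"):
        for args in d.get(name, []):
            # bare comp-lzo means adaptive; bare compress only enables framing
            mode = args[0] if args else ("adaptive" if name == "comp-lzo" else "stub")
            if mode in COMPRESSING:
                findings.append(f"compression: {name} {mode} compresses before encryption")
    for name in ("cipher", "auth"):
        findings += [f"{name}: {a[0]} is disabled or weak"
                     for a in d.get(name, []) if a and a[0].lower() in WEAK]
    return findings

# Constructed configs; host name and GUI-to-directive mapping are assumptions.
AS_POSTED = """client
remote vpn.example.invalid 1194
comp-lzo adaptive
cipher AES-256-CBC
<ca>
# constructed placeholder, not a real certificate
</ca>
"""
HARDENED = """client
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example.invalid name
cipher AES-256-GCM
"""

if __name__ == "__main__":
    print(audit(AS_POSTED), audit(HARDENED))
```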
 
I can confirm that HW acceleration has no role to play with VPN performance. I am using QOS with VPN and still getting almost the same internet speed as without VPN.
 
Without specifying which router and ISP speeds you get, that statement means very little on its own. ;)
 
Router- Asus 86U
Speed without VPN- 85-90 MBPS on WAN (with QOS enabled)
Speed with VPN- 80-85 MBPS on WAN (with QOS enabled)
 
@Marin Were you ever able to figure out the "secret sauce" for ExpressVPN+Merlin=same speed as ExpressVPN Router App?

No, I have not tried and/or compared. The EVPN app is based on DD-WRT. Plus, you would not be able to tweak it unless you download a Kong's or Brainslayer's DD-WRT version in it. Even then, you would have to research DD-WRT forums to determine what tweaks would be needed to get better speeds. Unfortunately, I did not use this app long enough in my RT-AC87U. I didn't install Merlin in it either to be able to tell the difference. Keep in mind that although custom config settings tweaks help, it is also the type of router, CPU, hardware acceleration that considerably impact VPN speed. Based on my research then I didn't expect AC87U to get better speeds like newer routers such as AC86U and AX88U.
 
FWIW, after a lot of testing, I'm convinced the primary reason that these consumer grade routers perform so poorly when it comes to the VPN (just about any VPN) is due to ring changes, NOT the lack of hardware compression, not various buffer sizes, and a million other settings. It's having to constantly jump from user space to the kernel and back (aka ring changes), for the purposes of constructing and managing the tunnel, that's the *primary* culprit, w/ these other issues making marginal differences.

Why do I say that? Because I've gone so far as to configure a PTP (point to point) OpenVPN tunnel between my router (ASUS RT-AC68U) and a VPS, and even if I disable encryption entirely, just a plain ol', in the clear, tunnel (can't get any simpler), I still get the same crappy performance. But if instead I grab even an old crappy PC circa 2008 to support the OpenVPN client, it blows the pants off the router.

The reason a more powerful router improves VPN performance is simply raw horsepower. Back in the early 90's, Microsoft had the same problem when it came to the GDI (graphics routines) in Windows 3.x. The PCs of that time were so pathetic (at least relative to today), if Microsoft had left the GDI in user space, it would have taken forever to redraw the screen. So they decided to place the GDI in the kernel, which vastly improved performance. Of course, they paid the price for that decision years later when the internet came along and it became possible to gain remote access of the kernel through flaws in the GDI!

That's what I believe is happening w/ these VPNs. The ring changes using these relatively crappy processors in the router can't complete the ring changes efficiently. To improve performance, you would have to move OpenVPN to the kernel. And that's why Wireguard has better performance than OpenVPN. It's NOT the simplicity of Wireguard, or the better encryption options, yada yada, as so many claim, but the fact it runs in the kernel! Do the same for OpenVPN, and you'll see a dramatic improvement there as well.

That's why you're wasting your time trying to fiddle with various OpenVPN options. As long as it has to run in user space, and you mix it w/ a low-end processor, you'll remain disappointed w/ its performance. When users choose to move to a *much* more powerful router (say 1.4GHz or better), *then* you see a significant improvement, but again, simply because of raw horsepower. Of course, at some point it starts to get silly, and you might as well run the OpenVPN client off an old PC. And if I'm serious about getting top performance from the VPN, that's what I do. I don't use the router.

JMTC
 
@eibgrad How does what you say apply to routers with encryption specific SOC CPUs such as the AC86U?

The point I'm making is that issues like encryption, and a thousand other configuration details we all typically fiddle with to improve VPN performance, are NOT the primary problem. I'm sure the choice of encryption, whether you have hardware acceleration for those purposes, the chipset architecture, etc., all have some impact. But relative to this issue of ring changes, they are trivial in comparison. While you might be able to tweak another 5-10% improvement, I believe ring changes is what's killing it, and what's dropping performance from 100Mbps to 10Mbps. All other tweaks might improve that 10Mbps to say 15Mbps. But it's NOT going to improve that 10Mbps to say 70Mbps. For that to happen, you just need more raw horsepower. And that's what something like the RT-AC86U and its 1.8GHz (!) dual-core processor brings to the table. Just sheer, raw horsepower.
 
I think you are correct (and lots of good information, THANKS). However, I think you are underestimating/understating the capability of the AES-NI instruction set. The AC86U CPU is about 2 1/4 times as fast as the AC68. But OpenVPN throughput is 5X+.
 
Perhaps. But the problem in apportioning blame is made more difficult by the fact you have multiple variables that are affecting the performance. That's why I went to the trouble to eliminate as many variables as possible in my testing, by using a super simple PTP tunnel (no encryption, no TLS, etc.). And once those variables were eliminated, there wasn't much, other than ring changes, to explain the vast difference in performance between an OpenVPN client on the router, and an OpenVPN client running on a crappy old PC, when connecting to the same OpenVPN server running on my VPS.

Again, this isn't to say encryption options, hardware assist, etc., don't have an impact. But it may be that unless you *also* have a powerful CPU, you might not see 5X+ performance w/ AES-NI. IOW, first you need the powerful CPU, *then* you can take advantage of hardware assisted encryption.

None of this is absolutely definitive. It's just my own, less than perfect, analysis after dealing w/ this issue for many years. And not just with OpenVPN, PPTP too. What really got me convinced that ring changes are the real culprit is the fact the Wireguard developer brags about the increased performance of his VPN, specifically because it runs in the kernel! Then the light bulb lit up! Ahh, that's why nothing gets any better unless you just throw more horsepower at it.

Now if someone comes along and shows me a low-end router w/ hardware encryption that provides full bandwidth from their ISP and VPN providers, I'm willing to reconsider. But so far, I haven't seen it. What I have seen are linear improvements as the power of the CPU increases. But no magic bullets, like hardware encryption.
 
Accept DNS configuration- "Strict"
If you have Stubby installed, why are you not setting it to "Disabled"? Doesn't "Strict" mean it's still using the ExpressVPN DNS Servers? If so, then what's the point of Stubby? I'm just trying to understand how this all works.
 
