What's new

Fastest Router for VPN?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

amorak

Regular Contributor
I am running a 3-4 year old RT-N66u that's been great. However my router-run VPN throughput is about 8Mbps (1MBps) on the VPN vs non-VPN download speeds of 60Mbps (8MBps)

I am wondering - for anyone with one of the newer AC-class routers - do you see significantly higher speeds when on VPN (VPN run through the router, I mean)
 
AFAIK none of the residential ARM/MIPS routers have AES hardware acceleration (like AES-ni on Intel x86 CPU's for example) so they will all be pretty slow, limited by CPU speed.
 
I could get just over 10 on my n66u, have seen as high as 50 on my overclocked ac68u, usually 30 to 40 but I think that is down to the provider.
 
fastest router for VPN would be the mikrotik CCR series followed by x86 with AES-NI.

Not intend to be sarcastic, I'm well aware you own a mikrotik CCR. I'm hoping to own one too. Proactively searching for a justification...:)
 
my AC68 overclocked to 1200mhz can do close to 60mbit/s. I would imagine the latest routers would be even better.
 
OP is actually not clear about router as VPN client or router as VPN server. Reading through the context, I believe he was asking for router as VPN client.

For router as VPN client e.g. ppl use router to connect to PIA, the throughput depends on both the config of PIA's VPN server as well as your router's VPN client (config and hardware spec). Performance ranges from poor to quite good when compared to a PC. Also in this scenario, I doubt if a Mikrotik CCR could help you shine.

For router as VPN server e.g. you connect from your phone on streets back to home through VPN, you will have better control on software config. Hardware spec has big impact but not decisive.

I run my overclocked AC56U as VPN server. The highest achievable throughput is greater than 70Mbps (line speed 100Mbps). Anywhere between 50-70Mbps is sustainable.

Even under sustained 70Mbps throughput, the dual-core CPUs on AC56U still haven't maxed out. Only around 60-70% which I can't recall exactly*.

(*Much room for software improvement in which I'm waiting for collaborators to tackle the problem).
 
Keep in mind that OpenVPN is single threaded. Multiple cores will have next to no impact on performance, unless you start running multiple servers at the same time.
 
Keep in mind that OpenVPN is single threaded. Multiple cores will have next to no impact on performance, unless you start running multiple servers at the same time.

significantly faster speed is achieved when the openvpn process is on a different core from the kernel processes. dual core does help in that manner.
 
significantly faster speed is achieved when the openvpn process is on a different core from the kernel processes. dual core does help in that manner.

Yes. That's why on my firmware I have task affinity switched, i.e. openvpn1 is on core 1, and openvpn2 is on core 0.
 
Keep in mind that OpenVPN is single threaded. Multiple cores will have next to no impact on performance, unless you start running multiple servers at the same time.
If I run two OpenVPN clients, and I select 'redirect internet traffic - all' which traffic will be redirected to which VPN?
 
for sure if nat acceleration is disabled as long as openvpn doesnt share the same core as the main nat to wan thread then the 2nd core definitely still helps, and of course an overclocked ac68 has alot more performance than a n66 even on one core.

On my ac66 even 10mbit of non VPN traffic would chew up lots of its cpu without nat acceleration.
 
If I run two OpenVPN clients, and I select 'redirect internet traffic - all' which traffic will be redirected to which VPN?

Probably whichever is connected last I would assume. Just don't - you would be trying to setup two different default routes, while only one can exist at one time.
 
My quoted numbers in #9 are based on HW NAT being _off_.

HW NAT hogs CPU and reduces throughput in one usage scenario: phones on streets connect to home through VPN, and then visit the Internet.

In this particular usage scenario (with HW NAT off), the throughput is still significantly lower than terminating in home LAN. While visiting home LAN is about 70Mbps, it's only about 25Mbps when first visit home LAN and then visit the Internet.

I was thinking this particular scenario where software improvement worth diving into. My gut feeling is somewhere in the routing codes slowing it down...
 
Hi,

Yes. That's why on my firmware I have task affinity switched, i.e. openvpn1 is on core 1, and openvpn2 is on core 0.

On which cores are VPNclient 3-5 running? Getting much higher throughput (>50mibt/s) on client 1/core 1 (obviosly) with HW-NAT disabled than on client 2. Since I don't want to change configuration if I need to "switch" country it would be good to know.

Thanks
 
My quoted numbers in #9 are based on HW NAT being _off_.

HW NAT hogs CPU and reduces throughput in one usage scenario: phones on streets connect to home through VPN, and then visit the Internet.

In this particular usage scenario (with HW NAT off), the throughput is still significantly lower than terminating in home LAN. While visiting home LAN is about 70Mbps, it's only about 25Mbps when first visit home LAN and then visit the Internet.

I was thinking this particular scenario where software improvement worth diving into. My gut feeling is somewhere in the routing codes slowing it down...
You do realise that if you access home network remotely and than access internet through it that you halve the bandwidth in both available and throughput and even more so with asymmetric internet. You also have to account for routing for internet for VPN clients as well so it than has to do routing, encryption and NAT whereas from LAN it would just have NAT.

Not intend to be sarcastic, I'm well aware you own a mikrotik CCR. I'm hoping to own one too. Proactively searching for a justification...:)
The reason to own a CCR is mainly if you have gigabit internet and want to tweak your own firewall or if you want gigabit internet using PPPOE. The CCR does have hardware encryption which gives it better VPN throughput but because of the people who make it they havent fully multi threaded everything so while you could use multiple cores on 1 interface it restricts itself to one core per connection mainly so things dont flood the router but the compiler/software for it would allow using more cores for a single VPN connection. Im not sure if they've changed it but if you could use multiple cores for VPN it would be really fast. I can test it again later with newer firmware and once new fans arrive to keep it quiet. For myself even though i have less than 100Mb/s of internet i use the CCR for as many network tasks as i can give it and also perform layer 2 filtering, scripts and such. It does have a lot more features but i still havent managed to go through the cisco protocols that they have on it.

I also havent managed to get openVPN working yet or SSTP or L2TP/IPSEC even though others have used them on mikrotik routerboards.
 
Last edited:
On which cores are VPNclient 3-5 running? Getting much higher throughput (>50mibt/s) on client 1/core 1 (obviosly) with HW-NAT disabled than on client 2. Since I don't want to change configuration if I need to "switch" country it would be good to know.

Thanks

Only client1 is moved to the second core. I currently don't change the affinity of the other clients, so they all run on the first core.

I might eventually alternate them all.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top