Latest router recommendation for high speed VPN

[madfusker]

Hello,

I am currently running whole house VPN on my trusty AC86U and I get great speeds. I need to purchase another one for another house and would like to know what the best one is these days for VPN?

GT-AC2900?
RT-AX88U?
RT-AC88U?
Others?

Again, running whole router VPN with good speed is key, which is why I run the AC86U. I assume all the other features I need would come with the regular Merlin firmware.

Thanks,
-MF

 

[indark]

if you want to use merlin, GT model is out of question

AC86U's cpu is newer than AC88U's (I think)

AX88U has quadcore CPU, so i guess that's the only option?
but I dont know how much improvement it will provide.

 

[Val D.]

AX88U has quadcore CPU, so i guess that's the only option?
but I dont know how much improvement it will provide.

Per OpenVPN Client - none. OpenVPN uses a single core only, so RT-AC86U and RT-AX88U have the same OpenVPN performance. RT-AX88U has the advantage to run more OpenVPN Clients on different cores, if >2 VPN connections are required to run on the same router. Also, RT-AX88U has 1024MB RAM vs 512MB for RT-AC86U, but the price difference between the two is also 2X. So, RT-AC86U is still the best price/performance option, coming on sale here and there for about 160USD.

RT-AC88U is an older and much slower CPU model with no AES-NI support.
GT-AC2900 is just more fancy version of RT-AC86U, but with no Asuswrt-Merlin support.

Others?

PC x86 hardware based DIY router. During my tests I managed to reach 350Mbps OpenVPN speed with local NordVPN server. HP 8300 SFF, i5-3570 CPU, 16GB RAM, dual Intel LAN card, small SSD drive, pfSense. A bit overkill, but this is what I had as a test PC. Hard to setup pfSense though and APs are needed. I parsonally abandoned the idea seeing what RT-AC86U is capable of. It hits 270Mbps through OpenVPN with the same NordVPN server. Not all the servers allow such high speeds though. And the PC above consumes >60W.

 

[madfusker]

Really great information everyone, thanks! I had no idea OpenVPN could only use one core, so I think I'll just get another 86U.. It's been a great router.

Regards

 

[Val D.]

Really great information everyone, thanks!

Just one more thing to note - whole house VPN is a good idea, but the owner of this network has to be able to fix things on the router. It's harder to change or disable the VPN on the router. I had a case when the VPN server stopped responding and all devices lost internet connection at once. It may also break things, because some websites refuse to work through VPN connections. Usually just a few devices need VPN, so why to limit the others too?

VPN software running on clients that need VPN reduces the load on the router. Multiple CPUs share the load instead of a single core on the router. Internet feels more responsive when multiple x86 CPUs process their own traffic, for example. Changing and disabling VPN is easy, per client, per need. One limitation though - the router won't see anything on tunnels opened on clients, so TrendMicro services, preset DNS, User Scripts, etc. won't work for those clients.

Looks like VPN provided Windows software is limiting the connection speed, or Windows 10 itself is limiting something, not sure yet. I'm in a process of investigating of what is happening. Why? Because pfSence OpenVPN Client managed to reach 350Mbps, but NordVPN or ExpressVPN Windows clients never go above 230Mbps for some reason, on the same VPN server with the same x86 hardware, with CPU load of about 50-60% (on all 4 cores though).

 

[madfusker]

Yes, fully aware of the complexity, and the admin is me. I've run router VPN for about 4 years now and there are a few exceptions that sit in the router rules such as Netflix and Amazon Prime devices. Overall having most of the whole house run over the VPN has been great. It's absolutely incredible how the USA sells your traffic information. To even subscribe to internet or a cell phone you need to "Agree" to their terms of service in which they can sell all your information to 3rd parties. With whole house VPN I can run my traffic around my ISP which is nice. It's pretty amazing and scary that you can do a bunch of searching for something like a treadmill, and then a week later have a bunch of ads in your mailbox for buying one. The USA is insane and needs more privacy laws.

 

[madfusker]

In looking at the RT-AX88U, having the new wifi standard support would be nice, although as indicated, the price is pretty high to get it.

If I were to get this router, does anyone here have direct experience with it running Merlin on it? Is everything stable and the radios all work well? Even with the power of the 86U, my 3 story house degrades the signal to the top floor. Would the AX88U have any more overall signal strength, or the same?

 

[Marin]

In looking at the RT-AX88U, having the new wifi standard support would be nice, although as indicated, the price is pretty high to get it.

If I were to get this router, does anyone here have direct experience with it running Merlin on it? Is everything stable and the radios all work well? Even with the power of the 86U, my 3 story house degrades the signal to the top floor. Would the AX88U have any more overall signal strength, or the same?

AX88U works very well for me as an AiMesh router with Merlin FW/amtm/scripts/VPN and nodes with stock FW. Have not had a single issue with it so far and it has been very stable.


Sent from my iPhone using Tapatalk

 

[Greg72]

I am just using a RT-AC68U for my Comcast/Xfinity 1000mbps service, with my XB6 eMTA from Comcast in DMZ for the RT. I have no issues with speeds or coverage.

 

[Val D.]

I am just using a RT-AC68U

RT-AC68U can do only about 30Mbps through OpenVPN. This thread is about high speed VPN on a router.

Would the AX88U have any more overall signal strength, or the same?

About the same. Both routers have excellent coverage with better throughput than previous generations routers.

 

[Mikeyy]

RT-AC68U can do only about 30Mbps through OpenVPN. This thread is about high speed VPN on a router.

New AC68U has 1Ghz CPU which I tested up to 60Mbps and it worked without problems. Didn't have better connection to test with so I don't know what's real CPU limit.

 

[miroco]

Another option is the rt-ax92u. It uses the same cpu as the rt-ac86u.

https://wikidevi.com/wiki/ASUS_RT-AX92U
https://wikidevi.com/wiki/ASUS_RT-AC86U

https://www.snbforums.com/threads/rt-ax88u-and-rt-ax92u-as-aimesh-node-no-ax-mode.58387/#post-517236

https://www.amazon.com/dp/B07YD49FZT/?tag=snbforums-20

 

[Val D.]

Another option is the rt-ax92u.

No Asuswrt-Merlin support, so limited options to fine tune that VPN connection.

 

[Makaveli]

New AC68U has 1Ghz CPU which I tested up to 60Mbps and it worked without problems. Didn't have better connection to test with so I don't know what's real CPU limit.

At what encryption settings?

AES128 AES256?

 

[madfusker]

I'm getting 91 Mbps down tonight with my AC86U set at AES_256_GCM_SHA384, 2048 bit RSA using expressVPN. My connection without VPN is ~200Mbps.

Oct 28 21:56:46 ovpn-client2[4616]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 21 2019
Oct 28 21:56:46 ovpn-client2[4616]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08
Oct 28 21:56:46 ovpn-client2[4617]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 28 21:56:46 ovpn-client2[4617]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 28 21:56:46 ovpn-client2[4617]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 28 21:56:46 ovpn-client2[4617]: TCP/UDP: Preserving recently used remote address: [AF_INET]:1195
Oct 28 21:56:46 ovpn-client2[4617]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Oct 28 21:56:46 ovpn-client2[4617]: UDP link local: (not bound)
Oct 28 21:56:46 ovpn-client2[4617]: UDP link remote: [AF_INET]:1195
Oct 28 21:56:46 ovpn-client2[4617]: TLS: Initial packet from [AF_INET]:1195, sid=945ee694 8578dd52
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY KU OK
Oct 28 21:56:46 ovpn-client2[4617]: Validating certificate extended key usage
Oct 28 21:56:46 ovpn-client2[4617]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY EKU OK
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2963-1a, emailAddress=support@expressvpn.com
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2963-1a, emailAddress=support@expressvpn.com
Oct 28 21:56:46 ovpn-client2[4617]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Oct 28 21:56:46 ovpn-client2[4617]: [Server-2963-1a] Peer Connection Initiated with [AF_INET]:1195
Oct 28 21:56:47 ovpn-client2[4617]: SENT CONTROL [Server-2963-1a]: 'PUSH_REQUEST' (status=1)​

 

[Val D.]

I'm getting 91 Mbps down tonight with my AC68U

Make sure you don’t have IPv6 leaks or inaccurate measurements because RT-AC68U CPU can’t actually do 90Mbps through OpenVPN.

 

[madfusker]

Make sure you don’t have IPv6 leaks or inaccurate measurements because RT-AC68U CPU can’t actually do 90Mbps through OpenVPN.

Windows 10 with IPv6 disabled in networking.

http://ipv6leak.com says - no
https://test-ipv6.com/ - no
https://www.astrill.com/ipv6-leak-test - No IPv6 detected

Not sure, but here is what multiple sites show. Compression goodness?

https://www.speedtest.net/ - 37 ping, 96.48 Mbps down, 9.59 Mbps up
https://www.spectrum.com/internet/speed-test.html - 95.3 Mbps down, 8.9 Mbps up
https://speedtest.xfinity.com - 81.3 Mbps down
http://speedtest.att.com/speedtest/ - 93.9 Mbps down, 10.4 Mbps up

-MF

 

[Adamm]

I'm getting 91 Mbps down tonight with my AC68U set at AES_256_GCM_SHA384, 2048 bit RSA using expressVPN. My connection without VPN is ~200Mbps.

Oct 28 21:56:46 ovpn-client2[4616]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 21 2019
Oct 28 21:56:46 ovpn-client2[4616]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08
Oct 28 21:56:46 ovpn-client2[4617]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 28 21:56:46 ovpn-client2[4617]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 28 21:56:46 ovpn-client2[4617]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 28 21:56:46 ovpn-client2[4617]: TCP/UDP: Preserving recently used remote address: [AF_INET]:1195
Oct 28 21:56:46 ovpn-client2[4617]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Oct 28 21:56:46 ovpn-client2[4617]: UDP link local: (not bound)
Oct 28 21:56:46 ovpn-client2[4617]: UDP link remote: [AF_INET]:1195
Oct 28 21:56:46 ovpn-client2[4617]: TLS: Initial packet from [AF_INET]:1195, sid=945ee694 8578dd52
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY KU OK
Oct 28 21:56:46 ovpn-client2[4617]: Validating certificate extended key usage
Oct 28 21:56:46 ovpn-client2[4617]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY EKU OK
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2963-1a, emailAddress=support@expressvpn.com
Oct 28 21:56:46 ovpn-client2[4617]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2963-1a, emailAddress=support@expressvpn.com
Oct 28 21:56:46 ovpn-client2[4617]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Oct 28 21:56:46 ovpn-client2[4617]: [Server-2963-1a] Peer Connection Initiated with [AF_INET]:1195
Oct 28 21:56:47 ovpn-client2[4617]: SENT CONTROL [Server-2963-1a]: 'PUSH_REQUEST' (status=1)​

Make sure you don’t have IPv6 leaks or inaccurate measurements because RT-AC68U CPU can’t actually do 90Mbps through OpenVPN.

Windows 10 with IPv6 disabled in networking.

http://ipv6leak.com says - no
https://test-ipv6.com/ - no
https://www.astrill.com/ipv6-leak-test - No IPv6 detected

Not sure, but here is what multiple sites show. Compression goodness?

https://www.speedtest.net/ - 37 ping, 96.48 Mbps down, 9.59 Mbps up
https://www.spectrum.com/internet/speed-test.html - 95.3 Mbps down, 8.9 Mbps up
https://speedtest.xfinity.com - 81.3 Mbps down
http://speedtest.att.com/speedtest/ - 93.9 Mbps down, 10.4 Mbps up

-MF

I think you mean your AC86U

 

[madfusker]

You are correct! Typo, see the OP.

-MF

 

[Val D.]

You are correct!

Experiment connecting to a different VPN servers then. Local servers will give you best speeds. On a 200Mbps ISP line you should be able to get >150Mbps on UDP. ExpressVPN has some fast servers around.

I had no good experience with ExpressVPN on RT-AC86U. It was about 2 years ago though. Asuswrt-Merlin OpenVPN client was not re-connecting and auto-connecting with their servers. Looks like the things improved now.