
New RT-AC88U user - VPN troubles


jdjuggler

I have a new RT-AC88U, installed 384.5beta1. Not sure if previous code was an issue or not - VPN wasn't working at all... Using NordVPN, speed seems to be around 10-12 Mbps. Same servers thru PC client are about 50-60 Mbps. I'm sure I've seen better VPN numbers for this box. Anyone have an idea of what the issue could be?
Thanks,
JD
 
JD,

My router is not as powerful as yours, but only by a bit, and that is the kind of speed I would expect for around a 1 GHz CPU. Maybe a little faster but not much. That's just from personal experience, and I use Nord too.

I'm anticipating your PC has a pretty powerful PC.

I would suggest watching the processor on the router whilst doing your tests; if it is maxing out, I doubt you are going to get much more. If you can connect with simpler encryption (not 512) it might be faster. I expect you would need to talk to Nord for details of how.

Hope this helps.
 
With the VPN on, at its peak it's only 30% and averages about 15-20% during speed test. Here are my settings if it helps.

Image 1.png


 
I just checked my router, it's doing a fair bit of traffic tonight, so I thought I would check the figure.

So my router is downloading circa 3MB/s. That is 24Mb/s, which is the max for my connection. Across the two CPU cores it's around 50% (that's very much visually guessed). So what I quoted earlier might be a little out. And that's NOT on one of Nord's VPNs specifically for what I am doing, so I am getting very good performance.

Any chance you have a MB/s / Mb/s issue? (Most broadband connections are measured in Mb/s.)

Just a thought.
 
Most certainly, I'm referring to Mbps. My connection is around 100 Mbps. 60+ with Windows-based VPN. Only 10-12 with Asus Merlin OpenVPN on the same provider & server. The send and rec buffer, which I just added, did not make a difference.
These pics are hopefully better.
Image 2.jpg

Image 2b.jpg
 
Try a TCP (port 443) server if that option is possible with your VPN provider and see if that makes it better.
 
Is not the Auth Digest the encryption level for username and password only?
Tried reading about it, not sure if I understand it all :eek:
But in my setup from my VPN provider it uses SHA1, that's not considered secure if you don't add a nonce (timestamp) to it.
Not sure if that's the case for my setup (have to email my VPN provider about it).
Also tried to change Auth Digest (SHA224/256/384/512) but could not connect to the VPN server.
 
Your settings look to be the standard ones recommended. IMHO some settings have little or no impact in part because I suspect that VPN providers don't honor them.

Specifically push sndbuff, push rcvbuff, tun-mtu, tun-mtu extra, mssfix. Just for the sake of checking, verify what your actual MTU and MSSFIX are both using the VPN and not using the VPN. www.speedguide.net:8080 will give you this information. I can get any confirmation that when using UDP it makes any difference or not. PIA sets the MTU to 1360 even though I call for 1500, and if I don't add the commands to my config file they use 1392. Astrill on the other hand uses 1500 by default.

When you are checking your speeds, are you connecting to a nearby VPN server? If I connect to Miami (200 miles) my download speed is 170 Mbps. If I connect to Sydney, AUS (9,600 miles) my speed drops to 80 Mbps. You probably won't get those speeds on most routers as I am running the VPN on a box that uses an i7 processor that supports AES-NI.
 
SpeedGuide info:
Not really sure how this helps me, but the MTU size is changed to 1365 when connected.
I have picked a VPN server nearby (east coast US). I'm thinking it's the non AES-NI router I have... Unless someone tells me differently. I think I'm going to get an ASUS that has the AES-NI feature.

VPN OFF:
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2018.04.30 19:19
IP address: 67.245.xxx.xxx
Client OS/browser: Windows 10 (Chrome 65.0.3325.181)

TCP options string: 020405b40103030801010402
MSS: 1460
MTU: 1500
TCP Window: 65536 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 256
Recommended RWINs: 64240, 128480, 256960, 513920, 1027840
BDP limit (200ms): 2621kbps (328KBytes/s)
BDP limit (500ms): 1049kbps (131KBytes/s)
MTU Discovery: ON
TTL: 114
Timestamps: OFF
SACKs: ON
IP ToS: 00000000 (0)


VPN ON:
« SpeedGuide.net TCP Analyzer Results »
Tested on: 2018.04.30 19:21
IP address: 185.236.xxx.xxx
Client OS/browser: Windows 10 (Chrome 65.0.3325.181)

TCP options string: 0204052d0103030801010402
MSS: 1325
MTU: 1365
TCP Window: 66048 (not multiple of MSS)
RWIN Scaling: 8 bits (2^8=256)
Unscaled RWIN : 258
Recommended RWINs: 63600, 127200, 254400, 508800, 1017600
BDP limit (200ms): 2642kbps (330KBytes/s)
BDP limit (500ms): 1057kbps (132KBytes/s)
MTU Discovery: ON
TTL: 110
Timestamps: OFF
SACKs: ON
IP ToS: 00101000 (40)
Precedence: 001 (priority)
Delay: 0 (normal delay)
Throughput: 1 (high throughput)
Reliability: 0 (normal reliability)
Cost: 0 (normal cost)
Check bit: 0 (correct)
DSCP (DiffServ): AF11 001010 (10) - Assured Forwarding class 1, low drop precedence (RFC 2597).
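
An added example, not part of the original posts: decoding the two "TCP options string" values from the analyzer reports above shows where the MSS and MTU figures come from and how many bytes per packet the tunnel takes. The function names are hypothetical, and the 40-byte figure assumes IPv4 and TCP headers without options.

```python
# Added example: decode the analyzer's "TCP options string" (the two hex values
# are the ones quoted in the reports above; function names are hypothetical).
SAMPLES = {
    "vpn_off": "020405b40103030801010402",
    "vpn_on": "0204052d0103030801010402",
}
IPV4_TCP_HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header

def parse_tcp_options(hex_string):
    """Return a list of (kind, value_bytes) tuples from a TCP options field."""
    data = bytes.fromhex(hex_string)
    options, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:            # End of Option List: stop parsing
            break
        if kind == 1:            # NOP: single padding byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d truncated before its length byte" % kind)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("option %d has invalid length %d" % (kind, length))
        options.append((kind, data[i + 2:i + length]))
        i += length
    return options

def summarize(hex_string):
    """Extract the fields the analyzer report displays."""
    info = {"mss": None, "window_scale": None,
            "sack_permitted": False, "timestamps": False}
    for kind, value in parse_tcp_options(hex_string):
        if kind == 2 and len(value) == 2:      # Maximum Segment Size
            info["mss"] = int.from_bytes(value, "big")
        elif kind == 3 and len(value) == 1:    # Window Scale shift count
            info["window_scale"] = value[0]
        elif kind == 4:                        # SACK Permitted
            info["sack_permitted"] = True
        elif kind == 8:                        # Timestamps
            info["timestamps"] = True
    if info["mss"] is not None:
        info["path_mtu"] = info["mss"] + IPV4_TCP_HEADERS
    return info

def tunnel_overhead(off_hex, on_hex):
    """Difference in implied MTU between the direct and tunnelled paths."""
    return summarize(off_hex)["path_mtu"] - summarize(on_hex)["path_mtu"]

if __name__ == "__main__":
    for name, hex_string in SAMPLES.items():
        print(name, summarize(hex_string))
    print("MTU difference:", tunnel_overhead(SAMPLES["vpn_off"], SAMPLES["vpn_on"]))
```
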
 
As you found, certain settings may have little or no impact on your VPN speed. Look at the ASUS AC86 as it offers the best available SOHO VPN speeds based on what other readers on this site have reported. It gets great VPN speeds because it has the AES-NI supporting processor. Based on what others have said, 200 Mbps or more is possible using this router, or at least they are with PIA.
 
JD, some initial thoughts that don't especially relate to speed. It doesn't look like you have a very secure VPN configuration (I'm not an expert), but I have had to deal with a few DNS leaks (you can check at https://www.dnsleaktest.com/). The custom configuration I have is mostly the same as yours, but you have extra stuff.

I tried speedguide.net just for the hell of it (VPN on):
7.12 Mbit/s down ↓
5.41 Mbit/s up ↑
ping: 249ms
jitter: 16ms

Test date: 2018.04.30 21:45 EDT
IP Address: 209.209.xxx.xxx
mirror: speedguide.net
Location: Jacksonville, FL USA

Then speedtest.net : 14Mb / 5.5 Mb

Then I did it without the VPN, and everything was slower. So sorry my internet was having some sort of weird moment. Not so helpful.

With regards to the 512 encryption, I am pretty sure, unless you speak to Nord directly it is needed. It didn't work for me without it.

Hope that's of some help with the security at least.
 
I helped a friend configure their AC86U. I was never able to achieve an improvement with the OpenVPN speeds when compared to my AC88U. I asked about this in the AC86U OpenVPN performance thread. I was told it had to do with the Runner being enabled. But how to enable it? The firmware seems to enable/disable it based on other settings. But I never could find out what those settings are. I tried turning off AI Protection to see if that enabled Runner. But no luck. I used the nvram command to enable it yet still did not see the improved performance others reported.

As mentioned previously, the closer one is to the geo-location of the VPN server, the better the performance. My server is halfway across the globe. :eek: Connecting to the VPN server in Bangkok gives me the best performance. As I start moving farther away, the speeds start to drop. I am using AES-128-GCM and SHA1 to get the best performance.

I converted a PC to a pfSense appliance with an i5 CPU and AES-NI support. With pfSense, there is a check box to enable AES-NI. I don't see this option on the AC86U. My Ethernet speeds greatly improved when compared to the Ethernet speeds on the AC88U. WiFi not so much, as WiFi can't support jumbo frames. You can read the thread in the VPN section here.
 
SHA1 is still considered safe for HMAC, even MD5.
In my experience, a high hash requires more CPU resources than a high cipher.
Try a free OpenVPN server in vpngate or vpnbook.
I think you can get better speed with 128-bit cipher + SHA1 auth.
 
If possible, give the AC88U back and buy an AC86U instead. This one has AES-NI support and you are getting 250-260 Mbit/s VPN speed with this toy.
If I remember right, it was not possible to get more than 40-50 Mbit/s on VPN with the AC88U since its processor is missing the AES acceleration feature.
 
I recommended the AC86U to a friend based on the improved OpenVPN speeds others in the forum reported. Unfortunately, I have not been able to obtain the improved OpenVPN speeds with the AC86U when compared to the AC88U. There is no option in the firmware to enable AES-NI like there is in pfSense. From what I understand, the AES-NI equivalent in Asuswrt is called Runner. In the web gui, I can see that Runner is disabled. But how to enable it? In the AC86U OpenVPN performance thread, I was not able to get an answer on how to enable Runner. I did enable it using the nvram command in the command line. But I did not see a bump in performance. From what others reported, the firmware appears to enable/disable it based on other settings in the firmware. But I never could find out what those settings are. :(
 
There is no command to enable hardware encryption (the Broadcom equivalent of AES-NI), it's always enabled.
Runner is the equivalent of the old CTF. I haven't looked at the AC86 code, but I suspect it's automatically bypassed for VPN connections just like the old CTF was.
 
I was referring to compatibility with Nord servers. I found that unless I had exactly what they instructed I could not connect. But I didn't speak to Nord support, so it might be possible to use an alternate encryption level if you speak to them. Sorry if I confused anyone.
 
