OpenVPN as Server - Speed

[ColinK]

I know, there are countless speed threads, but not as many when using the router as a server to access a file server at home. So here we go before I throw something out the window.

Asus RT-AC86U running Merlin 384.9.
150/150 fiber connection
File server is a local qnap NAS (not super important)
Server configuration:


I can't seem to copy files any faster than 2.5mb/sec = 20mbps. With the clock speed of the router, and the internet speeds, from what I'm reading, I should be able to attain AT LEAST 30mbps.

Speed of the client computer network is 350 down/15 up
While the client is copying a file, the router's second cpu climbs to between 10-15% load, so it doesn't seem that's the bottleneck. Is it the uprate of the connection?

A second client behind a business firewall with a 300/300 connection can only attain speeds of 3mbps (355kb/s), but I'm guessing that's a config issue that I'll need to sort out.

Is there anything else I can do on the server side with the configuration to speed things up (aside from dropping the encryption all together)

Thanks for any help!

 

[Jack Yaz]

Which protocol are you using for the copy? e.g. SMB, FTP

 

[Xentrk]

I know, there are countless speed threads, but not as many when using the router as a server to access a file server at home. So here we go before I throw something out the window.

Asus RT-AC86U running Merlin 384.9.
150/150 fiber connection
File server is a local qnap NAS (not super important)
Server configuration:


I can't seem to copy files any faster than 2.5mb/sec = 20mbps. With the clock speed of the router, and the internet speeds, from what I'm reading, I should be able to attain AT LEAST 30mbps.

Speed of the client computer network is 350 down/15 up
While the client is copying a file, the router's second cpu climbs to between 10-15% load, so it doesn't seem that's the bottleneck. Is it the uprate of the connection?

A second client behind a business firewall with a 300/300 connection can only attain speeds of 3mbps (355kb/s), but I'm guessing that's a config issue that I'll need to sort out.

Is there anything else I can do on the server side with the configuration to speed things up (aside from dropping the encryption all together)

Thanks for any help!

The GCM ciphers are faster than the CBC ciphers. Changing to AES-128-GCM will give you a slight bump in performance.

 

[elorimer]

A few things. First, you don't say what client you are using, and what the client computer is. I'm assuming you are running the client on the client computer (not on a remote router), and that the connection from the client computer to its gateway is wired 1G. If it is wireless, then you might be limited in the link between the client computer and its gateway. Same between the NAS and the 86.

Second, you might change the connection to TUN. With TAP you are sending a lot of other traffic.

Third, you might turn off the buffer and fast-io instructions and give that a whirl. If your client is a windows computer I'm not sure fast-io does anything.

 

[RMerlin]

For some people, TCP actually gives better performance than UDP (that was my case last time I did some benchmark tests).

 

[ColinK]

Which protocol are you using for the copy? e.g. SMB, FTP

Windows file sharing as a mapped network drive.

The GCM ciphers are faster than the CBC ciphers. Changing to AES-128-GCM will give you a slight bump in performance.

Great to know! Thanks!

A few things. First, you don't say what client you are using, and what the client computer is. I'm assuming you are running the client on the client computer (not on a remote router), and that the connection from the client computer to its gateway is wired 1G. If it is wireless, then you might be limited in the link between the client computer and its gateway. Same between the NAS and the 86.
Second, you might change the connection to TUN. With TAP you are sending a lot of other traffic.
Third, you might turn off the buffer and fast-io instructions and give that a whirl. If your client is a windows computer I'm not sure fast-io does anything.

Oops! Clients are windows computers on wired 1gbps network. Using OpenVPN GUI v 11.9 or better (tried on a few different computers)

I wasn't able to access the local files with TUN, I could ping the router, as expected, but couldn't ping or access the NAS, so TAP was my easiest option.

Sounds good, it was something I copied from somewhere else haha, was running out of ideas and willing to try anything!

For some people, TCP actually gives better performance than UDP (that was my case last time I did some benchmark tests).

SUCCESS! Sort of...

So this is interesting! Changing to TCP got me around the firewall speed thresholds at the office, now am seeing speeds of 130mbps!!!

However, the second home that is trying to access with a 350 down/15 up connection, isn't able to go any faster than 20mbps.

 

[Jack Yaz]

I always found shared drives like that to be rather slow over VPN and found FTP to work much better (in my uses anyway, ymmv)

 

[gmt]

Hi, can you recommend a router model which would best serve as vpn server, currently I am using a TP-Link C3150 but my speeds even on TCP and AES-256-GCM with fallback to AES-128-GCM still gives me only about 10 % of the line advertised upload speed.

 

[Catalinus]

AX88U seems to have hardware-implemented AES (and anyway a much faster CPU) so I get on OpenVPN at least 10 times the speed that I was getting on AC68U - at least 200 mbps but so far it seems that the restrictions might be mostly with my gigabit internet provider.

 

[ColinK]

I’m using the Asus RT-AC86U

You want something with the fastest CPU you can find.

 

[gmt]

Thank you for the quick replies, c3150 that is currently used as VPN server has a 1.4 GHz dual core, Ac86u has 1.8 Dual core, so only 400 MHz difference, AX88u is too expensive for me~ 300 Euro , I was thinking more in the direction of Mikrotik hAP ac² of which I've heard is very good in the vpn area. I actually use as vpn client a AC86u which has replaced the my AC68u exactly because of the supposedly better vpn hardware deconding

https://www.snbforums.com/threads/openvpn-performance-of-the-rt-ac86u.41217/

I was thinking to replace the C3150 with the 68U but maybe i should replace it with the 86U instead

 

[maxbraketorque]

The AC86U has a built-in crytography engine, so VPN speeds are much faster than a similarly clocked router without this feature.

 

[sfx2000]

For some people, TCP actually gives better performance than UDP (that was my case last time I did some benchmark tests).

With OVPN - UDP is always generally better - as we already have TCP inside the OVPN tunnel - and UDP packets can be fairly large there which plays to the strong stuff of OpenSSL.

 

[RMerlin]

With OVPN - UDP is always generally better

Benchmark does not always support this. I've seen a few setups where TCP was notably faster than UDP. Don't ask me why it's sometimes the case, I never investigated any further...