Openvpn maximum throughput with dual core 800mhz

[Protos]

Currently looking to upgrade from my N66u.

I have a 50mbit cable line, when running openvpn from my desktop I can max out my connection. When running openvpn from the N66u I can only get 10-12mbit.

My question is what is the max throughput that is possible with the new AC68 dual core 800mhz.
Will I be able to use openvpn on the AC68 and max out my connection ???

 

[sinshiva]

what's going to matter more is your upload speed. i assume you have something like a 50/10 connection, in which case the router wouldn't matter at all.

Also, the kind of performance you'll get from the server depends largely on what cipher you're using and the protocol, tcp or udp.

 

[netware5]

Currently looking to upgrade from my N66u.

I have a 50mbit cable line, when running openvpn from my desktop I can max out my connection. When running openvpn from the N66u I can only get 10-12mbit.

My question is what is the max throughput that is possible with the new AC68 dual core 800mhz.
Will I be able to use openvpn on the AC68 and max out my connection ???

As I understood you are speaking about using the OpenVPN in client mode, i.e. you are connecting to OpenVPN server which is outside of your home LAN. In that case it is very difficult to reach the maximum throughput using any SOHO router. The cryptographic performance of SOHO routers (depends on CPU speed, CPU type, available RAM and memory bus frequency) is far away from any desktop PC or laptop. My advice is to use your desktop PC as client device to connect to the OpenVPN server. You should use the router as client device only if you have a SIGNIFICANT reason to do this. Such reason could be if you want some mobile devices or any other devices, unable to run the OpenVPN client software, to reach the internet through a VPN tunnel. In general - migrating to AC68 will definitely increase your performance but still it will not reach the desktop PC one.

The case is similar if you want to have an OpenVPN server in your LAN to be reached from outside. The performance issues discussed above are the same, but in that case using the router as OpenVPN server is preferable due to the convenience and because of security reasons. So, in that case you have a SIGNIFICANT reason to use a router as OpenVPN server instead of desktop PC.

Try to search this forum for "OpenVPN performance". I remember that Merlin has published some experimental results about OpenVPN performance of different Asus routers with Merlin's firmware.

what's going to matter more is your upload speed. i assume you have something like a 50/10 connection, in which case the router wouldn't matter at all.

Also, the kind of performance you'll get from the server depends largely on what cipher you're using and the protocol, tcp or udp.

It seems to be that the upload speed is not a factor in this particular case, as the desktop PC performance is reported to be on max. The desktop PC and the router use the same WAN so the upload speed has the same effect on their performance in both cases.

 

[RMerlin]

In raw OpenVPN throughput I was able to push an RT-AC56U to 60 Mbps during early development. I haven't retested with a recent FW version, it might have changed a bit. But essentially I was getting a 3x speed increase over the N66U.

 

[Protos]

Thanks netware5 for that excellent post, very informative ... I did indeed mean to say that I wanted to use the router in client mode and protect my whole network.

I knew that the cpu+ram were the bottleneck, I just was not sure if the new dual core 800 would be enough to get me close to maxing my connection. Searching around for benchmarks on openvpn performances did not produce much for me which is a shame as I feel that is a great networking benchmark.

Merlin thanks for your post as well, are you saying that the architecture of the AC series significantly enhances openvpn or was this purely a function of your firmware ??

 

[RMerlin]

Merlin thanks for your post as well, are you saying that the architecture of the AC series significantly enhances openvpn or was this purely a function of your firmware ??

Both. The dual core 800 MHz CPU in the AC56/AC68U makes a huge difference, and I also added my own optimizations to the firmware, so you'll get better results with my firmware than with Asus's (they picked my OpenVPN code but not the optimizations I did to it or to OpenSSL).

This is only with the ARM devices - the MIPS devices such as the AC66U won't give you any better performance over the N66.

 

[Protos]

Thanks for that merlin, seriously looking at a zotac mini running pfense, however I have read that openvpn is not multithreaded so that I would need a very high single core cpu freq to get benefits ..... what are your thoughts ?

 

[speedingcheetah]

I use my AC56U with current stock firmware as OpenVpn server. I have 50/20 dsl. I have the router in TAP mode. When I use the OpenVPN client software on my laptop, when i am way at my folks, I get full speed ...in that it maxes out my 20meg home upload....and, since I am using TAP, I can even watch HDTV with my HDHomeRun Prime with Media center remotely.

For most folks internet speed package, router based vpn servers is just fine, but for those that have crazy fast upload (50meg or higher) you will probably get full performance by using a dedicated computer to run your vpn server.

 

[RMerlin]

Thanks for that merlin, seriously looking at a zotac mini running pfense, however I have read that openvpn is not multithreaded so that I would need a very high single core cpu freq to get benefits ..... what are your thoughts ?

You won't need much horsepower to handle VPN on a 50 Mbits connection. Any recent Zotac mini PC would be fine (even an RT-AC56U/RT-AC68U can handle 50 Mbits of VPN traffic).

Your bottleneck here remains your ISP.

 

[Protos]

I went with a Netgear R7000 for the hardware specs.
Hopefully someone will do tomato firmware.

Thanks to all in the asus forums for their posts and help. Happy New Year !

 

[Sky1111]

R7000 is faster, but it does not come with Merlin , and I do not know how good are Kong's DD-WRT builds - and I could not find conclusive evidence of OpenVPN client performance - please share if you find any.

I am running OpenVPN client on 25/10 connection, and I would say stock clocks are not sufficient to handle VPN + p2p traffic. Overclocked AC56 does handle the load fine (1200 CPU/800 memory). [Side note: for few weeks I was running ASUS firmware and reported few issues - and honestly, I got fed up with slow performance and went back to Merlin's firmware).

In few days I am switching to 50/10 connection (even bought a new VDSL modem - LOL, and I will report back to this forum with real world OpenVPN client performance - both stock clocks and overclocked.

 

[CaptainSTX]

Another option to look at is the customized Tomato VPN firmware from Sabai along with their VPN Accelerator. The Accelerator has its own processor and four Gigs of memory to handle all the VPN processor and not bog down the attached router's operation. Sabai's hardware isn't inexpensive but it does the job and the after sale support is fantastic.

Running Sabai's dual gateway VPN firmware and using their VPN Accelerator with its custom firmware and connecting to a Strong VPN server two hundred miles distant using OpenVPN I usually get 70+ Mbps download speeds and 30+ upload.

Not all VPN providers can or will provide that much bandwidth. Using exactly the same hardware and connecting to Astrill's VPN server in the same city my download speed tops out at about 40Mbps. I also tested HMA and IPVanish and I didn't get nearly the throughput I get from StrongVPN.

 

[Protos]

@Sky
There is no doubt Merlin has made major contributions, I just never cared for the Asus interface. Tomato just did it for me.

Will definetly report back when I have some performance numbers, though I don't think it would be proper to put them in the asus forums.

@Captain
Thanks I was aware of the sabai option but I feel 600+ bones is ridiculous for what is offered. Also I have read that they are not giving back to tomato .... which does not endear them to me in any way. I am with PIA and they max my connection so I am most pleased.

 

[CaptainSTX]

The Sabai solution is expensive but it optimized to maximize your throughput.

When I was out of the US it allowed me to stream Amazon and Netflix with no problems even though my connection was only 5/1.5.

I am now back in the US and have a 75/35 connection from FIOS. With this speed and my Sabai setup I run almost all my families Internet traffic through a VPN with little or no reduction in throughput. It is also easy for me to modify my connection and stream video from the UK and Sweden.

If you need/ or want high throughput on a a secure OpenVPN connection you are going to need more processing power than a SOHO router can provide along with a very good VPN provider. Both cost money.

 

[Sky1111]

Not good OpenVPN client performance on 50Mb internet

Folks, today I got my 50Mb profile activated and I measured OpenVPN Client performance with Private Internet Access (PIA) VPN provider.

"Naked" line is giving ~45Mb (I am still working with ISP to get the full 50)

Overclocked RT-AC56U (1200 CPU/800 memory): tops at ~28 (for comparison, on 25Mb internet I was getting close to ~24!)

stock clocks AC56U: ~9Mb

Merlin FW: 3.0.0.4_374.36_beta1

 

[CaptainSTX]

Folks, today I got my 50Mb profile activated and I measured OpenVPN Client performance with Private Internet Access (PIA) VPN provider.

"Naked" line is giving ~45Mb (I am still working with ISP to get the full 50)

Overclocked RT-AC56U (1200 CPU/800 memory): tops at ~28 (for comparison, on 25Mb internet I was getting close to ~24!)

stock clocks AC56U: ~9Mb

Merlin FW: 3.0.0.4_374.36_beta1

You need to test PIA to see what throughput they can deliver. Install their VPN software on your most powerful PC and then connect the PC using an Ethernet cable to your router and run speed test to PIA's servers in a city nearest your actual physical location. This will give you a good idea what the maximum potential throughput of your VPN provider is.

Only one of the four VPN providers I have tested and or used could consistently provide speeds in excess of 40 Mbps down.

Once you know what the VPN's potential maximum is then you can determine how good your VPN hardware is.

Using StrongVPN and my Sabai setup I can get 70Mbps down on a 75 Mbps connection.

 

[Protos]

I use PIA as well and use this page to test my best locations.

https://payments.privateinternetaccess.com/pages/network/

Make sure to select a location that can saturate your connection, such as toronto.

I justed tested the Netgear R7000 Nighthawk and it was blazing fast peice of kit, but the firmware left something to be desired for me, also it does not support jumbo frames which was a deal breaker for my network. DDWRT didn't really impress me all that much and it didn't support jumbo frames either. Great hardware to be sure, but firmware not what I need.

Sent it back and will wait for an Asus dualcore 1ghz+ that I can load my beloved shibby tomato on.

For the record I got 47.6 mbs (only did one testwith the R7000) which was almost full saturation of my connection.

 

[Sky1111]

You need to test PIA to see what throughput they can deliver. Install their VPN software on your most powerful PC and then connect the PC using an Ethernet cable to your router and run speed test to PIA's servers in a city nearest your actual physical location. This will give you a good idea what the maximum potential throughput of your VPN provider is.

Only one of the four VPN providers I have tested and or used could consistently provide speeds in excess of 40 Mbps down.

Once you know what the VPN's potential maximum is then you can determine how good your VPN hardware is.

Using StrongVPN and my Sabai setup I can get 70Mbps down on a 75 Mbps connection.

Turns out that PIA is a bottleneck in my case, NOT the router!
As CaptainSTX suggested, I installed PIA client on my home server (quadcore, 12Gb of RAM, dual Intel NICs) and I tried ALL US servers (and of course I turned off VPN on the router first). I even chatted with PIA support dude - he suggesting to try different ports, UDP vs TCp, - no good. On PC, I could barely reach 20-22Mb!

I filed a ticket to PIA and will follow up with them.

 

[Sky1111]

I use PIA as well and use this page to test my best locations.

https://payments.privateinternetaccess.com/pages/network/

Make sure to select a location that can saturate your connection, such as toronto.

I justed tested the Netgear R7000 Nighthawk and it was blazing fast peice of kit, but the firmware left something to be desired for me, also it does not support jumbo frames which was a deal breaker for my network. DDWRT didn't really impress me all that much and it didn't support jumbo frames either. Great hardware to be sure, but firmware not what I need.

Sent it back and will wait for an Asus dualcore 1ghz+ that I can load my beloved shibby tomato on.

For the record I got 47.6 mbs (only did one testwith the R7000) which was almost full saturation of my connection.

Wow! You got 47.6 with running OpenVPN Client connected to PIA servers?

 

[Protos]

Yeah, I don't use the geographically closest, just the fastest ... you can tell the speed on the chart. For me Toronto or US East work best.

My base speed to my isp is 56mbits and I often hit 53mbs to New York.

Not quite full saturation of my connection, but given the overhead of the VPN I thought it was great. On my N66u, using my networkmanager (Arch Linux) to set up the openvpn I get full saturation, mind you I have a very fast rig, intel nic etc ....