OpenVPN performance of the RT-AC86U

[root]

I have an AC86U running latest merlin. I'm wondering if it's possible to configure the VPN-client so that only the downloads through Asus Download Master on the router are going through the VPN and all the devices in my network to not use the VPN-connection?

 

[RMerlin]

I have an AC86U running latest merlin. I'm wondering if it's possible to configure the VPN-client so that only the downloads through Asus Download Master on the router are going through the VPN and all the devices in my network to not use the VPN-connection?

Not easily. Beside Download Master, other things on your router need to access the Internet (such as DNS queries), therefore you cannot just forward all router traffic.

 

[root]

Not easily. Beside Download Master, other things on your router need to access the Internet (such as DNS queries), therefore you cannot just forward all router traffic.

I suspected that. It is possible to configure The VPN-client to include all devices and the router itself except some devices? I want the router and my PC behind the VPN but everything else outside it. Or is it out of the questions to include the router if I want anything else outside the VPN?

 

[RMerlin]

I suspected that. It is possible to configure The VPN-client to include all devices and the router itself except some devices? I want the router and my PC behind the VPN but everything else outside it. Or is it out of the questions to include the router if I want anything else outside the VPN?

You can exclude specific devices, yes. However I have no idea how things will work out if you include the router itself.

 

[killeriq]

Ive seen some talk here about WireGuard, so i wonder...

@RMerlin - WireGuard will it be implemented into your FW any time soon?

Thanks

 

[RMerlin]

@RMerlin - WireGuard will it be implemented into your FW any time soon?

No.

 

[Odkrys]

RT-AC86U CHACHA20-POLY1305 benchmark.
OpenVPN master commit + openssl 1.1.0j (compiled as 32bit into firmware, not entware version.)

tun-mtu 9000
mssfix 0

ncp-ciphers AES-128-GCM

C:\iperf-2.0.9-win64>iperf -l 1M -w 2M -c 192.168.50.246 -t 20
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[  3] local 10.8.0.2 port 5174 connected with 192.168.50.246 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.0 sec   567 MBytes   238 Mbits/sec

ncp-ciphers AES-256-GCM

C:\iperf-2.0.9-win64>iperf -l 1M -w 2M -c 192.168.50.246 -t 20
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[  3] local 10.8.0.2 port 5240 connected with 192.168.50.246 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.0 sec   548 MBytes   230 Mbits/sec

ncp-ciphers CHACHA20-POLY1305

C:\iperf-2.0.9-win64>iperf -l 1M -w 2M -c 192.168.50.246 -t 20
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[  3] local 10.8.0.2 port 5408 connected with 192.168.50.246 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.0 sec   540 MBytes   226 Mbits/sec

 

[Xentrk]

It has been nearly one year since I set up an AC86U for a friend who has a boutique hotel. My frustration and pain point with the AC86U is not being able to obtain the improved OpenVPN performance that many of you have reported. It is my understanding that Runner has to be enabled. Yet, it remains a mystery as to what settings in the firmware control having the feature enabled or not. Below is a screen pic.

On pfSense, I just place a check inside of a box to turn on the AES-NI acceleration feature for improved OpenVPN performance. I looked back at my prior posts and see I was able to get improved speeds by manually enabling runner setting using the method:

nvram set runner_disable=0
nvram commit

But it goes away after a reboot. I could add it to a user script to execute at boot though. I think the suggestion was to turn off AIProtection followed by a reboot. Once high tourist season is over, I can try that. Just wanted to know if anyone else hit this roadblock and if anyone has discovered the mystery setting that enables and disables Runner.

 

[Butterfly Bones]

It has been nearly one year since I set up an AC86U for a friend who has a boutique hotel. My frustration and pain point with the AC86U is not being able to obtain the improved OpenVPN performance that many of you have reported. It is my understanding that Runner has to be enabled. Yet, it remains a mystery as to what settings in the firmware control having the feature enabled or not. Below is a screen pic.

View attachment 16180

On pfSense, I just place a check inside of a box to turn on the AES-NI acceleration feature for improved OpenVPN performance. I looked back at my prior posts and see I was able to get improved speeds by manually enabling runner setting using the method:

nvram set runner_disable=0
nvram commit

But it goes away after a reboot. I could add it to a user script to execute at boot though. I think the suggestion was to turn off AIProtection followed by a reboot. Once high tourist season is over, I can try that. Just wanted to know if anyone else hit this roadblock and if anyone has discovered the mystery setting that enables and disables Runner.

For me enabling the Trend Micro options, Traffic Analyzer or QoS will disable Runner, so I leave them off, but I have a simple home network that I montor easily.

 

[pusb87]

It has been nearly one year since I set up an AC86U for a friend who has a boutique hotel. My frustration and pain point with the AC86U is not being able to obtain the improved OpenVPN performance that many of you have reported. It is my understanding that Runner has to be enabled. Yet, it remains a mystery as to what settings in the firmware control having the feature enabled or not. Below is a screen pic.

View attachment 16180

On pfSense, I just place a check inside of a box to turn on the AES-NI acceleration feature for improved OpenVPN performance. I looked back at my prior posts and see I was able to get improved speeds by manually enabling runner setting using the method:

nvram set runner_disable=0
nvram commit

But it goes away after a reboot. I could add it to a user script to execute at boot though. I think the suggestion was to turn off AIProtection followed by a reboot. Once high tourist season is over, I can try that. Just wanted to know if anyone else hit this roadblock and if anyone has discovered the mystery setting that enables and disables Runner.

i too have Runner disabled but do not have any Trend Micro options enabled either.

However, I do get full speeds when using openvpn client

My ISP gives me 200 down, 12 up

with OpenVPN client enabled using PIA

 

[Xentrk]

i too have Runner disabled but do not have any Trend Micro options enabled either.

However, I do get full speeds when using openvpn client

My ISP gives me 200 down, 12 up

with OpenVPN client enabled using PIA

Interesting. Your results appear to debunk the need for Runner to be enabled hypothesis and the impact of AiProtection on the Runner setting.

 

[ajp2k14]

Interesting. Your results appear to debunk the need for Runner to be enabled hypothesis and the impact of AiProtection on the Runner setting.

Not using vpn client myself but I just wanted to add an observation I did when upgrading to 384.9. Before my runner was always disabled when I had AI protection enabled but with 384.9 runner is enabled even when AI protection is on (86U).

 

[pusb87]

Interesting. Your results appear to debunk the need for Runner to be enabled hypothesis and the impact of AiProtection on the Runner setting.

yes thats what i thought although never looked at before seeing this thread.

I'm with AC86U running Firmware Version:384.8_2 by the way

 

[Xentrk]

yes thats what i thought although never looked at before seeing this thread.

I'm with AC86U running Firmware Version:384.8_2 by the way

I will do some more searching on the forum and see others discussing the issue. I did find a post by @faria you may find interesting.

While doing this i keeped checking the Hardware acceleration in Tools, it always showed : Runner: Disabled - Flow Cache: Enabled or Runner: Disabled (QoS) - Flow Cache: Enabled
Then i opt out of the Trend Micro Eula and bang , Runner: Enabled - Flow Cache: Enabled, @ this stage after a reboot i got my internet to full speed.

Since then i have been enabling the services that i disabled,Trend -Micro Stuff,Qos Jumbo Frame, Spanning-Tree Protocol , Traffic Analyzer ,etc but now i m getting full speed either with Runner: Enabled or Disabled , so i don't know where the issue was.

I think Asus could have implemented this better and hope they improve this. I recommended the router based on the improved OpenVPN speeds reported here and absolutely no change when compared to my RT-AC88U.

Maybe Asus should take a lesson from pfSense and have a check box to enable encryption acceleration? Then, if there is some setting else where in the firmware that conflicts, they can display an error message.

Once high tourist season is over, I'll see if I can find some time to get back to the site and do some testing.

 

[faria]

I will do some more searching on the forum and see others discussing the issue. I did find a post by @faria you may find interesting.



I think Asus could have implemented this better and hope they improve this. I recommended the router based on the improved OpenVPN speeds reported here and absolutely no change when compared to my RT-AC88U.

Maybe Asus should take a lesson from pfSense and have a check box to enable encryption acceleration? Then, if there is some setting else where in the firmware that conflicts, they can display an error message.

Once high tourist season is over, I'll see if I can find some time to get back to the site and do some testing.

@Xentrk ,thanks for the ping,
update: still running a full speed the the above settings, plus QOS settings im using are : "Adaptive QoS fq_codel"

 

[doczenith1]

Add me to the list of people who are able to get full speed over openvpn with runner disabled.

 

[PoloNes]

I used ipvanish in this test.
fw: 384.9

 

[mafiaboy01]

I recently upgraded from ac87u to a ac86u. I have an OpenVPN connection between my place and my file server at my parents place.

The ac86u is setup as the Tap server and my file server connects to it via OpenVPN and is accessible from my network.

Mostly files are going from my location to the file server. I have a Gigabit up and down and my parents have 500Mbps down. With the old setup I averaged about 40-50Mbps transfer. With the ac86u I'm getting about the same and nowhere near the 200Mpbs others are getting. Not sure what's holding me back.

client
dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto udp
remote
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-128-CBC
auth SHA1
compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server

resolv-retry infinite
nobind
verb 4

 

[L&LD]

I recently upgraded from ac87u to a ac86u. I have an OpenVPN connection between my place and my file server at my parents place.

The ac86u is setup as the Tap server and my file server connects to it via OpenVPN and is accessible from my network.

Mostly files are going from my location to the file server. I have a Gigabit up and down and my parents have 500Mbps down. With the old setup I averaged about 40-50Mbps transfer. With the ac86u I'm getting about the same and nowhere near the 200Mpbs others are getting. Not sure what's holding me back.

client
dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto udp
remote
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-128-CBC
auth SHA1
compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server

resolv-retry infinite
nobind
verb 4

Directly connected by OpenVPN on your server at the parent's place? Is it capable of higher speeds?

 

[mafiaboy01]

Directly connected by OpenVPN on your server at the parent's place? Is it capable of higher speeds?

The server is directly connected to the openvpn at my place. The server only has an i3 processor but I think it should be enough for higher speeds than what I'm getting.